bugzilla-daemon at mindrot.org
2013-Sep-18 21:25 UTC
[Bug 2154] New: Avoid key lookup overhead when re-keying
https://bugzilla.mindrot.org/show_bug.cgi?id=2154

            Bug ID: 2154
           Summary: Avoid key lookup overhead when re-keying
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: imorgan at nas.nasa.gov

Created attachment 2337
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2337&action=edit
Cache the host key and compare against it when re-keying

Proposal: Cache server host key after initial key exchange

Currently, whenever a key exchange is triggered, the host key offered by the
server must be verified. This may involve DNS queries or requests to read the
known hosts files. This can be problematic if StrictHostKeyChecking is set to
"yes" and the verification fails due to a temporary problem, such as a
corrupted /etc/ssh/ssh_known_hosts file. It should also be noted that with
increasing file transfer rates and server-side support for time-based
re-keying, the overhead of frequent host key verification becomes more of an
issue.

For example, consider an environment where /etc/ssh/ssh_known_hosts is
centrally managed and is the primary source for verifying the authenticity of
hosts. Further, assume that StrictHostKeyChecking is set to "yes" and that a
damaged copy of the ssh_known_hosts file is distributed to the client systems.
Existing ssh connections which re-key while the damaged file is in place will
fail to re-key and will then disconnect. This will tend to impact
high-bandwidth connections, such as large file transfers or busy X11 sessions.
It can also impact regular login sessions if time-based re-keying is enabled.

To avoid these issues, it might be worthwhile to cache the host key used
during the initial key exchange. On subsequent key exchanges, the cached copy
of the previously verified host key could be compared against the offered host
key to avoid some of the overhead.
An initial patch has been attached to this bug, but I'm not sure if it has any
unintended side-effects.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-Sep-18 23:24 UTC
[Bug 2154] Avoid key lookup overhead when re-keying
https://bugzilla.mindrot.org/show_bug.cgi?id=2154

Iain Morgan <imorgan at nas.nasa.gov> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #2337 is|0                           |1
           obsolete|                            |

--- Comment #1 from Iain Morgan <imorgan at nas.nasa.gov> ---
Created attachment 2338
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2338&action=edit
Move code slightly and add a debug() statement
bugzilla-daemon at mindrot.org
2013-Sep-19 00:29 UTC
[Bug 2154] Avoid key lookup overhead when re-keying
https://bugzilla.mindrot.org/show_bug.cgi?id=2154

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
             Blocks|                            |2130

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Idea seems reasonable. I'm not sure I like the current implementation because
the cached key is stored before all of the validation.
bugzilla-daemon at mindrot.org
2013-Sep-19 21:27 UTC
[Bug 2154] Avoid key lookup overhead when re-keying
https://bugzilla.mindrot.org/show_bug.cgi?id=2154

--- Comment #3 from Iain Morgan <imorgan at nas.nasa.gov> ---
Created attachment 2341
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2341&action=edit
Cache the key after the initial check
bugzilla-daemon at mindrot.org
2013-Dec-05 00:57 UTC
[Bug 2154] Avoid key lookup overhead when re-keying
https://bugzilla.mindrot.org/show_bug.cgi?id=2154

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
One downside that just occurred to me: caching the key will skip revoked keys
checks. I'm not sure whether this matters, since relying on rekeying to detect
compromised keys is pretty hit and miss anyway.
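The following is an added example, not OpenSSH code and not any of the patches attached to this bug. It simulates the proposal from the bug description and the trade-off raised in comment #4: a client verifies the server host key against known_hosts at the first key exchange, remembers the verified key, and on later rekeys compares the offered key with the remembered one before reading any file. The known_hosts parser handles only plain "host[,host...] keytype base64" lines, revocation is modelled as a set of key blobs rather than a RevokedHostKeys file, the sample known_hosts text and key blob are constructed for the example, and the choice to fall back to full verification (rather than abort) when the offered key differs from the cached one is this example's own, not something the page states about the applied patch.

```python
"""Simulation of host-key caching across rekeys.  Added example, not OpenSSH
code: the client verifies the server host key against known_hosts at the first
key exchange, remembers the verified key, and on later rekeys compares the
offered key with the remembered one before touching any file.  The known_hosts
text and the key blob below are constructed for the example."""
import base64
import hashlib


class KnownHostsError(Exception):
    """known_hosts could not be parsed (the 'damaged file' case)."""


class HostKeyRejected(Exception):
    """The offered host key failed verification."""


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in OpenSSH display style (base64, padding stripped)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def lookup_known_hosts(text: str, host: str) -> set:
    """Return the (keytype, blob) entries listed for `host`.  Only plain
    'host[,host...] keytype base64' lines are handled (no hashed hosts or
    @markers); a malformed line raises, which under StrictHostKeyChecking=yes
    is as fatal as a missing entry."""
    found = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise KnownHostsError(f"malformed known_hosts line {lineno}")
        hosts, ktype, b64 = parts[0], parts[1], parts[2]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            raise KnownHostsError(f"bad base64 on known_hosts line {lineno}") from None
        if host in hosts.split(","):
            found.add((ktype, blob))
    return found


class ClientSession:
    """One client connection; previous_host_key is the key verified at session start."""

    def __init__(self, host, read_known_hosts, read_revoked, cache_hostkey=True):
        self.host = host
        self.read_known_hosts = read_known_hosts   # callable returning known_hosts text
        self.read_revoked = read_revoked           # callable returning a set of revoked blobs
        self.cache_hostkey = cache_hostkey
        self.previous_host_key = None

    def verify_full(self, ktype, blob):
        """The expensive path: revocation check, then the known_hosts lookup."""
        if blob in self.read_revoked():
            raise HostKeyRejected(f"host key {fingerprint(blob)} is revoked")
        if (ktype, blob) not in lookup_known_hosts(self.read_known_hosts(), self.host):
            raise HostKeyRejected(f"no known_hosts entry for {fingerprint(blob)}")

    def key_exchange(self, ktype, blob):
        """Host-key step of one key exchange.  Returns 'cached' when the cached
        key short-circuited verification, 'verified' when the full path ran."""
        if self.cache_hostkey and self.previous_host_key == (ktype, blob):
            return "cached"            # the revocation check is skipped on this path
        # First exchange, caching off, or a key differing from the cached one:
        # this example's choice (an assumption) is to run the full check, not abort.
        self.verify_full(ktype, blob)
        if self.cache_hostkey:
            self.previous_host_key = (ktype, blob)
        return "verified"


# Constructed sample data; the key blob is arbitrary bytes, not a real key.
SERVER_KEY = ("ssh-ed25519", b"\x00\x00\x00\x0bssh-ed25519" + bytes(range(32)))
GOOD_KNOWN_HOSTS = "fileserver,10.0.0.5 ssh-ed25519 %s\n" % base64.b64encode(SERVER_KEY[1]).decode()
DAMAGED_KNOWN_HOSTS = "fileserver,10.0.0.5 ssh-ed25519\n"     # key column truncated


def simulate(cache_hostkey, known_hosts_versions, revoked_versions):
    """Run one session through len(known_hosts_versions) key exchanges; exchange i
    sees version i of known_hosts and of the revocation set.  Returns the list of
    per-exchange outcomes, stopping at the first failure (the connection drops)."""
    current = {"i": 0}
    sess = ClientSession("fileserver",
                         lambda: known_hosts_versions[current["i"]],
                         lambda: revoked_versions[current["i"]],
                         cache_hostkey=cache_hostkey)
    outcomes = []
    for i in range(len(known_hosts_versions)):
        current["i"] = i
        try:
            outcomes.append(sess.key_exchange(*SERVER_KEY))
        except (KnownHostsError, HostKeyRejected) as exc:
            outcomes.append("disconnect: " + type(exc).__name__)
            break
    return outcomes


if __name__ == "__main__":
    files = [GOOD_KNOWN_HOSTS, DAMAGED_KNOWN_HOSTS]
    print("no cache, file damaged before rekey:", simulate(False, files, [set(), set()]))
    print("cache,    file damaged before rekey:", simulate(True, files, [set(), set()]))
    print("cache,    key revoked before rekey: ",
          simulate(True, [GOOD_KNOWN_HOSTS] * 2, [set(), {SERVER_KEY[1]}]))
```

Without caching, the second exchange reads the damaged file and the session is dropped, which is the failure the bug describes; with caching, the same exchange never opens the file. The third run shows the cost: a key revoked after session start still passes on a cache hit, because the revocation check lives on the full-verification path that the cache bypasses.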
bugzilla-daemon at mindrot.org
2014-Feb-05 23:17 UTC
[Bug 2154] Avoid key lookup overhead when re-keying
https://bugzilla.mindrot.org/show_bug.cgi?id=2154

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2188

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Retarget incomplete bugs / feature requests to 6.6 release
bugzilla-daemon at mindrot.org
2014-Feb-05 23:19 UTC
[Bug 2154] Avoid key lookup overhead when re-keying
https://bugzilla.mindrot.org/show_bug.cgi?id=2154

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2130                        |

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Retarget incomplete bugs / feature requests to 6.6 release
bugzilla-daemon at mindrot.org
2014-Apr-12 04:49 UTC
[Bug 2154] Avoid key lookup overhead when re-keying
https://bugzilla.mindrot.org/show_bug.cgi?id=2154

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2226

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Retarget to 6.7 release, since 6.6 was mostly bugfixing.
bugzilla-daemon at mindrot.org
2014-Apr-12 04:53 UTC
[Bug 2154] Avoid key lookup overhead when re-keying
https://bugzilla.mindrot.org/show_bug.cgi?id=2154

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2188                        |

--- Comment #8 from Damien Miller <djm at mindrot.org> ---
Remove from 6.6 tracking bug
bugzilla-daemon at mindrot.org
2014-Jul-03 04:21 UTC
[Bug 2154] Avoid key lookup overhead when re-keying
https://bugzilla.mindrot.org/show_bug.cgi?id=2154

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #2338 is|0                           |1
           obsolete|                            |
Attachment #2341 is|0                           |1
           obsolete|                            |
             Status|NEW                         |ASSIGNED
           Assignee|unassigned-bugs at mindrot.org|djm at mindrot.org

--- Comment #9 from Damien Miller <djm at mindrot.org> ---
Created attachment 2450
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2450&action=edit
updated patch

Update to -current
bugzilla-daemon at mindrot.org
2014-Jul-03 04:24 UTC
[Bug 2154] Avoid key lookup overhead when re-keying
https://bugzilla.mindrot.org/show_bug.cgi?id=2154

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gturner at unzane.com

--- Comment #10 from Damien Miller <djm at mindrot.org> ---
*** Bug 2194 has been marked as a duplicate of this bug. ***
bugzilla-daemon at mindrot.org
2014-Jul-03 22:24 UTC
[Bug 2154] Avoid key lookup overhead when re-keying
https://bugzilla.mindrot.org/show_bug.cgi?id=2154

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #11 from Damien Miller <djm at mindrot.org> ---
applied - this will be in openssh-6.7. Thanks!
bugzilla-daemon at mindrot.org
2014-Oct-07 21:00 UTC
[Bug 2154] Avoid key lookup overhead when re-keying
https://bugzilla.mindrot.org/show_bug.cgi?id=2154

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #12 from Damien Miller <djm at mindrot.org> ---
Close all bugs left open from 6.6 and 6.7 releases.