bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-31 18:12 UTC
[Bug 2602] New: (Feature request) Verify host using key in destination user account
https://bugzilla.mindrot.org/show_bug.cgi?id=2602
Bug ID: 2602
Summary: (Feature request) Verify host using key in destination user account
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org
Reporter: bugzilla.mindrot.org at edp.org
I would like ssh to provide host verification using a key in the
destination user account (as an alternative to using a key installed by
the system administrator).
It is not unusual to connect to systems where the user has an account
but does not control the system (e.g., accounts provided by schools,
employers, and other institutions or an account on a virtual server at
an ISP), and the institution may occasionally migrate the accounts to
new hardware while neglecting to migrate the host keys. This feature
would also be useful on development systems where the user reinstalls
the OS frequently (but retains the user data, possibly on a storage
volume separate from the OS).
If the destination account files contained a key (with permissions
granting access to sshd but denying access to other users), sshd could
access the key and use it to authenticate to the client ssh.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-19 04:37 UTC
[Bug 2602] (Feature request) Verify host using key in destination user account
https://bugzilla.mindrot.org/show_bug.cgi?id=2602
Damien Miller <djm at mindrot.org> changed:
What        |Removed  |Added
------------+---------+-------------------
Resolution  |---      |WONTFIX
Status      |NEW      |RESOLVED
CC          |         |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This isn't possible without breaking the guarantees that host key
checking is supposed to provide.
For the behaviour that you want, ssh would have to ignore a host key
verification failure at connection time, proceed with authentication
and fetch (presumably using sftp) the host key from the target system.
This is a substantial amount of work but, worse, it would require ssh
to complete authentication to a system that it does not trust.
Completing authentication means sending user credentials to the remote
server. This would allow phishing or connection spoofing by hostile
servers.
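An added illustration of the guarantee comment #1 refers to (example code written for this page, not code from the thread or from OpenSSH): the client decides trust from its own known_hosts store, including hashed and @revoked entries, before any credential is sent, so a host whose accounts were migrated without their host keys yields a hard "changed" result rather than a reason to log in. The hostnames, key blobs and sample entries are constructed.

```python
import base64
import fnmatch
import hashlib
import hmac

def hash_hostname(host, salt):
    """OpenSSH hashed known_hosts name: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def hostname_matches(pattern, host):
    """Does a name field (plain, comma list, wildcard or hashed) cover host? '!' negation omitted."""
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(hash_hostname(host, salt), pattern)
    return any(fnmatch.fnmatchcase(host, p) for p in pattern.split(","))

def check_host_key(known_hosts, host, keytype, key_b64):
    """Decide trust from the local store BEFORE any credential is sent. Returns 'ok', 'revoked',
    'changed' (host known with this key type but another key: the migrated-host case) or 'unknown'."""
    result = "unknown"
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = ""
        if fields[0].startswith("@"):  # @revoked or @cert-authority
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or marker == "@cert-authority":  # CA lines need certificate parsing
            continue
        if not hostname_matches(fields[0], host) or fields[1] != keytype:
            continue
        if hmac.compare_digest(fields[2], key_b64):
            if marker == "@revoked":
                return "revoked"
            result = "ok"
        elif marker != "@revoked" and result != "ok":
            result = "changed"
    return result

# Constructed sample store (not from the bug report): plain, hashed and revoked entries.
SALT = bytes(range(20))
OLD_KEY = base64.b64encode(b"constructed-old-ed25519-blob").decode()
NEW_KEY = base64.b64encode(b"constructed-new-ed25519-blob").decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "shell.example.org,203.0.113.7 ssh-ed25519 " + OLD_KEY,
    hash_hostname("build.example.org", SALT) + " ssh-ed25519 " + NEW_KEY,
    "@revoked * ssh-rsa " + OLD_KEY,
])
```

`check_host_key(SAMPLE_KNOWN_HOSTS, "shell.example.org", "ssh-ed25519", NEW_KEY)` models the report's scenario (same hostname, new key after a migration) and returns "changed".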
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-19 21:00 UTC
[Bug 2602] (Feature request) Verify host using key in destination user account
https://bugzilla.mindrot.org/show_bug.cgi?id=2602
--- Comment #2 from Eric Postpischil <bugzilla.mindrot.org at edp.org> ---
The second paragraph in the preceding comment contemplates an
implementation in which the ssh client does the work of retrieving the
key and verifying it. That is not necessary. When initially contacting
the server, the client would supply the name of a user on the server
system. The ssh server would read a key from that user's files and use
it in the normal authentication process instead of the usual system
host key.
bugzilla-daemon at mindrot.org
2021-Apr-23 04:59 UTC
[Bug 2602] (Feature request) Verify host using key in destination user account
https://bugzilla.mindrot.org/show_bug.cgi?id=2602
Damien Miller <djm at mindrot.org> changed:
What        |Removed  |Added
------------+---------+-------------------
Status      |RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release