hi OpenSSH folks--
I have several OpenSSH sshd servers that i've maintained for a long
time. Some of them have keys that are considered short by today's
standards (e.g. 1024-bit RSA keys).
On these servers, I would like to be able to do a key rotation such that
multiple keys are valid during a time window so that users can learn the
new key before i remove the old one. I don't think this is currently
supported, but i'm interested in figuring out how something like this
might happen in the future.
Reading the spec i don't see an explicit prohibition against multiple
keys of the same key type, but i don't see how it would be handled
exactly in the protocol either:
https://tools.ietf.org/html/rfc4253#page-18
Looking at sshd.c, it seems to me that get_hostkey_by_type() only
permits sshd to offer a single key of each type.
Would it be possible for some sshd to offer more than one key of any
given type? If so, this would permit such a key transition from clients
that could support it? Or is there something in the spec that i'm not
seeing which makes this explicitly impossible?
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 965 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20130514/710048df/attachment.bin>
On Tue, 14 May 2013, Daniel Kahn Gillmor wrote:> Reading the spec i don't see an explicit prohibition against multiple > keys of the same key type, but i don't see how it would be handled > exactly in the protocol either: > > https://tools.ietf.org/html/rfc4253#page-18 > > Looking at sshd.c, it seems to me that get_hostkey_by_type() only > permits sshd to offer a single key of each type.Right. The protocol only supports sending a single host key as part of key exchange. E.g. RFC4253 section 8 (search for "K_S") We've toyed with an extension to express "since you trust this one, here all my other keys" but never implemented it. To my mind, it would look something like: byte SSH_MSG_HOSTKEYS string hostkeys string signature Where "hostkeys" contains: string hostkey[0] ... string hostkey[n] and "signature" is made with the hostkey that was used to sign the last KEX exchange. -d
Seemingly Similar Threads
- [PATCH] sshsig: check hashalg before selecting the RSA signature algorithm
- Weak DH primes and openssh
- [Bug 3219] New: Can't connect to a server that is using several host keys of the same type
- HostKey in hardware?
- Greeter openssh 7.4 is not according rfc4253.