I've just written this patch, it's undergone minimal testing and "works
for me" and I'm after feedback as to acceptability of approach, anything
I should be doing differently for the feature to be acceptable upstream
and what I should be doing about automated testing.
Use-case: you have the host's SSH fingerprints via an out-of-band
mechanism which you trust and want to be able to connect and have
verification use those known-good fingerprints and, if they match,
update known_hosts.
In our case, we use Amazon EC2, and I scripted up something which can
use the AWS APIs to grab the serial console from a recently installed
machine and grab the SSH host key fingerprints out of that. This
provides an authenticated and tamper-proof path (provided that you trust
the EC2 infrastructure APIs and, if you don't trust them as much as you
do trust the SSH running in the VM, then I'd argue that you have a
broken trust/threat model).
In addition, we have a bastion host between the internal machines and
the Internet, so ssh-keyscan is not, AFAIK, applicable.
----------------------------8< cut here >8------------------------------
% ./ssh -v -H fplist aws-cluster-foo-host-bar
[...]
debug1: Server host key: ECDSA 12:34:......................................:ef
debug1: Have a new ECDSA host key for aws-cluster-foo-host-bar and checking
fingerprint against fplist.
debug1: fingerprint matches line 3.
Warning: Permanently added 'aws-cluster-foo-host-bar' (ECDSA) to the
list of known hosts.
debug1: ssh_ecdsa_verify: signature correct
----------------------------8< cut here >8------------------------------
The file contained lines looking like:
----------------------------8< cut here >8------------------------------
rsa 11:22:33:...................................:00 root at ip-10-0-0-1
dsa ba:98:......................................:21 root at ip-10-0-0-1
ecdsa 12:34:......................................:ef root at ip-10-0-0-1
----------------------------8< cut here >8------------------------------
(albeit with full fingerprints, obviously).
Constructive feedback appreciated, and any pointers to any contributor
docs that need legal signoff, or whatever.
Thanks,
-Phil
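A Python sketch of the matching step described in the post (an added example, not Phil's patch or any OpenSSH code): it parses the fplist format shown above, computes the server host key's MD5 fingerprint, and reports which fplist line matched, as the `debug1: fingerprint matches line 3.` output does. The function names, the regex, and the sample key and fplist are my own constructions.

```python
import base64
import hashlib
import re

# Short key names used in the fplist file, keyed by SSH key-type identifier.
KEY_TYPE_NAMES = {"ssh-rsa": "rsa", "ssh-dss": "dsa", "ecdsa-sha2-nistp256": "ecdsa",
                  "ecdsa-sha2-nistp384": "ecdsa", "ecdsa-sha2-nistp521": "ecdsa"}
# Exactly 16 two-digit hex groups separated by colons (an MD5 fingerprint).
FINGERPRINT_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){15}$")


def md5_fingerprint(key_blob: bytes) -> str:
    """Colon-separated MD5 hex digest of the raw key blob (the ssh-keygen -l
    format of the time, as shown in the post's debug output)."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_fplist(text: str):
    """Return (line_number, key_name, fingerprint) for each well-formed line.
    Blank lines, comments and malformed entries are skipped, never matched."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        key_name, fp = fields[0].lower(), fields[1].lower()
        if FINGERPRINT_RE.match(fp):
            entries.append((lineno, key_name, fp))
    return entries


def find_matching_line(fplist_text: str, server_pubkey_line: str):
    """Line number of the fplist entry whose key type AND fingerprint both
    match the server's host key line ('<type> <base64> [comment]'), else None."""
    key_type, b64 = server_pubkey_line.split()[:2]
    key_name = KEY_TYPE_NAMES.get(key_type)
    if key_name is None:
        return None  # key type not covered by the list format
    fp = md5_fingerprint(base64.b64decode(b64))
    for lineno, name, listed_fp in parse_fplist(fplist_text):
        if name == key_name and listed_fp == fp:
            return lineno
    return None


# Constructed sample data (not a real key): a fake ECDSA blob, the host key line a
# server would present, and a three-line fplist whose third line carries its fingerprint.
SAMPLE_BLOB = b"\x00\x00\x00\x13ecdsa-sha2-nistp256" + b"\x01" * 8
SAMPLE_PUBKEY = "ecdsa-sha2-nistp256 " + base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_FPLIST = ("rsa " + ":".join(["00"] * 16) + " root at ip-10-0-0-1\n"
                 "dsa " + ":".join(["ba"] * 16) + " root at ip-10-0-0-1\n"
                 "ecdsa " + md5_fingerprint(SAMPLE_BLOB) + " root at ip-10-0-0-1\n")
```

A real implementation would take the key blob from the server's KEXDH reply rather than a text line, but the type-plus-fingerprint comparison is the same.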