On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote:
> Imagine sysadminning a boatload of VMs getting IPs from a dynamic pool, a la
>
> $ for ADDR in $CUSTOMER_1_RANGE $CUSTOMER_2_RANGE... ; do
> > ping -c 1 -w 2 $ADDR >/dev/null 2>&1 && ssh root@$ADDR do_urgent_fix
> > done
>
> , and it mightn't be that much of a niche anymore ...

And that's when you look at using certificate based host keys.

--
rgds
Stephen
On Fri, Mar 15, 2019 at 6:40 AM Stephen Harris <lists at spuddy.org> wrote:
>
> On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote:
> > Imagine sysadminning a boatload of VMs getting IPs from a dynamic pool, a la
> >
> > $ for ADDR in $CUSTOMER_1_RANGE $CUSTOMER_2_RANGE... ; do
> > > ping -c 1 -w 2 $ADDR >/dev/null 2>&1 && ssh root@$ADDR do_urgent_fix
> > > done
> >
> > , and it mightn't be that much of a niche anymore ...
>
> And that's when you look at using certificate based host keys.

And it fails miserably as soon as any of the intervening firewalls block ICMP, such as, say, the security group settings for an AWS deployed virtual host. You need to check with port 22 on TCP, not ICMP packets. This sort of thing is also why a casually assembled "doodz, just do this thing!!!" breaks down in the larger world.
On 15/03/19, Nico Kadel-Garcia (nkadel at gmail.com) wrote:
> On Fri, Mar 15, 2019 at 6:40 AM Stephen Harris <lists at spuddy.org> wrote:
> > On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote:
> > And that's when you look at using certificate based host keys.
>
> And it fails miserably as soon as any of the intervening firewalls
> block ICMP, such as, say, the security group settings for an AWS
> deployed virtual host. You need to check with port 22 on TCP, not ICMP
> packets. This sort of thing is also why a casually assembled "doodz,
> just do this thing!!!" breaks down in the larger world.

Hi Nico

Referencing back to the OP's question:

> > On 14/03/19, Jeremy Lin (jeremy.lin at gmail.com) wrote:
> > > As far as I can tell, there currently isn't a straightforward way to
> > > use password authentication for connecting to hosts where the host key
> > > changes frequently.

Is there an issue with using certificate based host keys, as Jochen suggests, that means they can't easily be used for auto-generated instances?

According to the RedHat docs:

"To authenticate a host to a user, a public key must be generated on the host, passed to the CA server, signed by the CA, and then passed back to be stored on the host to present to a user attempting to log into the host."
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-signing_ssh_certificates

The process of picking up the auto-generated host file ssh_host_rsa_key.pub to the CA machine, signing the host file, copying the resulting certificate back to the host, adding the line "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub" or alternative in the host /etc/ssh/sshd_config file and restarting sshd can all be automated.

If all users have received the CA public host key and have added it with the requisite @cert-authority preamble to their ~/.ssh/known_hosts file, the host warning Jeremy was complaining about would not occur.

Or am I missing something obvious?
Thanks
Rory
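The host-certificate flow Rory lays out above, as an added example that is not part of the thread: it runs the CA and the host side in one scratch directory (in a real deployment only the host's public key travels to the CA machine and only the certificate comes back), assumes OpenSSH's ssh-keygen is on PATH, and the host pattern *.example.net and the name vm-0001.example.net are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): generate a host key, sign it with a
# CA, and emit the two lines an automation job installs afterwards. Runs in
# a scratch directory instead of /etc/ssh so it needs no privileges.
set -eu

# known_hosts entry users need: "@cert-authority <host pattern> <CA pubkey>".
# $1 = host pattern (constructed "*.example.net" below), $2 = CA public key file.
cert_authority_line() {
    printf '@cert-authority %s %s\n' "$1" "$(cut -d' ' -f1,2 "$2")"
}

# sshd_config line that makes sshd present the certificate. $1 = cert path.
host_certificate_line() {
    printf 'HostCertificate %s\n' "$1"
}

# Sign a host public key; ssh-keygen writes <key>-cert.pub beside it.
# -h marks a host certificate, -n binds the principals (names clients may
# connect to under this cert), -V bounds its validity.
# $1 = CA private key, $2 = host public key, $3 = key id, $4 = principals
sign_host_key() {
    ssh-keygen -q -s "$1" -I "$3" -h -n "$4" -V +52w "$2"
}

# Print "host" or "user" from the certificate's Type: line (ssh-keygen -L).
cert_type() {
    ssh-keygen -L -f "$1" | awk '/^ *Type:/ { print $(NF-1) }'
}

# Whole flow in scratch dir $1 for host name $2: CA key, host key, signing,
# then the HostCertificate line (for the VM) and the @cert-authority line
# (for every user's ~/.ssh/known_hosts).
provision_host_cert() {
    dir=$1; name=$2
    ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$dir/ca"
    ssh-keygen -q -t ed25519 -N '' -C "$name" -f "$dir/ssh_host_ed25519_key"
    sign_host_key "$dir/ca" "$dir/ssh_host_ed25519_key.pub" "$name" "$name"
    host_certificate_line "$dir/ssh_host_ed25519_key-cert.pub"
    cert_authority_line '*.example.net' "$dir/ca.pub"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    scratch=$(mktemp -d)
    provision_host_cert "$scratch" vm-0001.example.net
    rm -rf "$scratch"
fi
```

After the real sshd on the VM reloads with the HostCertificate line, a client whose known_hosts carries the @cert-authority entry accepts any host key signed by that CA for a matching name, so regenerated host keys no longer trigger the warning.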
On 17/03/19, Jochen Bern (Jochen.Bern at binect.de) wrote:
> On 03/16/2019 07:34 PM, Rory Campbell-Lange wrote:
> >>> On Fri, Mar 15, 2019 at 09:10:26AM +0000, Jochen Bern wrote:
> >>> And that's when you look at using certificate based host keys.
> [...]
> > Is there an issue with using certificate based host keys, as Jochen
> > suggests
>
> (FWIW, that actually was Stephen Harris <lists at spuddy.org>, as in, the
> *other* guy you Cc:ed. I'm afraid that my employer could not, so far, be
> interested in using SSH certificates, in spite of clear use cases, so my
> experience with them is pretty much nil. :-/ )

Sorry about the quoting mistake.

If you do look at certificates in future, there are a couple of cool projects on github for using a certificate authority for the client authorisation part. Although I haven't tried it, ssh-cert-authority looks quite good
https://github.com/cloudtools/ssh-cert-authority

Uber's pam-ussh is another possibility, but I haven't tried that either.

Perhaps a certificate authority can become part of the openssh suite in future too?

Rory