A mechanism to verify SSH keys.

risris Member
edited October 2016 in Feature Request/Bug Report
Hello,
It would be great if there were a mechanism to verify SSH keys through the Time4VPS interface so that we can make sure that it's the right server we are connecting to, when connecting to it from a client for the first time. This can be done by running
ssh-keyscan [IPADDR]
from a trusted Time4VPS endpoint and returning the value. Please add this feature like what you have for rebooting servers, etc. - it means a lot in terms of security (preventing MITM attacks over SSH, etc. as SSH, by design, does not have any such mechanism for pre-mediated third party based key verification)
https://www.giac.org/paper/gsec/2034/conducting-ssh-man-middle-attacks-sshmitm/103515

Comments

  • Hi, thank you for the suggestion. We are taking it into account and will try our best to implement it as soon as possible.
  • This problem is actually intended to be solved by SSH Fingerprint (SSHFP) in the DNS system combined with the usage of VerifyHostKeyDNS in the SSH client configuration.

    I'd imagine using public key authentication also can help verify remote hosts, since the remote host has to already have a copy of the public key matched to your private key to even begin negotiating the ssh session.
  • risris Member
    edited October 2016
    andreweb: Well, SSHFP in the DNS does not solve this issue as it has to be configured in the first place using some blindly trusted keys. What if the first connection itself cannot be trusted to configure these in the first place? We don't know the key, we can't do it from our side. Of course, pretty much all our servers have a domain name (automatically given by Time4VPS, domain.time4vps.eu).
    VerifyHostKeyDNS can only help when the domain.t4vps.eu is already configured with DNSSEC AND the DNS entry is already updated automatically from Time4VPS side. This is much more complicated than running ssh-keyscan [domain] on request using some automatic interface.
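As an added illustration of what the thread is asking for (not code from the original post, from Time4VPS or from OpenSSH), the script below takes one line of `ssh-keyscan` output, derives the `SHA256:` fingerprint the ssh client shows on first connect, derives the SSHFP record a provider would publish, and compares an out-of-band fingerprint against the key offered on the wire. The host address and the key bytes are constructed placeholders, not a real server key.

```python
import base64
import hashlib
import hmac
import struct

# Map an OpenSSH key type to the SSHFP algorithm number (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length plus payload."""
    return struct.pack(">I", len(data)) + data

def parse_keyscan_line(line: str):
    """Split one 'host keytype base64blob' line as printed by ssh-keyscan into
    (host, keytype, raw_blob); reject a blob whose embedded type differs from the declared one."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (typelen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + typelen] != keytype.encode("ascii"):
        raise ValueError("declared key type does not match key blob")
    return host, keytype, blob

def openssh_fingerprint(blob: bytes) -> str:
    """Fingerprint exactly as the ssh client prints it on first connect:
    SHA256:<unpadded base64 of sha256(blob)>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def sshfp_record(keytype: str, blob: bytes) -> str:
    """SSHFP RDATA (algorithm number, fingerprint type 2 = SHA-256, hex digest)
    that a provider would publish in DNS for this host key."""
    return f"{SSHFP_ALGORITHM[keytype]} 2 {hashlib.sha256(blob).hexdigest()}"

def host_key_matches(trusted_fingerprint: str, keyscan_line: str) -> bool:
    """Compare a fingerprint obtained out of band (e.g. from the provider's panel)
    against the key the server actually offers, using a constant-time comparison."""
    _, _, blob = parse_keyscan_line(keyscan_line)
    return hmac.compare_digest(trusted_fingerprint, openssh_fingerprint(blob))

# Constructed sample: a well-formed ssh-ed25519 blob around 32 placeholder key bytes.
# It is NOT a real server key; it only reproduces the line format ssh-keyscan prints.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "203.0.113.10 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")

if __name__ == "__main__":
    host, keytype, blob = parse_keyscan_line(SAMPLE_LINE)
    print(host, keytype, openssh_fingerprint(blob))
    print("SSHFP record:", sshfp_record(keytype, blob))
```

The same fingerprint string is what `ssh` prints in its "authenticity of host ... can't be established" prompt, so a value published through a trusted provider endpoint can be checked against it directly.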