Record and expose SSH host keys
Bug #1491057 reported by
Adam Collard
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
MAAS |
Invalid
|
Undecided
|
Unassigned |
Bug Description
It would be great if MAAS could assist me in identifying MITM attacks by allowing me to preseed my SSH known_hosts file with keys from the nodes that MAAS has deployed (and commissioned?).
Maybe through the use of ssh-keyscan or similar?
Changed in maas: | |
milestone: | none → 1.9.0 |
importance: | Undecided → Wishlist |
status: | New → Triaged |
Changed in maas: | |
milestone: | 1.9.0 → 2.0.0 |
Changed in maas: | |
status: | Invalid → New |
Changed in maas: | |
status: | New → Triaged |
milestone: | 2.0.0 → next |
importance: | Wishlist → Undecided |
summary: |
- Record and expose SSH host keys + [feature] Record and expose SSH host keys |
Changed in maas: | |
milestone: | next → none |
Changed in maas: | |
assignee: | nobody → Adam Collard (adam-collard) |
To post a comment you must log in.
If an active man-in-the-middle attack is already taking place, ssh-keyscan as an end-user won't provide protection.
What you would expect is that, after a node is deployed, its host key won't change for the life of that deployment. The most useful thing I can think to do with ssh-keyscan is to invoke it (from its attached cluster), so we eliminate the risk of network layer attacks, and limit the attack surface to ARP/neighbor discovery poisoning (which could be prevented, to some extent, with managed switch features).
We could then make the expected public key available via the MAAS API, and then a script could be used to update a users' known_hosts file.
This isn't a seamless user experience, though, and we all know how rarely users actually check host keys. Will they bother to find out about the script and run it, to update their known_hosts?
A more user-friendly (albeit much more potentially dangerous) option would be for MAAS to escrow the key, and have curtin redeploy the same private host key to the node in subsequent deployments.
But how would we do that in a secure way? We don't want the MAAS database to contain private keys for the deployed node. That's a man-in-the-middle attack waiting to happen. I see a few options here:
- Change curtin to shuffle data around on disk so that the private host keys are preserved from a previous deployment
- Store the host keys inside some kind of hardware-specific NVRAM on the node (a hardware security device such as a TPM may be possible, but these devices have limited RAM and are more suited to holding keys - but it's not clear that the TPM state will survive a redeployment.)
- Derive a key using information known only to the node, such as a value computed by a TPM, (or some other information not available in the MAAS database) - plus, possibly, a password entered by the user, or a random salt - to encrypt the private host key, and have MAAS escrow that.
All this sounds like a lot of trouble/risk for not much gain, so I'd suggest going with the simpler option of having the MAAS clusterd query nodes for their new public keys, and make that information available.
But I still think there may be some value in an escrow mechanism, just due to the fact that typical users are so negligent about SSH public key checking. Effectively, it may be more secure overall if the host key never changes. Assuming the MitM isn't already in progress. ;-)