SSH PKI on top of Web PKI


Reading "Future Internet PKI schemes need to be bootstrapped through web PKI", I was reminded of all the problems I’ve had with SSH (Secure SHell) PKI (Public Key Infrastructure). SSH host verification is trust-on-first-use (TOFU), so SSH is protected from man-in-the-middle (MITM) attacks unless the very first connection falls prey to one.

There are many possible solutions. SSH host key fingerprints can be stored in DNS SSHFP records. DNS isn’t secured by default, but it can be with DNSSEC. Even then, ssh(1) doesn’t know whether the DNS lookup was secure or not.

SSH certificates can be used to sign host keys. This works if the certificates can be distributed to all users. But SSH certificates are seldom used because they are seen as complicated.

SSSD can fetch host keys from LDAP. This is a decent solution for larger organisations.

After all this, Chris’ suggestion of basing things on Web PKI sounds quite viable. We would probably need a standard for, e.g., storing host keys under well-known (RFC 8615) paths, like https://host.domain.tld/.well-known/ssh/host.domain.tld. I consider it important not to require query parameters (as WebFinger (RFC 7033) does), so that a directory hierarchy of static files is enough. Lookup could bubble up the domain components, like https://domain.tld/.well-known/ssh/host.domain.tld.

This would not require changes to SSH itself, as ssh_config already supports KnownHostsCommand. Some consideration should be given to minimising HTTP requests, supporting certificates, allowing extensibility, etc.
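To make the idea concrete, here is a sketch of such a KnownHostsCommand as an added example (my own code, not from the original post or from OpenSSH). It assumes the well-known layout proposed above (`https://<domain>/.well-known/ssh/<host>`, which is not a standard), that the file at that path holds plain known_hosts lines, and that `curl` is available. The `%H` token, which ssh_config expands to the remote hostname, is real; the script name is hypothetical.

```shell
#!/bin/sh
# Hypothetical KnownHostsCommand that fetches host keys over Web PKI.
# Install in ~/.ssh/config as:
#   KnownHostsCommand /path/to/wellknown-hostkeys.sh %H
# Assumption (not a standard): the well-known file contains known_hosts lines.
set -u

# Print candidate URLs for a hostname, most specific first: the host itself,
# then each parent domain ("bubbling up" the domain components).
# A bare name without a dot yields no candidates.
candidate_urls() {
    host=$1
    d=$host
    while [ -n "$d" ] && [ "$d" != "${d#*.}" ]; do
        printf 'https://%s/.well-known/ssh/%s\n' "$d" "$host"
        d=${d#*.}
    done
}

# Keep only lines whose host field names exactly the requested host, so a
# parent-domain server can't hand ssh keys for some other name.
filter_lines() {
    host=$1
    awk -v h="$host" '$1 == h && NF >= 3 { print }'
}

# Try each candidate URL; stop at the first one that yields usable lines.
# curl -f makes HTTP errors fail quietly, and TLS verification stays on,
# which is exactly the Web PKI trust this scheme relies on.
fetch_host_keys() {
    host=$1
    for url in $(candidate_urls "$host"); do
        body=$(curl -fsS --max-time 5 "$url") || continue
        out=$(printf '%s\n' "$body" | filter_lines "$host")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            return 0
        fi
    done
    # Nothing found: print no keys and exit 0, so ssh falls back to its usual
    # known_hosts/TOFU behaviour. A non-zero exit would reject the connection.
    return 0
}

if [ $# -eq 1 ]; then
    fetch_host_keys "$1"
fi
```

Two design points worth noting: ssh rejects the connection outright if a KnownHostsCommand exits non-zero, so transient HTTPS failures are deliberately swallowed here (this keeps the scheme opt-in rather than turning a web outage into an SSH outage), and ssh may invoke the command more than once per connection, so a real deployment would want a small cache to keep the HTTP request count down.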

It would not be a perfect solution, but it would be opt-in and it would lower the odds of MITM on first use.