Reading “Future Internet PKI schemes need to be bootstrapped through web PKI” I was reminded of all the problems I’ve had with SSH (Secure SHell) PKI (Public Key Infrastructure). SSH host verification is trust-on-first-use (TOFU): the host key presented on the first connection is accepted and remembered, so SSH is protected from man-in-the-middle (MITM) attacks only if that first connection was not itself attacked.
There are many possible solutions. SSH host key fingerprints can be stored in DNS SSHFP records. DNS isn’t secured by default but can be with DNSSEC. But ssh(1) does not validate DNSSEC itself: with VerifyHostKeyDNS it can only trust the AD (authenticated data) flag set by the local resolver, and without that flag a matching SSHFP record merely earns a note in the usual TOFU prompt.
SSH certificates can be used to sign host keys. This works if the CA’s public key can be distributed to all users (an @cert-authority line in their known_hosts). But SSH certificates are seldom used because they are seen as complicated.
SSSD can fetch host keys from LDAP (FreeIPA does this out of the box). This is a decent solution for larger organisations, but it presumes central identity management.
After all this, Chris’ suggestion of basing things on Web PKI sounds quite viable. We probably need a standard for, e.g., storing host keys at well-known (RFC 8615) paths. Like
I consider it important not to require query parameters (as WebFinger (RFC 7033) does), so that a directory hierarchy of static files is enough. Lookup could bubble up the domain components, like
This would not require changes in SSH, since ssh_config(5) already has KnownHostsCommand. Some consideration should be given to minimizing HTTP requests, supporting certificates, allowing extensibility, etc.
It would not be a perfect solution, since it shifts the trust to the Web PKI and to whoever controls the domain’s HTTPS endpoint, but it would be opt-in and it would lower the odds of a MITM on first use.