StrictHostKeyChecking=no #5029

jonaseberle · 2023-06-27T08:34:41Z

jonaseberle
Jun 27, 2023

Hi,

I'd like to discuss the current default SSH client config StrictHostKeyChecking=no.

For outgoing connections that removes a layer of protection against MITM.
We use DDEV for parts of our deployment pipeline and were adding .ddev/homeadditions/.ssh/config (with StrictHostKeyChecking=yes or since OpenSSH 7.6 StrictHostKeyChecking=accept-new) in some projects (but not in all which raised some security question...). I like to keep things easy but I agree with the security folks that this is unexpected for SSH users.

I would suggest to use accept-new by default which would require the user to deal with it if the host key really changed (clear the line from /home/.ssh-agent/known_hosts) but would not get in the way while host keys are not changing.

What do you think?

man ssh_config:

StrictHostKeyChecking
  If this flag is set to yes, ssh(1) will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect to
  hosts whose host key has changed.  This provides maximum protection against man-in-the-middle (MITM) attacks, though it can be annoying
  when the /etc/ssh/ssh_known_hosts file is poorly maintained or when connections to new hosts are frequently made.  This option forces
  the user to manually add all new hosts.

  If this flag is set to accept-new then ssh will automatically add new host keys to the user's known_hosts file, but will not permit con‐
  nections to hosts with changed host keys.  If this flag is set to no or off, ssh will automatically add new host keys to the user known
  hosts files and allow connections to hosts with changed hostkeys to proceed, subject to some restrictions.  If this flag is set to ask
  (the default), new host keys will be added to the user known host files only after the user has confirmed that is what they really want
  to do, and ssh will refuse to connect to hosts whose host key has changed.  The host keys of known hosts will be verified automatically
  in all cases.

Relates: #1266

rfay · 2023-06-27T13:16:03Z

rfay
Jun 27, 2023
Maintainer

I think I'd be fine with this. However, since the known_hosts does not normally persist, it's not that relevant, and everything should work out fine.

If accept-new is in current ssh config, this will be fine, a PR is welcome, happy to help with it.

0 replies

jonaseberle · 2023-07-07T21:25:50Z

jonaseberle
Jul 7, 2023
Author

We've seen it being persisted in a project where we had that enabled with a custom SSH config. So it might produce some support tickets where the host key actually changed. Yet OpenSSH is actually very helpful in its warning message in that case.
I'll open a PR.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DDEV

StrictHostKeyChecking=no #5029

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

DDEV

StrictHostKeyChecking=no #5029

Uh oh!

Uh oh!

jonaseberle Jun 27, 2023

Replies: 2 comments

Uh oh!

rfay Jun 27, 2023 Maintainer

Uh oh!

jonaseberle Jul 7, 2023 Author

jonaseberle
Jun 27, 2023

rfay
Jun 27, 2023
Maintainer

jonaseberle
Jul 7, 2023
Author