Re: Fixing exchange of host keys in the SSH key exchange

"denis bider \(Bitvise\)" <ietf-ssh3@denisbider.com> Thu, 06 April 2017 20:34 UTC

Message-ID: <05DC33124D144EC0B39A5BF58C8E3A33@Khan>
From: "denis bider (Bitvise)" <ietf-ssh3@denisbider.com>
To: "S.P.Zeidler" <spz@serpens.de>
Cc: ietf-ssh@netbsd.org, djm@mindrot.org, Simon Tatham <anakin@pobox.com>
References: <2216143EDEE342A3A5C9BB786F7FEF7A@Khan> <20170403200250.GB21972@serpens.de>
In-Reply-To: <20170403200250.GB21972@serpens.de>
Subject: Re: Fixing exchange of host keys in the SSH key exchange
Date: Tue, 04 Apr 2017 01:27:25 -0600
List-Id: ietf-ssh.NetBSD.org

OpenSSH documents this as a private extension:

https://github.com/openssh/openssh-portable/blob/master/PROTOCOL#L286

Our SSH Server and Client do not implement this mechanism at this time, but it’s something I would like us to support.

denis


From: S.P.Zeidler 
Sent: Monday, April 3, 2017 14:02
To: denis bider (Bitvise) 
Cc: ietf-ssh@netbsd.org ; djm@mindrot.org ; Simon Tatham 
Subject: Re: Fixing exchange of host keys in the SSH key exchange

Hi,

if I may stick an oar in sideways: if you go to all the trouble,
could you add a mechanism by which the server could advise that
the host key used by the client was still valid but deprecated,
and to download the new host key once connected?

Speaking as an admin of a bunch of servers whose users -do- ask
when the host key changes, I currently feel a need for a better
mechanism for updates to longer keys than "send mail".

regards,
spz
-- 
spz@serpens.de (S.P.Zeidler)
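For readers who want to see what the OpenSSH extension linked above looks like on the wire, and how it covers spz's "still valid but deprecated" case, the following is an added illustration, not code from OpenSSH, Bitvise, or anyone in this thread. The request names and the signed-data layout (request name, session identifier, host key blob) are my reading of the "hostkeys-00@openssh.com" section of the linked PROTOCOL file; the function names, the 32-byte session identifier, and the generated keys are constructed for the example. It uses the third-party `cryptography` package for Ed25519 and only handles that key type.

```python
import struct
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

# Request names as documented in OpenSSH's PROTOCOL file (hostkeys-00@openssh.com section).
ANNOUNCE_REQ = b"hostkeys-00@openssh.com"
PROVE_REQ = b"hostkeys-prove-00@openssh.com"
KEY_TYPE = b"ssh-ed25519"  # the only key type this example handles


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' encoding (RFC 4251): uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_strings(buf: bytes) -> list:
    """Split a run of SSH strings back into a list; reject truncated input."""
    out, i = [], 0
    while i < len(buf):
        if i + 4 > len(buf):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", buf[i:i + 4])
        if i + 4 + n > len(buf):
            raise ValueError("truncated string body")
        out.append(buf[i + 4:i + 4 + n])
        i += 4 + n
    return out


def ed25519_blob(pk: Ed25519PublicKey) -> bytes:
    """OpenSSH public key blob: string "ssh-ed25519", string raw 32-byte key."""
    return ssh_string(KEY_TYPE) + ssh_string(pk.public_bytes(Encoding.Raw, PublicFormat.Raw))


def proof_data(session_id: bytes, hostkey_blob: bytes) -> bytes:
    """What the server signs for each key it is asked to prove. Binding the
    session identifier into the signed data is what stops a captured proof
    from being replayed into a different connection."""
    return ssh_string(PROVE_REQ) + ssh_string(session_id) + ssh_string(hostkey_blob)


def announce(hostkey_blobs: list) -> bytes:
    """Payload of the server's want-reply=false global request: string[] hostkeys."""
    return ssh_string(ANNOUNCE_REQ) + b"\x00" + b"".join(ssh_string(b) for b in hostkey_blobs)


def server_prove(session_id: bytes, private_keys: dict, requested: list) -> list:
    """Server half of hostkeys-prove-00: one signature blob per requested key.
    `private_keys` maps public key blob -> Ed25519PrivateKey the server holds;
    a KeyError here means the server announced a key it cannot prove."""
    sigs = []
    for blob in requested:
        sig = private_keys[blob].sign(proof_data(session_id, blob))
        sigs.append(ssh_string(KEY_TYPE) + ssh_string(sig))
    return sigs


def verify_proof(session_id: bytes, hostkey_blob: bytes, sig_blob: bytes) -> bool:
    """Client half: the signature must verify under the announced key itself,
    over data bound to this session. Any parse failure counts as no proof."""
    try:
        key_type, raw_key = parse_strings(hostkey_blob)
        sig_type, sig = parse_strings(sig_blob)
        if key_type != KEY_TYPE or sig_type != KEY_TYPE:
            return False
        Ed25519PublicKey.from_public_bytes(raw_key).verify(sig, proof_data(session_id, hostkey_blob))
        return True
    except (ValueError, InvalidSignature):
        return False


def update_known_hosts(known: set, session_id: bytes, announced: list, proofs: list) -> set:
    """Client policy: the key already trusted stays trusted (a deprecated key is
    still valid), announced keys are added only when their proof verifies, and
    an unproven announcement removes nothing."""
    accepted = set(known)
    for blob, sig_blob in zip(announced, proofs):
        if verify_proof(session_id, blob, sig_blob):
            accepted.add(blob)
    return accepted


def demo() -> dict:
    """Constructed rotation: server holds old and new keys, client trusts only old."""
    session_id = b"\x01" * 32  # constructed; the real value is the KEX exchange hash
    old_sk, new_sk = Ed25519PrivateKey.generate(), Ed25519PrivateKey.generate()
    old_blob, new_blob = ed25519_blob(old_sk.public_key()), ed25519_blob(new_sk.public_key())
    # Client strips the request name and want-reply byte, then reads the key list.
    announced = parse_strings(announce([old_blob, new_blob])[len(ssh_string(ANNOUNCE_REQ)) + 1:])
    proofs = server_prove(session_id, {old_blob: old_sk, new_blob: new_sk}, announced)
    trusted = update_known_hosts({old_blob}, session_id, announced, proofs)
    # A proof captured here and replayed into another session must not verify.
    replayed = verify_proof(b"\x02" * 32, new_blob, proofs[1])
    # A signature over new_blob made with a different key must not verify either.
    wrong_signer = ssh_string(KEY_TYPE) + ssh_string(old_sk.sign(proof_data(session_id, new_blob)))
    mismatched = verify_proof(session_id, new_blob, wrong_signer)
    return {"old_kept": old_blob in trusted, "new_accepted": new_blob in trusted,
            "replay_accepted": replayed, "mismatched_accepted": mismatched}


if __name__ == "__main__":
    print(demo())
```

The design point for a client implementing the "deprecated but still valid" behaviour is in `update_known_hosts`: the announcement travels inside a session that was already authenticated with the trusted key, the new key is admitted only after it proves possession against this session's identifier, and the previously trusted key is never dropped on the basis of an announcement alone.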