LWN: Comments on "OpenSSH 8.5 released"

My use case: one hundred systems with the same ssh host key

emmi3 — Mon, 08 Mar 2021 17:13:10 +0000

I have the following setup: nearly one hundred thin clients for home office use ("Telearbeit" / tele work) running from the same live linux image.

The (cutomized) images are built using live-build form debian-live. Normally live-build would delete the ssh host key during build time and live-config would create a new ssh host key on every startup. This was undesirable since ssh would complain about the changed host key after every reboot of the thin client. Therefore I baked one predefined host key directly into the image.

The thin clients are connected to our university environment via wireguard using a 10-something private subnet. Thus we have nearly one hundred different physical hosts (with different but fixed IPs and hostnames) using the same ssh host key.

I don't see anything wrong with this setup and I think this is a valid use case. If my ssh client starts complaining about all those hosts having the same host key, I will have to start creating separate keys for every client and distributing them like I do with the wireguard preshared keys and other client specific data right now. No big deal, but I don't really see any benefit from this.

OpenSSH 8.5 released

josh — Mon, 08 Mar 2021 00:22:51 +0000

Cloud providers don't typically do this in their DHCP servers. (And I think it makes sense that they don't, for a variety of reasons, not least of which that it's better to show people very quickly that IPs will change, rather than let them experience breakage later on.)

OpenSSH 8.5 released

Cyberax — Sun, 07 Mar 2021 15:12:23 +0000

> Then you'll have a lot less of this happening, as each VM will end up using the same address virtually all the time.
Then you'll run out of addresses, since VMs are disposable and each new VM gets a new MAC.

OpenSSH 8.5 released

vadim — Sun, 07 Mar 2021 12:21:04 +0000

You can configure a DHCP server to hand out leases for a long time, like a month or even a year.

Then you'll have a lot less of this happening, as each VM will end up using the same address virtually all the time.

OpenSSH 8.5 released

josh — Thu, 04 Mar 2021 22:06:43 +0000

Virtual machine instances that are regularly shut down and brought back up, and don't have or need a static IP. Start instance, get IP for instance, SSH to instance, work with instance, shut down instance.

OpenSSH 8.5 released

Cyberax — Thu, 04 Mar 2021 22:06:22 +0000

Uh, the hosts will have different keys but the same IP. So you get the dreaded "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED" message from SSH each time you try to connect.

OpenSSH 8.5 released

nye — Thu, 04 Mar 2021 17:43:21 +0000

Now I'm *really* curious. What's the application here? No worries if it's something you can't/don't want to go into.

OpenSSH 8.5 released

josh — Thu, 04 Mar 2021 16:16:54 +0000

Same virtual machine, same host key, no hostname, different IPs.

OpenSSH 8.5 released

nye — Thu, 04 Mar 2021 12:21:42 +0000

Well unless those hosts are reusing the same host key then there won't be any "other host names/addresses already associated with the key", so you can't end up with a list containing hundreds of entries.

(And if they *are* reusing the same key, then you still won't end up with such a list unless you connect via a new throwaway DNS name for each one instead of using a fixed hostname or the unchanging IP address.)

OpenSSH 8.5 released

Cyberax — Thu, 04 Mar 2021 11:37:32 +0000

No, reusing the same IP for different throwaway hosts.

OpenSSH 8.5 released

nye — Thu, 04 Mar 2021 11:33:11 +0000

As in you're re-using the same host key on hundreds of machines, or you're connecting to the same machine via hundreds of aliases? Both of these seem like pretty niche use cases that I'd only expect to see in some kind of automated environment (probably involving throwaway test systems in the first case, given the risk involved in reusing a key).

OpenSSH 8.5 released

johill — Thu, 04 Mar 2021 10:36:39 +0000

I think they meant *host* key, not *client* key, here? At least that's how I read it? Hmm, maybe not?

OpenSSH 8.5 released

josh — Thu, 04 Mar 2021 07:11:57 +0000

I'd expect the common case for me to be in the hundreds. That doesn't seem unreasonable, depending on how it's presented.

OpenSSH 8.5 released

djm — Thu, 04 Mar 2021 01:03:20 +0000

> And this one, though it could produce a massive amount of output in some cases.

yeah, if this turns out to be a problem in practice then let us know and we'll add a limit.

OpenSSH 8.5 released

unixbhaskar — Wed, 03 Mar 2021 23:12:00 +0000

> * ssh(1): when prompting the user to accept a new hostkey, display
> any other host names/addresses already associated with the key.

This one would be really interesting!

OpenSSH 8.5 released

josh — Wed, 03 Mar 2021 18:13:13 +0000

> * ssh(1): disable CheckHostIP by default. It provides insignificant
> benefits while making key rotation significantly more difficult,
> especially for hosts behind IP-based load-balancers.

I'm excited to see this change.

> * ssh(1): when prompting the user to accept a new hostkey, display
> any other host names/addresses already associated with the key.

And this one, though it could produce a massive amount of output in some cases.