ssh connection - remote host identification has changed

Hi all,
I have a problem regarding ssh connection with **strict host key
checking** enabled.

Normally, if the warning appears I would just delete the key from my
known_hosts file and accept the new server (after checking that there is
no spoofing) again. Done manually, this is no problem. But I need an
sftp connection from an automated client, and would need to accept the
server automatically.

The problem is now, that I do not know if the server has simply been
reloaded on another instance (with a different fingerprint), or someone
is spoofing the computer?

Should I just turn strict host key checking off on my client, since the
sftp server contains solely data to be downloaded and processed?

Or, is there another idea how to solve it?

(We use a server infrastructure that changes servers all the time, this
means, they get replaced by another machine and restarted randomly with
the same services and configuration -- AWS-EB)

Cheers,
Peter

Peter Moser wrote:

> The problem is now, that I do not know if the server has simply been reloaded
> on another instance (with a different fingerprint), or someone is spoofing
> the computer?
>
> Should I just turn strict host key checking off on my client, since the
> sftp server contains solely data to be downloaded and processed?

The question is, is it important to know if you are downloading the data
from a certain host?
If that is the case, then keep StrictHostKeyChecking on and fail as
noisily as possible to prompt manual intervention (depending on the
frequency of re-installations).
If not, then you need to validate the data (or its origin) somehow,
and security and automation will always be in conflict to some extent.

> Or, is there another idea how to solve it?

Depends on your security needs, really. Some that come to mind:

- when redeploying the AWS (via chef/puppet/ansible/cms-of-the-day, I
  presume) then install a well-known SSH key for the host, rather than
  have it autogenerated by sshd on the first start.
- store the fingerprint in the SSHFP DNS record and experiment with the
  VerifyHostKeyDNS option (brittle and overkill, IMHO, but might work
  for you).
- download over HTTPS, if you don't care about host authentication.
- download over HTTPS + X.509 if you do care about host and user
  authentication.
- separate download and authentication: download from cani-e-porci.com
  but process the data only if it was correctly signed by a well-known
  PGP key, for example.

HTH,
Thomas

> Should I just turn strict host key checking off on my client, since the
> sftp server contains solely data to be downloaded and processed?

No. :)

> Or, is there another idea how to solve it?

SSH supports a Certification Authority approach for both host keys and
user keys, this way:
- a user trusting the CA "xyz" will not complain if the host_keys are
unknown as long as they are signed by the trusted CA (even on first
connection)
- a host trusting the CA "xyz" will not complain if the user keys are
unknown as long as they are signed by the trusted CA (even on first
connection)

A quick duck-duck-go search for "ssh key CA" finds relevant results for
me.

Ciao,
Daniele
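
Added example, not part of the original thread: a minimal host-CA workflow with `ssh-keygen`, showing what is signed and what the client has to trust. The CA name `files-ca`, the hostname `sftp.example.internal` and all file names are constructed for illustration.

```shell
# Host-certificate setup with a throwaway CA (all names here are constructed).
# On the server, sshd_config then needs:
#   HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub

# Create a CA, sign a freshly generated host key, and write the single
# known_hosts line a client needs to accept every host this CA has signed.
make_host_cert() {
    dir=$1; host=$2
    # CA key pair: the private half stays with whoever provisions instances.
    ssh-keygen -q -t ed25519 -N '' -C 'files-ca' -f "$dir/ca" || return 1
    # Host key, as a new instance would generate it on first boot.
    ssh-keygen -q -t ed25519 -N '' -C "$host" \
        -f "$dir/ssh_host_ed25519_key" || return 1
    # -h: host (not user) certificate, -I: key id shown in logs,
    # -n: principals (names the certificate is valid for), -V: validity.
    ssh-keygen -q -s "$dir/ca" -h -I "$host-host" -n "$host" -V +52w \
        "$dir/ssh_host_ed25519_key.pub" || return 1
    # Client side: one line replaces per-host fingerprints for this name.
    printf '@cert-authority %s %s\n' "$host" "$(cat "$dir/ca.pub")" \
        > "$dir/known_hosts"
}

# Return 0 only if the file is a host certificate listing $host as principal.
cert_covers_host() {
    cert=$1; host=$2
    info=$(ssh-keygen -L -f "$cert") || return 1
    printf '%s\n' "$info" | grep -q 'Type: .* host certificate' || return 1
    # Principals are printed one per line, indented; compare them literally.
    printf '%s\n' "$info" | sed 's/^[[:space:]]*//' | grep -Fqx "$host"
}

# Usage: d=$(mktemp -d) && make_host_cert "$d" sftp.example.internal
```

The automated client keeps StrictHostKeyChecking enabled and uses the generated `known_hosts` line; a replaced instance only needs its new host key signed by the same CA during provisioning.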

Daniele wrote:

> SSH supports a Certification Authority approach for both host keys and user
> keys, this way:

I've tried this recently, and it works like a charm! Thanks for the
hint.

Thomas

PS:
Sorry for unearthing this long-deceased thread.

Hello,

are there any Ubuntu Touch/UBports users on the list?

--k