5

(note: this seems similar to an existing question, but I believe there are some differences in the implementation details here)

The Problem

I've got a few hundred hosts behind a single DNS address. Each host has its own separate host key (and I can't change it - it's set by the vendor and must not be modified).

When I try connecting to any of the hosts via the single name a second time, this understandably makes ssh very upset:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The DSA host key for (hostname) has changed,
and the key for the corresponding IP address 192.168.0.100
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
SHA256:+38sJSsANknk6vVIHJ/l/xnPCl+ALCNrbi80vrr24cM.
Please contact your system administrator.
Add correct host key in /Users/me/.ssh/known_hosts to get rid of this message.
Offending DSA key in /Users/me/.ssh/known_hosts:291
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,password,keyboard-interactive).

The difficulty

  • I can't set all the host keys to the same thing.
  • Connecting to a single IP address is not a good workaround, since this isn't an actual "round robin", rather its a DNS service provided by the hardware that routes the connection to the least busy server.
  • My users, as well as some automated processes, must be able to hit the single DNS name.

The question

What would be the best practices for this environment to use SSH securely (that is, with as much verification intact as possible)?

I don't want to disable key verification for security reasons, and the obvious workaround of connecting to a single IP address circumvents the load balancing provided by the vendor's DNS implementation.

Karu
  • 4,922

1 Answers1

4

You can pre-generate known_hosts for all your IP's using ssh-keyscan. Then set it on users systems as GlobalKnownHostsFile (readonly) and for that specific hostname disable UserKnownHostsFile (set to /dev/null).

I didn't try it, but it should be satisfied with IP and if it will not be able to write known_hosts record with hostname.

Example client /etc/ssh/ssh_config (also good to distribute):

[...] # other stuff
Host dns_hostname
  GlobalKnownHostsFile /etc/ssh/known_hosts
  UserKnownHostsFile /dev/null
Jakuje
  • 10,827