[openstack-dev] Supporting SSH host certificates

Clint Byrum clint at fewbar.com
Fri Oct 6 07:37:42 UTC 2017


A long time ago, a few Canonical employees (Scott Moser was one of them,
forget who else was doing it, maybe Dave Walker and/or Dustin Kirkland)
worked out a scheme for general usage that doesn't require extra plumbing:

 * Client generates a small SSH host key locally and pushes it into
   user data in a way which causes the image to boot and install this
   key from user_data as the host SSH key.
 * Client SSH's in with the strict requirement that the host key be the
   one they just generated and pushed into the instance.
 * Client now triggers new host key generation, and copies new public
   key into client known_hosts.

With this system you don't have to scrape console logs for SSH keys or
build your system on hope.

Excerpts from Giuseppe de Candia's message of 2017-09-29 14:21:06 -0500:
> Hi Folks,
> 
> 
> 
> My intent in this e-mail is to solicit advice for how to inject SSH host
> certificates into VM instances, with minimal or no burden on users.
> 
> 
> 
> Background (skip if you're already familiar with SSH certificates): without
> host certificates, when clients ssh to a host for the first time (or after
> the host has been re-installed), they have to hope that there's no man in
> the middle and that the public key being presented actually belongs to the
> host they're trying to reach. The host's public key is stored in the
> client's known_hosts file. SSH host certicates eliminate the possibility of
> Man-in-the-Middle attack: a Certificate Authority public key is distributed
> to clients (and written to their known_hosts file with a special syntax and
> options); the host public key is signed by the CA, generating an SSH
> certificate that contains the hostname and validity period (among other
> things). When negotiating the ssh connection, the host presents its SSH
> host certificate and the client verifies that it was signed by the CA.
> 
> 
> 
> How to support SSH host certificates in OpenStack?
> 
> 
> 
> First, let's consider doing it by hand, instance by instance. The only
> solution I can think of is to VNC to the instance, copy the public key to
> my CA server, sign it, and then write the certificate back into the host
> (again via VNC). I cannot ssh without risking a MITM attack. What about
> using Nova user-data? User-data is exposed via the metadata service.
> Metadata is queried via http (reply transmitted in the clear, susceptible
> to snooping), and any compute node can query for any instance's
> meta-data/user-data.
> 
> 
> 
> At this point I have to admit I'm ignorant of details of cloud-init. I know
> cloud-init allows specifying SSH private keys (both for users and for SSH
> service). I have not yet studied how such information is securely injected
> into an instance. I assume it should only be made available via ConfigDrive
> rather than metadata-service (again, that service transmits in the clear).
> 
> 
> 
> What about providing SSH host certificates as a service in OpenStack? Let's
> keep out of scope issues around choosing and storing the CA keys, but the
> CA key is per project. What design supports setting up the SSH host
> certificate automatically for every VM instance?
> 
> 
> 
> I have looked at Vendor Data and I don't see a way to use that, mainly
> because 1) it doesn't take parameters, so you can't pass the public key
> out; and 2) it's queried over http, not https.
> 
> 
> 
> Just as a feasibility argument, one solution would be to modify Nova
> compute instance boot code. Nova compute can securely query a CA service
> asking for a triplet (private key, public key, SSH certificate) for the
> specific hostname. It can then inject the triplet using ConfigDrive. I
> believe this securely gets the private key into the instance.
> 
> 
> 
> I cannot figure out how to get the equivalent functionality without
> modifying Nova compute and the boot process. Every solution I can think of
> risks either exposing the private key or vulnerability to a MITM attack
> during the signing process.
> 
> 
> 
> Your help is appreciated.
> 
> 
> 
> --Pino



More information about the OpenStack-dev mailing list