Hello,
It would be great if there is a mechanism to verify SSH keys through Time4VPS interface so that we can make sure that it's the right server we are connecting to, when connecting to it from a client first time. This can be done by running
ssh-keyscan [IPADDR]
from a trusted Time4VPS endpoint and returning the value. Please add this feature like what you have for rebooting servers, etc. - it means a lot in terms of security (preventing MITM attacks over SSH, etc. as SSH, by design, does not have any such mechanism for pre-mediated third party based key verification) https://www.giac.org/paper/gsec/2034/conducting-ssh-man-middle-attacks-sshmitm/103515
This problem is actually intended to be solved by SSH Fingerprint (SSHFP) in the DNS system combined with the usage of VerifyHostKeyDNS in the SSH client configuration.
I'd imagine using public key authentication also can help verify remote hosts since the remote host has to already have a copy of the public key matched to your private key to even begin negotiating the ssh session
andreweb: Well, SSHFP in the DNS does not solve this issue as it has to be configured in the first place using some blindly trusted keys. What if the first connection itself cannot be trusted to configure these in the first place? We don't know the key, we can't do it from our side. Of course, pretty much all our servers have a domain name (automatically given by Time4VPS, domain.time4vps.com).
VerifyHostKeyDNS can only help when the domain.t4vps.com is already configured with DNSSEC AND the DNS entry is already updated automatically from Time4VPS side. This is much more complicated than running ssh-keyscan [domain] on request using some automatic interface.
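Added example (not from this thread or from Time4VPS): the two checks discussed above, in Python. It builds the line that ssh-keyscan prints, derives the SHA256: fingerprint the ssh client shows at first connection, and compares the key the client observed against the key obtained over the trusted channel; it also emits the SHA-256 SSHFP record data that ssh-keygen -r would publish in DNS for use with VerifyHostKeyDNS. The hostname vps.example.com and the key bytes are constructed sample values, not a real server or key.

```python
import base64
import hashlib
import hmac

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479); fingerprint type 2 is SHA-256.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_SHA256 = 2


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length, then data."""
    return len(data).to_bytes(4, "big") + data


def make_ed25519_blob(raw_public_key: bytes) -> bytes:
    """Build an ssh-ed25519 public key blob (the part ssh-keyscan base64-encodes).
    Used here only to construct sample keys; the 32 bytes are not a real key."""
    if len(raw_public_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_public_key)


def keyscan_line(host: str, keytype: str, blob: bytes) -> str:
    """Format a line the way ssh-keyscan prints it (and known_hosts stores it)."""
    return f"{host} {keytype} {base64.b64encode(blob).decode()}"


def parse_keyscan_line(line: str):
    """Return (host, keytype, blob) for one ssh-keyscan output line; comment lines -> None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"not a keyscan line: {line!r}")
    host, keytype, b64 = fields[:3]
    return host, keytype, base64.b64decode(b64)


def sha256_fingerprint(blob: bytes) -> str:
    """Fingerprint in the form the ssh client shows on first connection:
    'SHA256:' followed by the unpadded base64 of the SHA-256 digest of the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_rdata(keytype: str, blob: bytes) -> str:
    """RDATA of an SSHFP record with a SHA-256 fingerprint (what 'ssh-keygen -r' emits).
    Only useful to VerifyHostKeyDNS once the zone is DNSSEC-signed, as the thread notes."""
    return f"{SSHFP_ALGORITHM[keytype]} {SSHFP_SHA256} {hashlib.sha256(blob).hexdigest()}"


def host_key_matches(trusted_line: str, observed_keytype: str, observed_blob: bytes) -> bool:
    """Compare the key the client observed with the one fetched over the trusted channel.
    A key of a different type, or a different key of the same type, is rejected."""
    parsed = parse_keyscan_line(trusted_line)
    if parsed is None:
        return False
    _, trusted_keytype, trusted_blob = parsed
    if trusted_keytype != observed_keytype:
        return False
    return hmac.compare_digest(sha256_fingerprint(trusted_blob), sha256_fingerprint(observed_blob))


# Constructed sample: example.com hostname and made-up key bytes (not a real host or key).
SAMPLE_HOST = "vps.example.com"
SAMPLE_BLOB = make_ed25519_blob(bytes(range(32)))
SAMPLE_KEYSCAN_LINE = keyscan_line(SAMPLE_HOST, "ssh-ed25519", SAMPLE_BLOB)

if __name__ == "__main__":
    print("trusted keyscan line  :", SAMPLE_KEYSCAN_LINE)
    print("fingerprint to compare:", sha256_fingerprint(SAMPLE_BLOB))
    print("SSHFP record          :", f"{SAMPLE_HOST}. IN SSHFP {sshfp_rdata('ssh-ed25519', SAMPLE_BLOB)}")
    # A key substituted on the path between client and server fails the comparison.
    forged = make_ed25519_blob(bytes(32))
    print("forged key accepted?  :", host_key_matches(SAMPLE_KEYSCAN_LINE, "ssh-ed25519", forged))
```

In practice the trusted line would come from the provider's interface (the feature requested above) and the observed key type and blob from the client's known_hosts entry or the fingerprint prompt; if the fingerprints differ, the first connection should be refused rather than accepted.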