Stop MitM on the first SSH connection, on any VPS or cloud provider

Posted by JoachimSchipper 3 days ago

Stop MitM on the first SSH connection, on any VPS or cloud provider(www.joachimschipper.nl)

122 points | 67 commentspage 2

crypt0r84 18 hours ago|

provision the hosts with an SSH CA, use the CA as a trust root in openssh. they are various version out there from the big players.

zuzululu 17 hours ago||

but how real is this threat? you buy a box from hetzner or some VPS provider and its rooted when you try to ssh ?

tptacek 13 hours ago||

If you don't assume the network between you and Hetzner is compromised, you might as well just use rsh instead of ssh.

tabwidth 14 hours ago|||

The box itself is probably fine. It's the path between you and it. In shared infrastructure one compromised hop somewhere upstream is enough and now you're SSHing into the wrong thing without realizing it.

projektfu 16 hours ago||

You get a box and someone is sitting on its IP address (in the middle), proxying to the real one, so everything is getting logged. Other comments say that this mitm stops working when you use public key authentication.

cesarb 15 hours ago||

> Other comments say that this mitm stops working when you use public key authentication.

It doesn't completely stop working; a MITM can still pretend to be the server, it just can't authenticate to the real server on your behalf. You could be doing all your work in a fake server controlled by the attacker, while the real server sits there untouched.

projektfu 15 hours ago||

If that were the case then I don't think the OP approach works either.

mjmas 7 hours ago||

It does note that it only protects against an attacker "who learns the cloud-init user-data at any point after the script terminates".

If the attacker can get the cloud-init user-data while the script is still running (in the time between sending the cloud-config.yaml and connecting with SSH to the machine) that would still allow MitM, but would require more effort on the attacker's part to leak the cloud-init data.

The point of the script was that leaking the cloud-init data after the script has completed is harmless.

projektfu 2 hours ago||

Yes, I'm just saying if you think you've set up a server with Hetzner, but Smersh is able to intercept your first interaction with it and present you a server that you think is the one you created, then it doesn't matter how much you try to harden the compromised server. But if you get MITM later in the the process, the above is the scenario you are worried about.

TacticalCoder 14 hours ago||

> inject a temporary SSH host (private) key via cloud-init...

Reading the comments here I'm tempted to believe that if cloud-init is available and if we consider Heztner (and OVH etc.) provides a secure access to cloud-init (i.e. the box running cloud-init is really the box you think it is), then there are many different ways to solve this problem.

jmholla 10 hours ago|

I've been thinking of setting up a simple server that publishes the public keys at a known endpoints. You point an A record for one of your subdomains at the machine and it can provision a TLS cert. Then you can be reasonably confident your connection hasn't been MitM (assuming your trust your cert provider) when you query for those public keys.

The one presented in the article has fewer moving parts though. I'm also curious what ideas are bouncing around your head if you're willing to share.

burnt-resistor 9 hours ago||

I guess they don't teach public key-enabled SPA secure port knocking anymore to defend ports of jumpboxes. And using jumpboxes and an internal vlan rather than putting control ports on the wild internet, right?

riffic 16 hours ago||

zero touch prod might be something folks should keep as a north star - SSH should be break glass and a last resort if possible.

https://www.usenix.org/conference/srecon19emea/presentation/...

skydhash 19 hours ago||

> The technique appears to be new: I haven't found a proper write-up of this, nor of any other provider-independent solution (but I'd welcome a correction).

To be frank, anyone that serious about security would probably log in via console, generate and retrieve the host key that way. And then any client would have strict verification enabled.

It's kinda the 101 of communication using public keys cryptography. You have to get hold of the public key in a secure manner first (direct contact or attestation by a third party).

Section 3.1 in Bruce Scheiner's Applied Cryptography discuss how to automatically solves MITM. But that's only important for M:N communications (TSL). For 1:1 communications where you can have secure exchange before hand, no need to go that far.

dboreham 12 hours ago|

Attacker might have MITMed the console.

isaisabella 8 hours ago||

[dead]

PunchyHamster 17 hours ago|

Seems like way easier way would be sshing for the first time and just typing `sudo reboot`. If VM reboots, it is yours

Or cat-ing some secrets that would be on target machine but not attacker

kardos 8 hours ago|

A mitm does not redirect your ssh login to their machine