4

Let's say my organization has a domain example.com and a server running a recent version of Ubuntu with the name myserver.example.com. Let's also say I'm on a Windows machine able to reach the server on port 22. I want to use putty to ssh to this server.

The first time I connect I'll see a warning message like this:

putty message: the host key is not cached for this server

From here I can either connect once and continue to see the error in the future, accept the host key so it will be trusted in the future, or cancel, since I can't validate the identity of the server for certain.

Now let's say I also have a wildcard certificate for *.example.com issued by a major publicly-trusted CA such as DigiCert, Comodo, GlobalSign, etc., and with myserver.example.com in the subject alternative name (SAN) list.

How could I go about installing the certificate to the server so it is used for the ssh connection signature (not user authentication — that will be separate!) and trusted by the client computer, so this warning does not display? What attributes need to be included with the certificate that might not be included out of the box?

1
  • 2
    Note that you don't "accept the certificate", because it isn't a certificate. It's just a public key, it isn't signed by anybody else, and doesn't assert an identity other than the ID of the key.
    – jcaron
    Commented 8 hours ago

3 Answers

8

It seems you desire a PKI for SSH:

How could I go about installing the certificate to the server so it is used for the initial ssh connection (not user authentication — that will be separate!) and trusted by the client computer, so this warning does not display?

The problem is that OpenSSH can't use X.509 PKI. RFC 6187 declares the way to support that, but stock OpenSSH doesn't implement it. There exist unofficial builds by Roumen Petrov that include such support, and these can actually use X.509 certificates.

Instead, OpenSSH defines its own ad-hoc form of PKI, see man ssh-keygen for details.

My most "magical" experience with this, however, was DNSSEC as a PKI and SSHFP DNS RRs to publish keys. In that case conforming clients will not ask this, exactly as you want. PuTTY doesn't support it; the built-in OpenSSH client feature of Windows does, though (since Windows 10 and Windows Server 2016, AFAIK). But, as @dave_thompson_085 mentioned in their comment, good luck setting it up with a Windows workstation; I've never tried it, my workstations are all Linux.

In a practical sense, the most affordable and easy way is to distribute host keys and/or the SSH PKI's signing key to clients using a configuration management system like Ansible.

2
  • 1
    I see myself in the near future putting together a .reg file with keys for each well-known host in our environment and pushing that out, so that the appearance of the dialog box in my question can be cause for concern instead of almost normal and something that might tend to be rubber-stamped.
    – Joel Coel
    Commented 4 hours ago
  • I feel it's worth pointing out that for many years I used SSHFP records in DNSSEC-secured DNS zones and, while it worked well, I eventually found that the maintenance overhead was not worth it and it was easier simply to distribute via other means known_hosts files with the host public keys.
    – cjs
    Commented 46 mins ago
5

I see one indirect way of not-too-manually bootstrapping from an HTTPS cert to PuTTY:

  1. have your webserver serve (over HTTPS) the host's SSH public key(s). The simple way is to copy either the .pub file(s) or just the blob value(s) from /etc/ssh to some appropriate place in your web data. Depending on your server and config it may be possible to have the server access the /etc/ssh file directly, but doing this without sufficient care may create vulnerabilities that allow important secret data to be leaked, and I wouldn't take the chance.

  2. use any HTTPS tool on your client to verifiably download that .pub value(s) -- recent Windows has curl standard, practically any Windows has PowerShell Invoke-WebRequest or VBScript XMLHTTP.

  3. run putty (at least once) with -hostkey x containing the desired publickey blob, or run plink -batch -hostkey x and a dummy command which should update the registry similarly

3

You can't. SSH does not use TLS. The default security model is trust on first use.

What you can do is publish the key.

4
  • 1
    Bummer. I know ssh is not TLS, but certificates are used for a number of other things beyond tls and I was hoping there was some "extended key usage" attribute or similar I could configure that would let sshd use the cert and let a client validate the cert as authentic for the expected name.
    – Joel Coel
    Commented yesterday
  • OpenSSH (including the port of OpenSSH available on currently supported Windows i.e. 10 or 11) supports SSHFP, but PuTTY suite does not. Plus SSHFP is only actually secure if DNSSEC is used, which Windows workstation does not by itself, so it depends on whether you use a recursor that does and that you communicate with untamperably, for example a physically protected LAN with no WiFi.
    Commented 17 hours ago
  • This is wrong. A common security model used with SSH is trust-with-first-use, but it's not terribly difficult to distribute host public keys out-of-band in a fairly secure way (certainly more secure than trust-on-first use!) and surely there are people other than me that do this.
    – cjs
    Commented 43 mins ago
  • Yes, I even link to methods for publishing the keys out of band.
    – vidarlo
    Commented 42 mins ago
