SSH server fingerprint validation

[maertendMSFT]

We are looking to gauge interest in server fingerprint validation for SSH.

When first connecting to a machine the following dialog is shown:

The authenticity of host _______ can't be established.  
key fingerprint is ________
Are you sure you want to continue connecting (yes/no)?

By automatically validating the fingerprint, we can better defend against man-in-the-middle attacks. This functionality would be applicable for both Windows and Unix systems.

Please upvote or comment on this discussion if you are interested.

[jborean93]

I'm unsure what this discussion is about? Is it talking about different validation methods outside of the standard host key checks or talking about changing the existing implementation which sounds like what you've described?

[agowa]

Three scenarios:

1. Standalone system somewhere, use SSHFP (if possible with dnssec). If no dnssec is available only use it to detect a mismatch (and show an error if they don't match) but still show the warning, as we don't know if that information is trustworthy. If dnssec is valid and keys match also silence the above warning on first use. If dnssec is valid but keys don't match show an error.
2. System is part of the same (maybe also use trusts, but that doesn't translate that well to non-windows systems) LDAP(S), query the computer object of the remote system, and look into a (newly to be defined) attribute to validate that this is the correct SSH key. Similar to how a Microsoft active directory currently stores S/MIME certificates for users.
3. Part of the same Kerberos realm (or a trusted for cross-realm) => Rely on GSSAPI and (MIT-)Kerberos to validate the host instead of relying solely on the SSH key.

[Okeanos]

OpenSSH already has a mechanism besides fingerprints to verify user and host authenticity via certificates.

Are you looking to improve that/the user experience around this? There was even a recent discussion on Hackernews following the GitHub RSA rotation.