
When the key pair of an SSH server, that is, the keys at

/etc/ssh/ssh_host_(rsa|dsa|ecdsa|etc)_key

and at

/etc/ssh/ssh_host_(rsa|dsa|ecdsa|etc)_key.pub

are updated, the SSH users should be notified about the server's new public key.

Assuming the email address is stored as the public key comment for each user, is there a way to automatically notify every SSH user of the server key pair change?

Is there a tool that can do this or should I roll my own (shell|python|etc) script?

Utku
  • I think you need a secure way to publish the new key so that the receivers know that the key is genuine. An approach could be to pass the key to a user when he/she connects to the server as long as the old key is used. I don't know if this is implemented somewhere. A problem of the approach is that it only works if users actually connect to the server. – mm759 Feb 26 '17 at 12:32

2 Answers


It could be interesting to note that your DNS server may include SSHFP records. This won't definitively answer your question, although it could be part of your solution:

Whenever your servers' key pairs are changed, you could have some way of updating these DNS records (I do this using puppet). Although last I checked, client integration is still limited.

SYN
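Added example (not code from the answer above or from OpenSSH): it builds the SSHFP records for a host key the way `ssh-keygen -r` does, and checks a presented key against published records the way a client with `VerifyHostKeyDNS yes` would. The hostname, key blobs and email comment are constructed placeholders.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255 / 6594 / 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (legacy), 2 = SHA-256.
FINGERPRINT_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line, hostname):
    """Turn one ssh_host_*_key.pub line into the SSHFP records ssh-keygen -r prints."""
    key_type, b64_blob = pubkey_line.split()[:2]   # the trailing comment (email) is not hashed
    blob = base64.b64decode(b64_blob)              # fingerprint = hash of the raw wire-format blob
    alg = SSHFP_ALGORITHM[key_type]
    return [f"{hostname}. IN SSHFP {alg} {fptype} {h(blob).hexdigest()}"
            for fptype, h in sorted(FINGERPRINT_HASH.items())]


def host_key_matches(pubkey_line, hostname, published_records):
    """Client-side check (what VerifyHostKeyDNS yes does after a DNSSEC-validated lookup):
    accept the presented key only if a published SHA-256 record matches it; SHA-1 is ignored."""
    wanted = {r.lower() for r in sshfp_records(pubkey_line, hostname) if r.split()[4] == "2"}
    return any(r.lower() in wanted for r in published_records)


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data   # SSH wire-format string: 4-byte length + bytes


# Constructed sample keys (NOT real host keys): Ed25519 blobs with placeholder 32-byte points,
# encoded the way OpenSSH writes ssh_host_ed25519_key.pub.
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode() + " admin@example.test"
ROTATED_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()

if __name__ == "__main__":
    records = sshfp_records(SAMPLE_PUBKEY_LINE, "bastion.example.test")
    print("\n".join(records))                      # publish these in the zone after each rotation
    print(host_key_matches(SAMPLE_PUBKEY_LINE, "bastion.example.test", records))   # True
    print(host_key_matches(ROTATED_PUBKEY_LINE, "bastion.example.test", records))  # False
```

Updating the zone with these records at every rotation only helps clients that validate DNSSEC; without it, OpenSSH still prompts the user on a changed key.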

Public keys are just that: public. If you publish the public key information in some alternative way (web page, or sending an email, as you propose), they are all valid. But ... the other peer could be suspicious about this change. Is there a way to confirm that the e-mail you send is legitimate? (maybe, if you use PGP). If you publish your public key on an "official" webpage, does it mean that public key is for real? (maybe, if your homepage hasn't been hacked).

When an SSH client tries to connect after the public key has changed, it knows about it. Maybe just sending an email with a notification about the key change is enough.

Roberto Paz