
validating virtual machine host automatically with fingerprint and something else

I've been researching various methods to validate a remote SSH server (virtual machine) automatically and remotely. They all seem to have the same conclusion, namely that the host key needs to be verified through some sort of secure channel (offline, through a control panel over TLS, or whatever).

Since most cloud vendors seem to provide an API mechanism for executing code during VM setup (thereby transmitted via TLS for example), would it be an improvement to security to have the cloud vendor write a UUID or some other long randomized key or string to the file system which I could check after authenticating with a key pair?

Does this add any value, or is it just obfuscation? Does anything change if I were to not use DNS hostnames at all?

My main goal is to avoid the maintenance of infrastructure...is this type of thing even possible then?


1 Answer

I think you are looking in the wrong direction for a solution.

To provide an "easy" solution when you frequently roll out VMs and want to avoid having to manually inspect each new server's key fingerprint for validity whenever you make the first connection to a new VM, I think you have two different potential solutions. Both expand on your thought of using "user data" to customize the VM on roll-out:

  1. Rather than having each server generate its own random server keypair at first boot, you can pre-create a keypair, sign the public key with your own CA and then deploy that server keypair to the new VM.
    See https://serverfault.com/a/954138/37681

  2. Alternatively, you can insert a script that, after deployment and once the new server has finished generating its new key pair, uploads the key fingerprint into DNS. You can then use the VerifyHostKeyDNS directive to validate the fingerprint automatically. See RFC 4255.

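The SSHFP route in option 2, worked through as an added example that is not part of the answer above. The script below does what `ssh-keygen -r` does on the VM side (hash the raw public key blob and emit an SSHFP record, RFC 4255 with the SHA-256 type from RFC 6594 and the Ed25519 algorithm number from RFC 7479) and, on the client side, the comparison that `ssh` performs with `VerifyHostKeyDNS`. The hostname, key bytes and record values are constructed for the example; the mismatched-type check exists because the hash covers the blob, so a line whose declared type disagrees with the blob must not be published. One caveat in my own words, not the answer's: `ssh` only trusts an SSHFP match silently when the resolver returns a DNSSEC-validated answer; an unsigned answer is treated as if the option were `ask`.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_SHA1, FP_SHA256 = 1, 2


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def parse_host_key(line: str) -> tuple[str, bytes]:
    """Parse one 'type base64 [comment]' line as found in /etc/ssh/ssh_host_*_key.pub.

    Returns (key_type, key_blob). The SSHFP hash is computed over the blob, so a
    line whose declared type disagrees with the type embedded in the blob is rejected.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type in blob does not match declared type")
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    return key_type, blob


def sshfp_fingerprint(blob: bytes, fp_type: int = FP_SHA256) -> str:
    """Hex fingerprint of the raw key blob, exactly what ssh-keygen -r publishes."""
    if fp_type == FP_SHA256:
        return hashlib.sha256(blob).hexdigest()
    if fp_type == FP_SHA1:
        return hashlib.sha1(blob).hexdigest()
    raise ValueError(f"unsupported SSHFP fingerprint type {fp_type}")


def sshfp_record(hostname: str, line: str, fp_type: int = FP_SHA256) -> str:
    """Zone-file SSHFP record for one host key, ready for nsupdate or a DNS provider API."""
    key_type, blob = parse_host_key(line)
    alg = SSHFP_ALGORITHM[key_type]
    return f"{hostname}. IN SSHFP {alg} {fp_type} {sshfp_fingerprint(blob, fp_type)}"


def host_key_matches_dns(line: str, records: list[tuple[int, int, str]]) -> bool:
    """Client-side check: does the key the server presented match any
    (algorithm, fp_type, hex_fingerprint) tuple fetched from DNS?"""
    key_type, blob = parse_host_key(line)
    alg = SSHFP_ALGORITHM[key_type]
    for rec_alg, rec_fp_type, rec_hex in records:
        if rec_alg != alg or rec_fp_type not in (FP_SHA1, FP_SHA256):
            continue  # record is for another algorithm or an unknown hash; skip it
        if hmac.compare_digest(sshfp_fingerprint(blob, rec_fp_type), rec_hex.lower()):
            return True
    return False


# Constructed sample host key (not a real server's key): an Ed25519 blob is the
# wire string "ssh-ed25519" followed by the 32-byte public key as a wire string.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@vm-1"
# A different key, to show the DNS check rejecting it (also constructed).
OTHER_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
OTHER_LINE = "ssh-ed25519 " + base64.b64encode(OTHER_BLOB).decode()
# Same blob, wrong declared type: must be rejected rather than published.
MISMATCHED_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    rec = sshfp_record("vm-1.example.com", SAMPLE_LINE)
    print(rec)
    alg, fp_type, hexfp = rec.split()[3:]
    dns = [(int(alg), int(fp_type), hexfp)]
    print("presented key matches DNS:", host_key_matches_dns(SAMPLE_LINE, dns))
    print("other key matches DNS:", host_key_matches_dns(OTHER_LINE, dns))
```

On the VM the first function is what the post-boot script would run over each `/etc/ssh/ssh_host_*_key.pub` before pushing the lines to the DNS API; the client-side function is only there to make visible what `ssh` itself does once `VerifyHostKeyDNS` is on.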
  • Thanks for answering. I think I came across option 1) where someone described it as the onerous activity of setting up a CA chain. I'm open to this if needed, but I'd like to keep things as simple as possible. I guess this isn't as simple as "just" supplying the key pair during boot up, and requires the CA for this? I'm controlling DNS through the vendor's API, so it sounds like maybe 2) is a better arrangement, though I then need to learn about DNSSEC. I guess this option requires the VM to have the API token to configure the DNS vendor correctly? – Brian Apr 05 '19 at 13:54
  • Take a step back and consider if you want to spend a bit of effort to prove the validity of, or keep in a system of record, SSH host keys. If you want to, then worry about implementation details like how to properly maintain a PKI, or if nsupdate can send SSHFP records to your DNS. The status quo is to blindly trust the host key, which doesn't verify anything. – John Mahowald Apr 07 '19 at 03:08
  • I'm trying to minimize infrastructure, and I would say that is a cornerstone in my requirements. Status quo is roughly how I've done SSH so far and with a password, but I think I can do better than that, hence why I've opened a few questions around this. – Brian Apr 07 '19 at 18:23