2

I have seen people who suggest using a code chunk like this:

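```ruby
require 'net/ssh'

begin
  # host and user stand for the connection details, which the snippet leaves out
  Net::SSH.start(host, user)
rescue Net::SSH::HostKeyError => e
  # Adds the key the server presented to known_hosts, then retries the connection
  e.remember_host!
  retry
end
```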

As the exception type suggests, it's for cases where there's a hostkey mismatch, and it adds the host to known hosts, as far as I understand.

So my question is, isn't it risky to just unconditionally add the host whenever the host isn't recognized? I imagine the host needs to be recognized in order to avoid man-in-the-middle attacks or similar, and just immediately adding any unrecognized hosts seems like a security breach.

Please keep in mind that I am very new to Ruby and know very little about SSH or security in general, so I would appreciate simple explanations. And this is my first Stack Overflow question, so I am sorry if I am violating any guidelines. I wanted to ask this as a comment on a question that was actually using that code chunk, but I didn't have enough reputation.

I'm looking forward to any explanations and thanks in advance.

2 Answers

2

Yes, you're absolutely right! The example code simply bypasses the error.

Which is ok if you're not concerned about which hosts try to connect, and it doesn't mean that SSH in and of itself is insecure.

Sometimes an organisation will add a separate layer of access for increased security, perhaps a VPN to a machine which then does the SSH to the target server... in that case you want to fail on `Net::SSH::HostKeyError`.

But if you're not that concerned, you could use #remember_host! on the error to bypass the raised error.

See this answer on another Stack Exchange site: https://security.stackexchange.com/a/154878

SteveTurczyn
  • My organisation does use a VPN. Again, sorry for being a rookie on this and potentially missing something obvious, but why is it more important to fail on a HostKeyError if you do have a VPN? Wouldn't the extra layer of security added by the VPN mean that you could reasonably be a little less strict on your security elsewhere, allowing things like `remember_host!`? – klausiboy kristensen Aug 14 '20 at 06:42
  • No, you'd want to fail if you're using a VPN because you'd only want the machine you're VPN-accessing to be able to get to the server. Using `remember_host!` would accept anybody, even if they're not coming from the VPN-accessed machine. – SteveTurczyn Aug 14 '20 at 17:49
  • I'm admittedly not sure I get all the details, but I think I get the general idea and concept. Thanks for the explanation, I'm gonna go ahead and accept this answer. On a slightly unrelated note, I'm a little surprised that none of the other answers on other posts that suggest using `remember_host!` are mentioning any of the security risks, since there does seem to be a little risk involved. – klausiboy kristensen Aug 15 '20 at 09:48
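
A stricter alternative to the unconditional `remember_host!` discussed in the question and the answer above, as an added example that is not part of the original thread or of net-ssh: store the key only when it matches a fingerprint obtained out of band. `StubHostKeyError`, its `key_blob` field, `remember_if_pinned` and the host names are assumptions made so the example runs offline.

```ruby
require 'digest'

# OpenSSH-style SHA256 fingerprint ("SHA256:" + unpadded base64 digest) of a
# base64 public key blob, the encoding used in known_hosts entries.
def sha256_fingerprint(key_blob_b64)
  raw = key_blob_b64.unpack1('m0') # strict base64 decode
  'SHA256:' + [Digest::SHA256.digest(raw)].pack('m0').delete('=')
end

# Calls remember_host! only when the presented key matches the fingerprint
# pinned for that host; returns false (and stores nothing) otherwise.
def remember_if_pinned(error, pinned)
  expected = pinned[error.host]
  return false if expected.nil?
  return false unless sha256_fingerprint(error.key_blob) == expected

  error.remember_host!
  true
end

# Hypothetical stand-in for the rescued exception so the example runs offline.
# host, key_blob and remembered are assumed names, not the net-ssh API.
StubHostKeyError = Struct.new(:host, :key_blob, :remembered) do
  def remember_host!
    self.remembered = true
  end
end

# Constructed sample data: these blobs are arbitrary bytes, not real host keys.
GOOD_BLOB  = ['constructed-host-key-A'].pack('m0')
OTHER_BLOB = ['constructed-host-key-B'].pack('m0')
PINNED = { 'build01.example.test' => sha256_fingerprint(GOOD_BLOB) }.freeze

# Returns [decision, remembered?] for three cases: pinned key, changed key,
# and a host with no pin at all.
def demo
  [
    StubHostKeyError.new('build01.example.test', GOOD_BLOB, false),
    StubHostKeyError.new('build01.example.test', OTHER_BLOB, false),
    StubHostKeyError.new('unknown.example.test', GOOD_BLOB, false)
  ].map { |err| [remember_if_pinned(err, PINNED), err.remembered] }
end

p demo if __FILE__ == $PROGRAM_NAME
```

In a real handler the false branch would re-raise the error instead of retrying, so a changed or unpinned key stops the connection.
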
1

It's a good question.

Any library that alters user level settings poses some form of risk. Quite a lot of software depends on similar functionality. Keep in mind storing hosts does affect other applications and not just the one this logic is present in. Opinion: it's not ridiculously dangerous to store this information, but one of the downfalls that comes to mind is that a history of connected hosts could be used by attackers to understand infrastructure the user frequently visits.

benjessop