Discussion
Here are a few discussions of perceived problems with SSH protocols or software, and thoughts on addressing them.
There is an important difference between host-based authentication in
protocols 1 and 2: in SSH-2, the authentication request contains the
client hostname, whereas in SSH-1 it does not.
Now, the server needs some sort of client host identifier to perform
authentication. Specifically, for two operations:
As currently implemented, though, SSH2 does not do this. sshd2 uses
CN for HAUTH, and only uses CA as a
sanity check: if CN != CA, it fails
the authentication. This is really backwards, and causes hostbased
authentication to be much less useful than it could be, since it continues
to not work in the scenarios noted above. Instead, it should use
CA for HAUTH, and implement the CA =
CN check as a per-host option. That makes sense as an
extra bit of security, in cases where it's known that the client host
address should never change. This is analogous to public-key user
authentication, which is independent of the client address, but which
admits optional address-based restrictions via the hosts
authorized_keys option.
Because of the way SSH implementations have developed, the
authentication and authorization functions are hopelessly entangled,
making the software much less flexible than it could be. The most glaring
example of this are the restrictions available in the authorized_keys
file. Using options such as host=... and command=...,
you can restrict the source hosts allowed to connect using a particular
key, or force a certain program to be run instead of allowing the client
to specify one. But because they're implemented in the authorized_keys
file, these authorization features are availble only when using
public-key authentication -- even though they make perfect sense to use as
retrictions to the account, regardless of what method was used to
authenticate the client!
The result is that you may be forced to use public-key authentication,
even when another method would be more appropriate, just in order to get
sufficient control. Perhaps you'd like to use trusted-host authentication
for a batch job, or Kerberos because your computing environment supports
it -- but the weak authorization controls available for them force you to
use public-key anyway. Or perhaps you'd like to bar access to your account
via password authentication -- but you can't do that without turning off
password authentication for the server as a whole, even though you
can prevent access by public-key simply by having no
authorized_keys file.
As SSH develops and acquires support for more varied authentication
methods, this becomes an ever more annoying hindrance. We suggest that
the various authorized_keys, .rhosts, .shosts, .klogin, etc. files should
be dropped in favor of a more flexible mechanism that covers all the
possible access combinations in a single, convenient place. One might
come up with an SSH-specific syntax, or perhaps it would be better to use
an existing one (the OpenSSH people are advocating KeyNote, which is used
in OpenBSD IPSec software).
(call these the "HAUTH" process). This means that SSH-1 is constrained to use
the client IP address, or a name derived from the address via the naming
service, as the identifier. This, in turn, means that RhostsRSA
authentication cannot work completely (or at all) in the following common
scenarios:
The SSH-2 protocol, on the other hand, does not impose this restriction.
The server can can choose to believe the client host's identity solely on
the basis of verifying the client host key. Put another way: sshd2 has
two candidates at hand for the client identifier: the client IP address or
reverse-mapped name (call it CN), and the name supplied
by the client in the authentication request (call this
CA). sshd2 can simply ignore CN
altogether, using CA for HAUTH. Indeed,
CA can be chosen from any space of identifiers, not
necessarily tied or related to the DNS at all -- though clarity's sake, it
probably should be the client's canonical hostname.