{"id":973,"date":"2024-09-06T14:39:49","date_gmt":"2024-09-06T12:39:49","guid":{"rendered":"https:\/\/www.cipv6.de\/worp\/?p=973"},"modified":"2024-12-16T10:26:57","modified_gmt":"2024-12-16T09:26:57","slug":"manual-steps-for-certificate-based-ssh-communication","status":"publish","type":"post","link":"https:\/\/www.cipv6.de\/worp\/index.php\/2024\/09\/06\/manual-steps-for-certificate-based-ssh-communication\/","title":{"rendered":"Lab setup: Secure your SSH communication with certificates"},"content":{"rendered":"\n

When you Ssh the first time to a host the screen shows something like:<\/p>\n\n\n\n

ssh test@10.50.100.110\nThe authenticity of host '10.50.100.110 (10.50.100.110)' can't be established.\nED25519 key fingerprint is SHA256:jCJ0TIJkKnjgu3RTv5eGER7p4IN5Tb\/JpTEVJNMfpMs.\nThis key is not known by any other names\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])?<\/code><\/pre>\n\n\n\n
Be honest: Do you just accept the shown Fingerprint of the remote host or do you really doublecheck the presented fingerprint before you accept  ?<\/p>\n\n\n\n
My guess: Most of the time the presented fingerprint gets accepted without any additional check. <\/em><\/p>\n\n\n\n
This procedure is called TOFU<\/strong> (T<\/strong>rust O<\/strong>n F<\/strong>irst U<\/strong>se).
TOFU<\/strong> assumes that the first time you connect to a server, the server\u2019s key is trustworthy. However, this can leave you vulnerable to man-in-the-middle attacks if an attacker intercepts the initial connection. The attacker grabs your user\/password credentials and can get access.<\/p>\n\n\n\n
Here are some implementations who are using TOFU:<\/p>\n\n\n\n
Android Enterprise Networks<\/strong>: Android supports TOFU for enterprise networks by allowing devices to trust an enterprise network by installing the root CA used by the server and setting its domain name in a saved network.<\/p>\n\n\n\n
Signal<\/strong>: In Signal, endpoints initially trust the identifier blindly and display non-blocking warnings when it changes. Users can verify the identifier by scanning a QR code or exchanging a Safety Number, which then changes the nature of identifier change warnings from non-blocking to blocking.<\/p>\n\n\n\n
WhatsApp<\/strong>: WhatsApp clients initially trust the identifier blindly and, by default, do not display warnings when the identifier changes. Users can enable non-blocking warnings by accessing the key fingerprint (called Security Code) and verifying it.<\/p>\n\n\n\n
XMPP Client Conversations<\/strong>: This client uses Blind Trust Before Verification, where all identifiers are blindly trusted until the user authenticates endpoints by scanning a QR code. Once verified, the client displays a shield symbol for authenticated messages.<\/p>\n\n\n\n
<\/p>\n\n\n\n
By using certificates for SSH authentication, you can eliminate the risks associated with<\/em><\/strong> TOFU<\/strong>. Key approval (and distribution)\u00a0is no more necessary with certificate-based Ssh.

Certificates provide a more robust and secure method of verifying identities, ensuring that both the client and server can trust each other without relying on the initial Ssh-connection\u2019s integrity.<\/p>\n\n\n\n
 This lab-setup is based on the open-source version of Smallstep<\/a>, a powerful tool that simplifies the process of managing and issuing certificates.
Want to test cert-based ssh without smallstep ? go ahead, here are some getting started urls:
https:\/\/goteleport.com\/blog\/how-to-configure-ssh-certificate-based-authentication\/<\/a>
https:\/\/blog.habets.se\/2011\/07\/OpenSSH-certificates.html<\/a>
https:\/\/www.sweharris.org\/post\/2016-10-30-ssh-certs\/<\/a>
<\/p>\n\n\n\n
Before we dive into the lab, let\u2019s first take a look at some key pros and cons related to this topic.

Advantages when using certificate-based ssh:<\/em><\/strong><\/p>\n\n\n\n