SSH: The Secure Shell (The Definitive Guide)
Barrett, Silverman, & Byrnes / O’Reilly


Here are a few discussions of perceived problems with SSH protocols or software, and thoughts on addressing them.

hostbased authentication in SSH2

There is an important difference between host-based authentication in protocols 1 and 2: in SSH-2, the authentication request contains the client hostname, whereas in SSH-1 it does not.

Now, the server needs some sort of client host identifier to perform authentication. Specifically, for two operations:

(call these the "HAUTH" process). This means that SSH-1 is constrained to use the client IP address, or a name derived from the address via the naming service, as the identifier. This, in turn, means that RhostsRSA authentication cannot work completely (or at all) in the following common scenarios:

The SSH-2 protocol, on the other hand, does not impose this restriction. The server can can choose to believe the client host's identity solely on the basis of verifying the client host key. Put another way: sshd2 has two candidates at hand for the client identifier: the client IP address or reverse-mapped name (call it CN), and the name supplied by the client in the authentication request (call this CA). sshd2 can simply ignore CN altogether, using CA for HAUTH. Indeed, CA can be chosen from any space of identifiers, not necessarily tied or related to the DNS at all -- though clarity's sake, it probably should be the client's canonical hostname.

As currently implemented, though, SSH2 does not do this. sshd2 uses CN for HAUTH, and only uses CA as a sanity check: if CN != CA, it fails the authentication. This is really backwards, and causes hostbased authentication to be much less useful than it could be, since it continues to not work in the scenarios noted above. Instead, it should use CA for HAUTH, and implement the CA = CN check as a per-host option. That makes sense as an extra bit of security, in cases where it's known that the client host address should never change. This is analogous to public-key user authentication, which is independent of the client address, but which admits optional address-based restrictions via the hosts authorized_keys option.

separation of authentication and authorization

Because of the way SSH implementations have developed, the authentication and authorization functions are hopelessly entangled, making the software much less flexible than it could be. The most glaring example of this are the restrictions available in the authorized_keys file. Using options such as host=... and command=..., you can restrict the source hosts allowed to connect using a particular key, or force a certain program to be run instead of allowing the client to specify one. But because they're implemented in the authorized_keys file, these authorization features are availble only when using public-key authentication -- even though they make perfect sense to use as retrictions to the account, regardless of what method was used to authenticate the client!

The result is that you may be forced to use public-key authentication, even when another method would be more appropriate, just in order to get sufficient control. Perhaps you'd like to use trusted-host authentication for a batch job, or Kerberos because your computing environment supports it -- but the weak authorization controls available for them force you to use public-key anyway. Or perhaps you'd like to bar access to your account via password authentication -- but you can't do that without turning off password authentication for the server as a whole, even though you can prevent access by public-key simply by having no authorized_keys file.

As SSH develops and acquires support for more varied authentication methods, this becomes an ever more annoying hindrance. We suggest that the various authorized_keys, .rhosts, .shosts, .klogin, etc. files should be dropped in favor of a more flexible mechanism that covers all the possible access combinations in a single, convenient place. One might come up with an SSH-specific syntax, or perhaps it would be better to use an existing one (the OpenSSH people are advocating KeyNote, which is used in OpenBSD IPSec software).