Cloud Infrastructure providers, ssh host keys, and you

I think I'm adding a new step to my acceptance procedures for cloud servers: always re-generate the ssh host key. Providers aren't always doing their homework and making sure that the ssh host keys on their customers' servers are properly created.

Recently I've been working on a VM at a new cloud provider, who will remain unnamed for now. At one point I decided I wanted to start from a fresh slate, and had the system re-provision the virtual machine for me. For those not completely familiar, just to be clear: this process involves erasing the "hard drive" of the virtual machine I was using and performing either a re-installation of the operating system or a copy of a disk image with the OS already installed.

This process happened quickly; I was notified that the server was back online, and proceeded to ssh to the server to continue what I was doing. After I logged in, I realized something sort of bad - ssh had not complained about a changed host key for the server, which is the normal result of a re-image or re-install.

A full discussion is outside the scope of this post, but quickly: SSH uses a public/private key pair to authenticate servers and clients to each other, and to provide non-repudiation. These keys are usually generated either at installation time or on the first execution of sshd, to ensure they are unique on each host. There are exceptions to this process, but this is the norm.

What this means is that if somebody else has your host key, they could spoof your connection, or perform a man-in-the-middle attack, potentially gaining passwords or other sensitive data being transmitted between a user's ssh client and server.

Out of curiosity, I used ssh-keyscan to check a few other IPs near my server. I found the same public ssh host key on them, which means the same private key is in place on each of them:

Also interesting, not all hosts had the same public key. I suspect the provider either has different keys in different OS images, or maybe in different parts of their infrastructure.

The provider has been contacted and the vulnerability explained; they are working on a resolution.