mjochim | 2 years ago

That is correct. And still, many, many devs and admins would do exactly that. Which is why in many, many cases, TOFU really isn't TOFU but "trust whatever."

When designing or evaluating security, one should not ignore that this is a part of reality.

arp242 | 2 years ago

That's a bit of a different issue from the "Let’s say you’re on a fresh machine" that this article is about.

I agree that "automatic trust on first use" is "good enough" for most cases and people (especially with sshfp records), and to be honest I think the warning you get once that fails is strong enough:

  % git clone git@github.com:madmurphy/libconfini.git
  Cloning into 'libconfini'...
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  It is also possible that a host key has just been changed.
  The fingerprint for the ED25519 key sent by the remote host is
  SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU.
  Please contact your system administrator.
  Add correct host key in /home/martin/.ssh/known_hosts to get rid of this message.
  Offending ED25519 key in /home/martin/.ssh/known_hosts:118
  Host key for github.com has changed and you have requested strict checking.
  Host key verification failed.
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.

It's a strong warning, with a manual fix that's more than "just press ok" (probably intentionally), and if you choose to ignore that then that's your problem.

I'm not really sure what could be done better? A centralized https-like system comes with its own downsides.

(The only complaint is that last "Please make sure you have the correct access rights and the repository exists" line, which is from git and not ssh, and a tad confusing; maybe it's possible for git to do better here?)

SoftTalker | 2 years ago

That warning IMO is over the top and too long. All that noise with key fingerprints and filenames makes the eyes glaze over. Any user who knows what a "key fingerprint" is will be able to find and compare them if they are interested. The message should just say something like:

  WARNING: Remote host identification has changed.
  If you did not expect this, verify this change with the remote system administrator before proceeding.

Ideally the message should be able to be customized so that organizations who provision computers for their employees could include e.g. the phone number or email address for the internal help desk.