How do you authenticate a linode to prevent MITM attacks?
Hello,
How do you verify the authenticity of your linode's when you connect for the first time?
I find the official advice in the getting started article to be a bit cavalier:
If this is the first time connecting to your Linode, you’ll see the authenticity warning below. This is because your SSH client has never encountered the server’s key fingerprint before. Type yes and press Enter to continue connecting.
Is the risk of a MITM attack really not high enough to warrant consideration? Is there some quick and easy way to crosscheck the key fingerprint provided by the SSH warning?
I've been using the Lish gateway to fetch the public SSH keys of my linodes as a means to authenticate them before connecting directly.
This is not quick or easy since I haven't been able to automate the access to Lish. First, I SSH into the Lish gateway and enter the target linode. Then I log into the linode as root, and use cat /etc/ssh/ssh_host_ecdsa_key.pub to print the public key (after resizing the Lish terminal by running and closing nano, there's a bug in Lish that requires this). Then I add this key to my known_hosts file.
Any server claiming to be the linode will need to own the matching private key, thereby authenticating itself.
Are the SSH public keys the only way to authenticate a linode when connecting?
Can anyone share their (preferably automated) workflow for authenticating their linodes?
Thank you for entertaining my questions!
1 Reply
jdutton
Linode Staff
✓ Best Answer
Hey @erikn. We appreciate the feedback on this. The language used in the Getting Started guide you reference is designed to quickly describe SSH prompts for beginner users, but we understand where you’re coming from. We put security at the forefront of everything we do, and certainly don't want anyone to think we take a cavalier approach to it.
While we don’t have a native way to automatically provide a fingerprint for your Linode upon deployment, one could use a StackScript to perform any number of actions to verify your Linode’s authenticity. The only limitation is your imagination. For example, one could:
- Create/write to a file for verification after your first connection
ie:ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key >> somefile
This could even be a file such as /etc/issue, which would print the key to your Linode’s login prompt - Locally generate your own key pair and use StackScript UDFs to overwrite the pub keys of the new Linode
- Have your Linode back-connect to another service for authentication
I also want to address a couple of your other outstanding questions directly:
Is the risk of a MITM attack really not high enough to warrant consideration?
While theoretically possible, the risk of an adversary performing a MitM attack on a newly deployed Linode is no greater than essentially any other service you can find on the internet. In our experience we do not see customers targeted by MitM attacks; especially not those that would hijack a Linode’s public IP address.
Are the SSH public keys the only way to authenticate a linode when connecting?
There are a few other methods you can use. Other than the Lish method you mentioned, passwords, host-based authentication, and key pairs are available options in terms of establishing a secure connection from the get-go. You could technically automate the Lish process through a script and connecting through the Lish SSH gateway.
For reference, this other Community post talks about verifying host authenticity and links to another article about how to check SSH key fingerprints step-by-step.