SSH host keys not verifiable

Bug #238869 reported by Andrew Bennetts
This bug affects 24 people
Affects           Status    Importance  Assigned to  Milestone
Launchpad itself  Triaged   Low         Unassigned

Bug Description

On #launchpad:

< aantn> hello
< aantn> I get the following warning when using bzr to connect to launchpad:
< aantn> The authenticity of host 'bazaar.launchpad.net (91.189.94.254)' can't be established.
< aantn> It's on a fresh hardy install
< aantn> should I be concerned about the lack of authentication

We should display the SSH host key fingerprint on the Launchpad or Launchpad Help site somewhere, where it can be served via HTTPS and so trusted. (If such a page already exists I cannot find it, which would be a bug in itself.)

For bonus points, we could include the public key in Ubuntu, so fresh Ubuntu installs will automatically know which host key to trust for bazaar.launchpad.net ;)

Andrew Bennetts (spiv)
Changed in launchpad-bazaar:
importance: Undecided → Low
Changed in launchpad-bazaar:
status: New → Confirmed
Vernon Cole (vernondcole) wrote :

I have spent all afternoon hunting this one down, including installing a new version of Bazaar, registering every conceivable key in launchpad, etc. Very frustrating.
  I am running Windows XP professional with PuTTY 0.60 and four versions of Python. For simplicity, I installed Bazaar from bzr-setup-1.9.exe.

v v v v v Begin screen dump v v v v v v
D:\>bzr branch lp:storm
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 1024 9d:38:3a:63:b1:d5:6f:c4:44:67:53:49:2e:ee:fc:89
Connection abandoned.
bzr: ERROR: Connection closed: please check connectivity and permissions (and tr
y -Dhpss if further diagnosis is required)
^ ^ ^ ^ ^ ^ end screen dump ^ ^ ^ ^ ^ ^ ^ ^

Note that I have no way of *accepting* a connection, nor do I know *where* the connection is going. When I finally located this bug report, it gave me enough information to concoct the following workaround:

v v v v v v begin workaround v v v v v v v
D:\>plink <email address hidden> ls
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 1024 9d:38:3a:63:b1:d5:6f:c4:44:67:53:49:2e:ee:fc:89
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
Not allowed to execute 'ls'.
^ ^ ^ ^ ^ ^ end workaround ^ ^ ^ ^ ^ ^ ^ ^ ^

This should be taken care of at installation time somehow.
--
Vernon Cole

Martin Pool (mbp) wrote :

See also bug 296110, which is specifically about bzr including the Launchpad keys in its installation.

There seem to be a couple of things here:

 * The Launchpad SSH key should be published on the web, on a https url that's not publicly updatable (so not a wiki). This should be easy. We should publish both the fingerprint and the key.

 * We should document how to add the Launchpad host pubkey to putty; apparently (because of windows tty-like handling) it's not easy to do it on the first time you access Launchpad from bzr. I'm surprised more people haven't hit it.

 * We should include the host key in bzr and/or Ubuntu. (bug 296110)

Martin Pool (mbp) wrote :

"how to add the Launchpad host key"... and also to openssh. It's not obvious to me how you can do that other than by accepting the key on the first connection.

Martin Pool (mbp) wrote :

We could also add an SSHFP DNS record; see <http://tools.ietf.org/html/rfc4255>. I'm not sure if that would be trusted in practice by most users.
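The three points raised in this thread (publish the fingerprint and the key over HTTPS, pin the key into a client's known-hosts store, and optionally advertise it as an SSHFP record) all reduce to the same operation: hashing the SSH wire-format public key blob. The following is an added example, written for this page and not code from the bug report, from Launchpad, from bzr or from PuTTY. It uses only the Python standard library; the RSA modulus inside it is a constructed placeholder derived from a fixed string and is not Launchpad's host key (nor a valid RSA key at all, which does not matter for fingerprinting). Host names and key comments are illustrative.

```python
"""Host-key fingerprint / SSHFP helpers (added example, not from the bug report).

Everything here is built from the RFC 4251 wire format of a public key:
  - fingerprint_md5 / fingerprint_sha256 reproduce the strings OpenSSH and
    PuTTY print in their "authenticity can't be established" prompts,
  - fingerprint_matches checks a prompt value against a published one,
  - sshfp_record renders the DNS record from RFC 4255 (SHA-256 type: RFC 6594),
  - known_hosts_line produces the entry that pins the key for OpenSSH.
"""
import base64
import hashlib
import struct

# RFC 4255 / RFC 6594 SSHFP code points.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 if high bit set)."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def demo_pubkey_line() -> str:
    """A constructed ssh-rsa line in the 'type base64 comment' style.

    The modulus is derived from a fixed string and is NOT a real RSA key;
    fingerprinting only hashes the encoded blob, so that does not matter here.
    """
    seed = hashlib.sha512(b"constructed demo modulus, not a real key").digest()
    n = int.from_bytes(seed * 2, "big") | (1 << 1023) | 1   # force 1024 bits, odd
    blob = rsa_public_blob(65537, n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " demo@example"


def parse_pubkey_line(line: str):
    """Return (key_type, blob) from 'type base64 [comment]'; check type matches blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode("ascii"):
        raise ValueError("key type field does not match blob")
    return key_type, blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 form shown by older OpenSSH and by PuTTY."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH >= 6.8 form: 'SHA256:' + unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_matches(published: str, blob: bytes) -> bool:
    """Compare a published fingerprint string against a key blob.

    Accepts the bare MD5 form, an 'MD5:' prefix, the SHA256 form, and the
    'ssh-rsa 1024 aa:bb:...' line PuTTY prints (the digest is the last token).
    """
    token = published.strip().split()[-1]
    if token.upper().startswith("MD5:"):
        token = token[4:]
    if token.startswith("SHA256:"):
        return token == fingerprint_sha256(blob)
    return token.lower() == fingerprint_md5(blob)


def sshfp_record(hostname: str, key_type: str, blob: bytes, fptype: str = "sha256") -> str:
    """Render the SSHFP RR (RFC 4255; SHA-256 fingerprint type from RFC 6594)."""
    algo = SSHFP_ALGORITHM[key_type]
    fp = SSHFP_FPTYPE[fptype]
    digest = hashlib.new(fptype, blob).hexdigest()
    return f"{hostname.rstrip('.')}. IN SSHFP {algo} {fp} {digest}"


def known_hosts_line(hostname: str, key_type: str, blob: bytes) -> str:
    """Plain (non-hashed) known_hosts entry that pins this key for the host."""
    return f"{hostname} {key_type} {base64.b64encode(blob).decode('ascii')}"


if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(demo_pubkey_line())
    print("MD5    :", fingerprint_md5(blob))
    print("SHA256 :", fingerprint_sha256(blob))
    print(sshfp_record("bazaar.launchpad.net", key_type, blob))
    print(known_hosts_line("bazaar.launchpad.net", key_type, blob))
```

A user who sees the prompt quoted earlier in this thread would paste the fingerprint it shows into `fingerprint_matches` together with the key published on the HTTPS page; a match means the connection can be accepted, and the `known_hosts_line` output is what gets written into `~/.ssh/known_hosts` so the question never comes up again. The SSHFP output is only as trustworthy as the DNS answer that carries it: OpenSSH treats SSHFP as authoritative only when the response is DNSSEC-validated, which is the practical limit Martin Pool alludes to.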

Vernon Cole (vernondcole) wrote : Re: [Bug 238869] Re: codehosting ssh host key not verifiable

You think on a higher level than I. My idea was something like "tickling"
bazaar.launchpad.net at install time so that the cache would be pre-loaded.
When I think about it, though, I believe that PuTTY uses the *users*
registry area, so that would not work for a multi-user situation. That means
the probe would have to be done at run time, after Bazaar realizes that it
is using launchpad. The quickest and dirtiest way to handle it would be to
patch an error message to tell the user what command to type before retrying
bzr.
  I wonder if there is a plink command line switch which would make the
attempt at user interaction go away?
--
Vernon

On Thu, Nov 13, 2008 at 6:07 PM, Martin Pool <email address hidden> wrote:

> We could also add an SSHFP DNS record; see
> <http://tools.ietf.org/html/rfc4255>. I'm not sure if that would be
> trusted in practice by most users.
>
> --
> codehosting ssh host key not verifiable
> https://bugs.launchpad.net/bugs/238869
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Martin Pool (mbp) wrote : Re: codehosting ssh host key not verifiable

The fact that plink just refuses to connect if the host key is not known is bzr bug 237297, and there's a workaround there: run plink interactively once.

Jonathan Lange (jml) wrote :

This bug also affects the poppy sftp server.

tags: added: poppy sshserver
summary: - codehosting ssh host key not verifiable
+ SSH host keys not verifiable
Changed in soyuz:
status: New → Triaged
importance: Undecided → Low
Joshua Rocky Tuahta Purba (jrocky) wrote :

How strange that this has not been resolved yet.

I was reading the Ubuntu Packaging Guide, more specifically, in the chapter: Getting the Source, part: Getting the trunk branch. (See http://developer.ubuntu.com/packaging/html/udd-getting-the-source.html#getting-the-trunk-branch).

So I was doing this, in terminal:

$ bzr branch ubuntu:tomboy tomboy.dev
The authenticity of host 'bazaar.launchpad.net (91.189.95.84)' can't be established.
RSA key fingerprint is 9d:38:3a:63:b1:d5:6f:c4:44:67:53:49:2e:ee:fc:89.
Are you sure you want to continue connecting (yes/no)?

That link above (udd-getting-the-source.html) does not show how to verify this "RSA key fingerprint".
Only from comment #1 above I can see the fingerprint, and that wasn't even published by Canonical.

Vinipsmaker (vinipsmaker) wrote :

A bug from 2008 that could be easily fixed marked with "low importance".

It's an important security enhancement.

Changed in launchpad:
assignee: nobody → nqt (nguyenquocthai06101973)
status: Triaged → In Progress
William Grant (wgrant)
Changed in launchpad:
assignee: nqt (nguyenquocthai06101973) → nobody
status: In Progress → Triaged
Changed in launchpad:
status: Triaged → In Progress
status: In Progress → Fix Committed
assignee: nobody → nqt (nguyenquocthai06101973)
William Grant (wgrant)
Changed in launchpad:
assignee: nqt (nguyenquocthai06101973) → nobody
status: Fix Committed → Triaged
Vagrant Cascadian (vagrantc) wrote :

I don't know if this was ever fixed for bazaar, but I'm now encountering the same issue with git.launchpad.net and being unable to verify the host keys.

While I'd love for something like monkeysphere signed keys:

  web.monkeysphere.info

The OpenPGP web of trust is probably not strong enough for most users.

It's been proposed *years* ago to host a webpage with the appropriate ssh keys... at the very least that would be *something*.

Leaving users of launchpad open to MITM attacks is a bit unfortunate...

Colin Watson (cjwatson) wrote :

I've added https://help.launchpad.net/SSHFingerprints and linked to it in a few places. It's not great, but as you say it's at least something.

Stéphane Gourichon (stephane-gourichon-lpad) wrote :

@cjwatson: thanks for the workaround (per comment #11).

Fully agreed with @vinipsmaker: "It's an important security enhancement."
