Multiple hostkey support for SSHServer

Posted: 07/20/2015 07:34:56
by Maarten van Bergen (Priority Standard support level)
Joined: 10/15/2013
Posts: 3

We're in the process of changing our SSH Server hostkey to a new one with a bigger key size. Due to existing clients connecting to our server that cannot change our hostkey all at the same time, we're looking for a mechanism where we can offer our existing hostkey or our new hostkey based on the client connecting.

Is there a possibility in the TElSSHServer class where we can make a decision based on the client connecting to return the proper hostkey?

Posted: 07/20/2015 07:40:59
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

You can handle one of TElSSHServer events (TElSSHServer.OnAuthPublicKey etc.) and change TElSSHServer.KeyStorage content depending on your decision.

A reference to TElSSHServer can be retrieved by type-casting the Sender parameter inside event handlers.

Posted: 07/20/2015 08:11:21
by Vsevolod Ievgiienko (Team)

P.S. The client's username can be retrieved using the TElSSHServer.Username property.

Posted: 07/20/2015 10:45:03
by Maarten van Bergen (Priority Standard support level)
Joined: 10/15/2013
Posts: 3

Hi, thanks for your quick reply. I did try this already, but it seems the exchange of the hostkey happens earlier in the handshake between client and server. Using FileZilla with full tracing I can show this:

--> Opening connection
Trace: Server version: SSH-2.0
Trace: Using SSH protocol version 2
Trace: We claim version: SSH-2.0-PuTTY_Local:_Aug_28_2011_23:18:38
Trace: Doing Diffie-Hellman group exchange
Trace: Doing Diffie-Hellman key exchange with hash SHA-1

--> Hostkey is being sent
Trace: Host key fingerprint is:
Trace: ssh-rsa 4096 11:b3:16:95:3b:14:38:15:f5:fa:f7:13:52:9a:1c:6b
Trace: Initialised AES-256 SDCTR client->server encryption
Trace: Initialised HMAC-SHA1 client->server MAC algorithm
Trace: Initialised AES-256 SDCTR server->client encryption
Trace: Initialised HMAC-SHA1 server->client MAC algorithm
Trace: Successfully loaded 2 key pairs from file
Trace: Offered public key from "cert.ppk"

--> SSHServer_OnAuthPublicKey being called.
Trace: Offer of public key accepted, trying to authenticate using it.
Trace: Access granted
Trace: Opened channel for session

As you can see the host key has already been sent before the OnAuthPublicKey event. I tried to find an event earlier in the key exchange, but have not found it yet.

Do you know if there is an earlier event where we can intercept the host key exchange?

Posted: 07/20/2015 16:30:01
by Vsevolod Ievgiienko (Team)

I'm sorry, my suggestion was incorrect and based on quick code review. Indeed, there is no event that can be fired before the key is sent.

Currently the only way is to adjust TElSSHServer.KeyStorage right after the connection is accepted on the socket layer and before TElSSHServer.Open is called.

Posted: 07/21/2015 04:06:26
by Maarten van Bergen (Priority Standard support level)
Joined: 10/15/2013
Posts: 3

Thanks for getting back on this one. This was also my alternative solution; it is only a bit more complex, as I have to make a decision based on the client IP address instead of the client user logging in.
I'm sure I can make this work, however, so thanks for your help in this matter.
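The approach the thread settles on, as an added example that is not EldoS/SecureBlackbox code and not the poster's implementation: because the host key goes out during key exchange, before any authentication event can fire, the key must be chosen per connection from the peer address at accept time, before the server's Open is called. The HostKey type, the key placeholders, the network list and the cut-off date are all assumptions standing in for whatever the real KeyStorage holds.

```python
"""Pick the SSH host key per connection at TCP-accept time, before the
handshake starts: the host key is sent during key exchange, so no
authentication-stage event (where the username is known) is early enough.

Added example; names are hypothetical stand-ins for the real key objects."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class HostKey:
    name: str   # label only; stands in for a loaded key pair
    bits: int


OLD_KEY = HostKey("old-rsa", 2048)   # constructed placeholder values
NEW_KEY = HostKey("new-rsa", 4096)


class HostKeyPolicy:
    """Serve the legacy key only to known stragglers, and only until a cut-off."""

    def __init__(self, legacy_nets, cutoff: date):
        # Hosts/networks still pinned to the old key; /32 entries are allowed.
        self.legacy_nets = [ip_network(n, strict=False) for n in legacy_nets]
        self.cutoff = cutoff          # after this date everyone gets the new key
        self.legacy_hits = []         # audit trail of peers still on the old key

    def select(self, client_ip: str, today: date) -> HostKey:
        addr = ip_address(client_ip)
        if today < self.cutoff and any(addr in net for net in self.legacy_nets):
            self.legacy_hits.append(client_ip)
            return OLD_KEY
        return NEW_KEY                # default: the stronger key


def on_accept(policy: HostKeyPolicy, client_ip: str, today: date,
              key_storage: list) -> list:
    """Run after the socket is accepted and before Open(): replace the key
    storage contents with the single host key chosen for this peer."""
    key_storage.clear()
    key_storage.append(policy.select(client_ip, today))
    return key_storage
```

Peers behind one NAT address cannot be told apart this way, so the allowlist granularity is the source network, not the user; the recorded legacy hits show which sources still need migrating before the cut-off.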