3

I recently came across a question on stackoverflow.com regarding gitlab.com and ssh config. The solution apparently is to update your ssh config with the following:

Host gitlab.com
    UpdateHostKeys no

Unfortunately the author of the top/only answer did not explain anything about if there were negative security implications. Also unfortunately when I read the man page for ssh_config section on UpdateHostKeys I was not able to deduce whether there was negative security implications.

Are there any negative consequences if you change your ssh config for a host with UpdateHostKeys no?

p.s. maybe changing it to ask is "better" (but i'm not sure that would even work)?

Trevor Boyd Smith
  • 236
  • 1
  • 7

1 Answers1

4

From the documentation:

Additional hostkeys are only accepted if the key used to authenticate the host was already trusted or explicitly accepted by the user.

This means it will not accept arbitrary host keys from anybody but only accept these keys from an already trusted host. The idea behind this option is also clearly explained:

... learning alternate hostkeys ... graceful key rotation by allowing a server to send replacement public keys before old ones are removed.

Since the option does not introduce any security problems it is also enabled by default:

UpdateHostKeys is enabled by default if the user has not overridden the default UserKnownHostsFile setting, otherwise UpdateHostKeys will be set to ask.

The reason that it is not enabled when the user defines its own UserKnownHostsFile is probably because in this case it can be assumed that the known hosts are managed not only by ssh itself and that ssh will not infer with this external management by default.

The also means that UpdateHostKeys no will not by itself introduce new security problems. It might make the time harder for the user though in that it will fail to connect to systems when they've rotated their host keys. Instead the user then needs to manually accepted the new host key, and this might lead to a security problem if the user blindly trusts the presented host key instead of properly verifying it. Thus UpdateHostKeys yes can actually improve security by automatically updating a trust relationship instead of asking the user to manually (and maybe wrongly) doing this.

I don't understand though how UpdateHostKeys no fixes a specific problem - and unfortunately you only show the proposed solution and not the problem it was claimed to solve.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • RE `unfortunately you only show the poposed solution`: i forgot to add a link to the specific problem. but i just added the link to the full explanation of the problem: https://stackoverflow.com/questions/67401049/pulling-from-git-fails-and-gives-me-following-error-client-global-hostkeys-priv – Trevor Boyd Smith Aug 05 '21 at 14:00
  • RE `UpdateHostKeys is enabled by default`: on CENTOS7 my man page for `ssh_config` has `UpdateHostKeys ... must be yes, no (the default) or ask`. when i was working the issue i was on cygwin. – Trevor Boyd Smith Aug 05 '21 at 14:05
  • 1
    @TrevorBoydSmith: Looks like the behavior was changed with OpenSSH 8.5, i.e. it is now enabled by default but wasn't before. From the [release notes](https://www.openssh.com/txt/release-8.5): *This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms.* – Steffen Ullrich Aug 05 '21 at 15:00
  • RE default changed in version 8.5: well. there you have it centos7 is famous for having old versions. centos7 has openssh version 7.4 and thus the default is `no`. cygwin probably is newer and has default set ot `yes`. – Trevor Boyd Smith Aug 05 '21 at 18:24