Comment by dlenski

5 days ago

SSH is an incredibly versatile and useful tool, but many things about the protocol are poorly designed, including its essentially made-up-as-you-go-along wire formats for authentication negotiation, key exchange, etc.

In 2024-2025, I did a survey of millions of public keys on the Internet, gathered from SSH servers and users in addition to TLS hosts, and discovered—among other problems—that it's incredibly easy to misuse SSH keys in large part because they're stored "bare" rather than encapsulated into a certificate format that can provide some guidance as to how they should be used and for what purposes they should be trusted:

https://cryptographycaffe.sandboxaq.com/posts/survey-public-....

That's the point, though. An SSH key gives authentication, not authorization. Generally a certificate is a key signed by some other mutually trusted authority, which SSH explicitly tried to avoid.

  • SSH does support certificate based auth, and it’s a great upgrade to grant yourself if you are responsible for a multi human single user system. It grants revocation, short lifetime, and identity metadata for auditing, all with vanilla tooling that doesn’t impose things on the target system.

    • > multi human single user system

      A rather niche use-case to promote certificate auth... I'd add the killer-app feature is not having to manage authorized_keys.

  • Agreed, this makes sense in principle.

    But what I found, empirically, is that a substantial number of observable SSH public keys are (re)used in a way that allows a likely-unintended and unwanted determination of the owner's identities.

    This consequence was likely not foreseen when SSH pubkey authentication was first developed 20-30 years ago. Certainly, the use and observability of a massive number of SSH keys on just a single server (ssh git@github.com) wasn't foreseen.

  • You can also sign ssh host keys with an ssh ca.

    See ssh_config and ssh-keygen man-pages...

What good does certificate format do? Certainly won't make people not reuse it the same way.

> where the affected users might be surprised or alarmed to learn that it is possible to link these real-world identities.

I feel like it's obvious that ssh public keys publicly identify me, and if I don't want that, I can make different keys for different sites.

  • > > where the affected users might be surprised or alarmed to learn that it is possible to link these real-world identities.

    > I feel like it's obvious that ssh public keys publicly identify me, and if I don't want that, I can make different keys for different sites.

    You're probably not the only one for whom it's obvious, but it appears to be not at all obvious to large numbers of users.

  • ssh by default sends all your public keys to a server. Yes you can limit some keys to specific hosts but it's very easy to dox yourself.
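The three practical points raised in this thread (an SSH CA issuing short-lived user certificates with principals and an auditable key ID, signing host keys with the same tooling, and stopping ssh from offering every key in the agent to every server) fit in one ssh-keygen walkthrough. The script below is an added example, not code from any commenter; it runs in a throwaway directory, and every name in it (user_ca, host_ca, alice, bastion.example, 10.0.0.5, the key ID and ticket number) is made up.

```shell
# Added example: OpenSSH CA workflow in a throwaway directory.
# All names (user_ca, alice, bastion.example, 10.0.0.5) are made up.
set -eu

# Create a user CA and a host CA (kept separate so a leaked host CA cannot
# mint user certificates), then sign one user key and one host key.
# Arg 1: empty working directory.
make_ca_and_certs() {
  dir=$1
  # -N '' = no passphrase, acceptable only for this lab; real CA keys belong
  # in an agent, an HSM or an offline box.
  ssh-keygen -q -t ed25519 -N '' -C 'lab user CA' -f "$dir/user_ca"
  ssh-keygen -q -t ed25519 -N '' -C 'lab host CA' -f "$dir/host_ca"

  # User key plus a short-lived certificate:
  #   -I  key ID, logged by sshd on every login (audit trail)
  #   -n  principals = accounts this cert may log in as (authorization)
  #   -V  8-hour lifetime, so routine rotation needs no revocation at all
  #   -z  serial, so a KRL can revoke this one cert early if it must
  ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$dir/alice"
  ssh-keygen -q -s "$dir/user_ca" -I 'alice@example.com ticket-1234' \
    -n alice,deploy -V +8h -z 1 "$dir/alice.pub"     # writes alice-cert.pub

  # Host key plus a host certificate (-h), so clients trust the CA rather
  # than pinning every server's key in known_hosts.
  ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
  ssh-keygen -q -s "$dir/host_ca" -h -I 'bastion.example' \
    -n bastion.example,10.0.0.5 -V +52w "$dir/ssh_host_ed25519_key.pub"

  # Client-side trust anchor for host certs. The server side needs only
  #   TrustedUserCAKeys /etc/ssh/user_ca.pub
  #   HostCertificate   /etc/ssh/ssh_host_ed25519_key-cert.pub
  # in sshd_config; nothing is written to the target's authorized_keys.
  printf '@cert-authority *.example,10.0.0.* %s\n' "$(cat "$dir/host_ca.pub")" \
    > "$dir/known_hosts"

  # Client config: offer exactly this key and cert to this host. Without
  # IdentitiesOnly, ssh offers every key in the agent to every server.
  cat > "$dir/ssh_config" <<EOF
Host bastion.example
    User alice
    IdentitiesOnly yes
    IdentityFile $dir/alice
    CertificateFile $dir/alice-cert.pub
    UserKnownHostsFile $dir/known_hosts
EOF
}

# Print one top-level field of a certificate ("Key ID", "Serial", ...).
cert_field() {
  ssh-keygen -L -f "$1" | sed -n "s/^ *$2: *//p"
}

# Return 0 if the principal named in $2 appears in certificate $1.
cert_has_principal() {
  ssh-keygen -L -f "$1" | grep -qx " *$2"
}

# Revoke a certificate by writing it into a KRL (the file sshd reads via
# RevokedKeys). Arg 1: KRL path, arg 2: certificate to revoke.
revoke_cert() {
  ssh-keygen -q -k -f "$1" "$2"
}

# Return 0 if certificate $2 is listed as revoked in KRL $1.
# ssh-keygen -Q exits non-zero when any key given to it is revoked.
cert_is_revoked() {
  if ssh-keygen -Q -f "$1" "$2" >/dev/null; then return 1; else return 0; fi
}

lab=$(mktemp -d)
make_ca_and_certs "$lab"
ssh-keygen -L -f "$lab/alice-cert.pub"   # shows principals, validity, key ID
revoke_cert "$lab/revoked_keys" "$lab/alice-cert.pub"
cert_is_revoked "$lab/revoked_keys" "$lab/alice-cert.pub" && echo "cert revoked"
```

Run it with `ssh -F "$lab/ssh_config" bastion.example` against a host whose sshd trusts user_ca.pub and the client will present only the alice key and its certificate, the server's auth log will carry the key ID, and the certificate expires on its own after eight hours; the KRL step is only needed when a cert has to die before that.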