Hostbased Authentication as Shoe-string Zero-Trust

Everyone agrees that it’s a bad idea to use the SSH protocol’s HostbasedAuthentication as the sole method for authenticating remote logins. I’m not convinced that it’s a bad idea for the purposes of providing multi-factor authentication. It might even be okay.

Use case

Say you manage a fleet of mobile workstations (*nix laptops), with users who don’t need local or remote superuser access. They use the workstations to authenticate via SSH from anywhere in the world to servers you control. Were a user account on one of these workstations to be compromised, an attacker could keylog passwords or steal user pubkeys, then use them from their own endpoints. Enforcing password or pubkey authentication along with hostbased authentication would guarantee that the attacker wouldn’t be able to use these stolen passwords or pubkeys outside of the compromised machine.

This is an admittedly narrow use case, but it would mean that, after a compromise of my unprivileged user session, the attacker would have to dwell within an active, local user session on my laptop to use the stolen credentials, or be able to return to the host later. Either situation increases the likelihood of the attacker getting caught (especially with EDR), and means that simply closing the lid of my laptop becomes an inconvenience for the attacker.

Pros & Cons

Pros

Cons

Architecture

Implementation for an unprivileged user on the client side accessing an account on the server side from any IP address:

Procedure

This presumes you have superuser access on a client system (i.e. your laptop) and on a remote system listening for inbound SSH connections. Both are configured with an unprivileged user that will log in to the server from the client.

  1. Prepare the client system.

  2. Prepare the server system.

To troubleshoot this nonsense server-side, I set LogLevel DEBUG3 in sshd_config, and look at messages in these logfiles:

On the client, I just used ssh -vvv while connecting.
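As an added example, not part of this post, here is a small POSIX sh audit of the server-side pieces the set-up depends on: it reads an sshd_config and checks that hostbased authentication is enabled, that every AuthenticationMethods alternative requires hostbased plus a second method, and that an unprivileged user cannot trust their own hosts via ~/.shosts. The option names are real sshd_config keywords; the two sample configs are constructed, and the requirement of HostbasedUsesNameFromPacketOnly for clients connecting from any IP address is my reading of how sshd matches the client hostname, not something the post states.

```sh
#!/bin/sh
# Added audit script (not from the post). Checks that an sshd_config enforces
# hostbased auth as one factor of a multi-factor login rather than on its own.

# opt FILE KEYWORD: print the value of KEYWORD. sshd keeps the first value it
# reads, and this simple reader stops at the first Match block, which it does
# not model.
opt() {
    awk -v k="$2" 'tolower($1)=="match"{exit}
        tolower($1)==tolower(k){for(i=2;i<=NF;i++)printf "%s%s",(i>2?" ":""),$i; print ""; exit}' "$1"
}

# audit_hostbased_mfa FILE: return 0 when every AuthenticationMethods
# alternative requires hostbased plus at least one other method and the
# supporting options are set so an unprivileged user cannot bypass it.
audit_hostbased_mfa() {
    f="$1"; rc=0
    [ "$(opt "$f" HostbasedAuthentication)" = yes ] ||
        { echo "HostbasedAuthentication must be yes"; rc=1; }
    # Default is yes; "no" would let a user trust hosts via their own ~/.shosts.
    [ "$(opt "$f" IgnoreRhosts)" != no ] ||
        { echo "IgnoreRhosts no lets users add ~/.shosts"; rc=1; }
    # Assumption: roaming clients have no usable reverse DNS, so match the name
    # the client sends rather than the PTR record of its current IP address.
    [ "$(opt "$f" HostbasedUsesNameFromPacketOnly)" = yes ] ||
        { echo "HostbasedUsesNameFromPacketOnly should be yes for clients on any IP"; rc=1; }
    methods="$(opt "$f" AuthenticationMethods)"
    [ -n "$methods" ] || { echo "AuthenticationMethods not set: a single method suffices"; rc=1; }
    for alt in $methods; do            # each word is one acceptable combination
        case ",$alt," in
            *,hostbased,*) case "$alt" in *,*) ;; *) echo "'$alt' is hostbased alone"; rc=1;; esac ;;
            *) echo "'$alt' does not require hostbased"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed samples: the weak config trusts the client host key by itself,
# the intended one requires the host key *and* the user's key.
weak_cfg=$(mktemp); intended_cfg=$(mktemp)
cat >"$weak_cfg" <<'EOF'
HostbasedAuthentication yes
PubkeyAuthentication no
EOF
cat >"$intended_cfg" <<'EOF'
HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes
IgnoreRhosts yes
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods hostbased,publickey
EOF
```

Run it against a real config with `audit_hostbased_mfa /etc/ssh/sshd_config`; for the authoritative, Match-aware view of what sshd actually applies, compare with `sshd -T`.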

Ways things could go wrong

Easier ways to accomplish much the same thing

Outstanding questions

Conclusion

Since the list of “cons” above is longer than the list of “pros”, since I’ve pointed out a number of ways this could go wrong if not done precisely, since it only addresses a very narrow use case, and since I haven’t found anyone on the web describing this set-up, I wouldn’t recommend it for production use. Still, I’m trying this out on a client and server I own to see how practical it is and to try to catch a nasty edge case.

Also, while I said above that you could use Hostbased authentication with passwords or per-user pubkeys, I was just being polite. No one should use passwords.

Sources

Errata