No SSHFP record, TOFU clients. This is not secure.
I wish people would stop trying to use SSH for things like this. PKI has features that are missing here and those features matter.
This is unsafe.
"but raggi, mitm before tofu is a really unrealistic scenario"
ok, well, consider that some large percentage of gas stations in the US have hardware installed to skim your credit cards. those same folks are perfectly well motivated to drop a wifi dns mitm in conference buildings (trivial). new tech conference, handful of credit cards as people gossip about exactly these kinds of things in the hallway track. the roi on these installs would be pretty high, because tech folks tend to have a high credit balance. so yeah, "totally unrealistic" (this is more about terminal.shop, but same principle here as soon as someone uses it for actual value).
Are you serious? A MITM here cannot sign things with your private key. People who care can add the keypub’s fingerprint before connecting. Adding an sshfp record is completely trivial too. There is no more tofu here than any other ssh connection and the solution is the same. And the added advantage of a PKI means, in a properly designed system, a threat actor can’t do anything useful sitting on the wire. I’m not saying ssh apps are going to take off, just that your reaction is quite hyperbolic.
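To make concrete what "add the fingerprint" and "add an SSHFP record" involve, here is an added example (not code from the thread or from the project under discussion) that builds the SSHFP record for an OpenSSH public key and checks a presented host key against a set of published records. It follows the RFC 4255/6594 layout: the record carries an algorithm number, a fingerprint type, and the hash of the base64-decoded key blob, which is the same value `ssh-keygen -r` prints. The sample key bytes are constructed so the example runs offline; a real deployment would publish the record in DNSSEC-signed DNS and the client would need `VerifyHostKeyDNS yes` and a validating resolver, which is the caveat raised in the thread.

```python
"""Build SSHFP records from an OpenSSH public key and check a host key against them."""
import base64
import hashlib
import hmac
import struct
from typing import Iterable, Tuple

# SSHFP code points (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
FPTYPE_SHA1 = 1
FPTYPE_SHA256 = 2
_HASH = {FPTYPE_SHA1: hashlib.sha1, FPTYPE_SHA256: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string (4-byte big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes) -> str:
    """Constructed sample: wrap 32 raw bytes as an OpenSSH 'ssh-ed25519 <base64>' line.
    Real keys come from ssh-keygen; this only builds the wire blob so the example runs offline."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


def sshfp_from_pubkey_line(line: str, fptype: int = FPTYPE_SHA256) -> Tuple[int, int, str]:
    """Return (algorithm, fptype, hex fingerprint) for one known_hosts-style public key line.
    The fingerprint is the hash of the base64-decoded key blob, as emitted by ssh-keygen -r."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with its own type string; it must agree with the declared type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type in blob does not match declared type")
    return SSHFP_ALGORITHM[keytype], fptype, _HASH[fptype](blob).hexdigest()


def format_sshfp_rr(hostname: str, alg: int, fptype: int, fingerprint_hex: str) -> str:
    """Render a zone-file style record, e.g. 'host.example. IN SSHFP 4 2 ABC...'."""
    return f"{hostname}. IN SSHFP {alg} {fptype} {fingerprint_hex.upper()}"


def host_key_matches_records(line: str, records: Iterable[Tuple[int, int, str]]) -> bool:
    """True if at least one published (alg, fptype, hex) record matches the presented host key.
    This is the check a client performs after a validated (DNSSEC) SSHFP lookup; records with
    a fingerprint type this code does not know are skipped, and the comparison is constant-time."""
    for alg, fptype, published in records:
        if fptype not in _HASH:
            continue
        try:
            got_alg, _, got_fp = sshfp_from_pubkey_line(line, fptype)
        except (KeyError, ValueError):
            return False
        if got_alg == alg and hmac.compare_digest(got_fp.lower(), published.lower()):
            return True
    return False


if __name__ == "__main__":
    sample = make_ed25519_pubkey_line(bytes(range(32)))  # constructed, not a real host key
    alg, fpt, fp = sshfp_from_pubkey_line(sample)
    print(format_sshfp_rr("host.example", alg, fpt, fp))
    print(host_key_matches_records(sample, [(alg, fpt, fp)]))
```

The record is only as trustworthy as the DNS answer that carried it: without DNSSEC validation on the client side, an attacker who controls DNS on the local network can serve a record matching their own key, which is why the thread treats "publish SSHFP" as necessary but not sufficient.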
There’s no separate signing in use here except for the ssh connection, which can be trivially mitm’d in common targeted scenarios because of the lack of webpki and the lack of other preparations. SSHFP would help, but only if configured both in dns, and if the client is both configured to look for it, using secure dns, and the user understands the failure UX and doesn’t just bypass it. On DNS: DoH would help but it is only in widespread use in browsers. DoT would help but it is only in widespread use on android.
In addition to this a further scan of the code reveals it’s also using a btree index lookup for code comparison and no limitation on attempts, so it is likely that this is relatively trivial to attack with timing as well.
Trivialize mitm all you want, you say concerns of mitm are hyperbolic, I gave a practical example of a target rich environment and there are plenty more folks could come up with. SSH may have long been skirting the lack of a better host key distribution system, but this is largely a matter of luck, access and bespoke usage. These new deployments demonstrate a change on two of these factors, increasing risk substantially if this grows.
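The second point in the comment above, looking up a submitted code via a database index and allowing unlimited attempts, is a pattern worth contrasting with the shape a defender wants. The following added example (mine, not the project's code, and independent of any storage engine) keeps pending codes keyed by the login identifier rather than by the code, stores a salted hash, compares with the standard library's `hmac.compare_digest`, and enforces an attempt cap, an expiry and single use. The clock is injectable so the expiry behaviour can be exercised without waiting.

```python
"""Timing-safe one-time code verification with attempt limiting and expiry."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5          # assumption for this example; tune per deployment
CODE_TTL_SECONDS = 600    # assumption for this example
_SALT_LEN = 16


@dataclass
class PendingCode:
    salt: bytes
    code_hash: bytes
    created_at: float
    attempts: int = 0


class CodeStore:
    """In-memory store of pending one-time codes, keyed by identifier (e-mail, session id).
    The code itself is never used as a lookup key, so index behaviour cannot leak partial matches."""

    def __init__(self, clock=time.time):
        self._pending = {}
        self._clock = clock

    @staticmethod
    def _hash(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def issue(self, identifier: str, digits: int = 6) -> str:
        """Generate a fresh numeric code for identifier and remember only its salted hash."""
        code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        salt = secrets.token_bytes(_SALT_LEN)
        self._pending[identifier] = PendingCode(salt, self._hash(salt, code), self._clock())
        return code  # delivered out of band (mail, SMS); never stored in clear

    def verify(self, identifier: str, submitted: str) -> bool:
        """Return True only for the correct, unexpired code within the attempt budget."""
        entry = self._pending.get(identifier)
        if entry is None:
            # Do the same hashing work so "unknown identifier" is not cheaper than "wrong code".
            hmac.compare_digest(self._hash(bytes(_SALT_LEN), submitted), bytes(32))
            return False
        if self._clock() - entry.created_at > CODE_TTL_SECONDS:
            self._pending.pop(identifier, None)
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(self._hash(entry.salt, submitted), entry.code_hash)
        if ok or entry.attempts >= MAX_ATTEMPTS:
            # Success consumes the code; exhausting the budget discards it so a new one must be issued.
            self._pending.pop(identifier, None)
        return ok


if __name__ == "__main__":
    store = CodeStore()
    code = store.issue("alice@example.test")  # constructed identifier
    print(store.verify("alice@example.test", "000000" if code != "000000" else "111111"))
    print(store.verify("alice@example.test", code))
```

Hashing with a random salt means a leaked table does not reveal live codes, and `compare_digest` removes the early-exit comparison that a plain string equality or an index probe would expose; the attempt cap is what makes the remaining six-digit search space matter.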
I agree there is an issue here -- btw, you would notice when eventually the server key changes.
User friendly and secure-by-default clients will leverage the domain HTTPS CA to solve this (fetching the server key using https). The downside is that it will require d/l and install