[SOLVED] How can SSH check if a public key is registered with a specific authority?

Issue

I am trying to understand if SSH can be set up to work the way HTTPS works - there are 'authorities' that store public keys mapped to a specific company together with other information that can be useful (like date, signature, etc.). In other words it's a certificate that can be checked by clients (most often browsers) and verified that this is really the company this web site represents. This is essential to prevent the middle-man-attack or a fake web page looking exactly like the original one.

I am new to SSH and I am trying to understand if there is a similar mechanism for certificates check - I looked everywhere and I don't find an answer to this. What bothers me is when you have a server set up by another person (maybe you don't believe this person) and you want to ssh to this server for a first time (make it a known host for future connections) you can't be absolutely sure that there is no middle-man because you do not check the certificate against an authority (this can be just your company cert authority)? The public key of the ssh server that your ssh client receives is unknown and can not be verified. How can I be sure this is really the server I want to connect to?

Does this make any sense or I am just missing something ?

Thanks in advance!

Solution

I understand your confusion.

Let me try to clarify, maybe it helps.

To establish trust that the remote host that you login to is indeed the host you expect, SSH provides you the mechanism of the host key fingerprint verification.

How do you know what the host key should be before you have ever logged in? Well, this appears to be a problem that can only be solved out of band.

SSH has no way of knowing, whether the host you login to is the one you think it is - this is exactly the reason it asks you to confirm whether the fingerprint of the host matches what you expected.

As a consequence, you need to obtain the correct host key fingerprint from the person or entity that has set up the host for you. In other words: you need to trust that the person has fulfilled the following three premises:

1. Set up the host correctly, and
2. Provided you with the correct host key, and
3. Ensured that nobody else has access to the host’s private key.

If these three premises are established, you can verify in the future, whether you are indeed connecting to the correct host as SSH is able to validate whether the remote host indeed is in possession of the private key corresponding to the host fingerprint.

Answered By - Simon Heimlicher

Answer Checked By - David Goodson (WPSolving Volunteer)