Configurable SSH Host Key Policies for Cinder

Include the URL of your launchpad blueprint:

https://blueprints.launchpad.net/cinder/+spec/configurable-ssh-host-key-policy

To address concerns of weak ssh security in Cinder, the way that ssh host keys are handled by Cinder should be configurable, allowing system administrators to choose how secure they wish their SSH connections to be.

Problem description

During Icehouse testing and development it was discovered that SSHPool in cinder/utils.py was using the paramiko.AutoAddPolicy() option. This meant that changes to the SSH key on the storage back-end would just be accepted with only a warning being printed. This leaves a security weakness as it is possible for a Man-In-the-Middle (MITM) attack to happen between the Cinder Volume host and the back-end storage. If a MITM attack were to happen, the users data could be compromised. In a worst case scenario, users could be tricked into attaching or even booting spoofed volumes containing malicious code.

Use Cases

Proposed change

The spec and associated blueprint propose making the way that SSH host keys are handled configurable, allowing system administrators to make a conscious decision about the level of security they need on their system.

The solution would require two new configuration items as well as a change to the current default behavior. First, there would need to a ‘strict_ssh_host_key_policy’ configuration option with possible settings of ‘false’ (default) or ‘true’. When this option is set to ‘false’ it will automatically accept the host key on the first connection and then will throw an exception if the host key changes in the future. This is where the default behavior changes from the current functionality.

In the case that ‘strict_ssh_host_key_policy’ is set to ‘true’ then a second option ‘ssh_host_keys_file’ must be configured. When the strict configuration is used it is assumed that the administrator is going to have pre-configured ssh host keys and any deviation from those expected keys will be handled with an exception.

Alternatives

Obviously, we could keep the current functionality but this leaves a security weakness. We could also just require that an ssh host key file be specified, but I feel this is undesirable as it is yet another configuration option that users must deal with. The last option would be to make the functionality fully configurable, making it possible to keep the current functionality, where changes in the host key only cause a warning to be reported, in addition to the new configuration options listed above, but I don’t feel leaving the security weakness in place is the right approach if we are making this change. We are actually bringing Cinder’s handling of ssh keys in line with what users are used to from the command line, which seems like the most sensible approach.

Data model impact

None

REST API impact

None

Security impact

This change improves security by handling ssh keys in a manner that will help to avoid the possibility of Man-in-the-Middle attacks.

Notifications impact

None

Other end user impact

As mentioned above, this change will make it so that, by default, the user will see a failure connecting to their back-end storage system in the case the ssh keys on that system change. The user will have the ability to set the level of security they wish to enforce on their volume server using the ‘strict_ssh_host_key_policy’ and also be able to specify the host keys they wish to use with the ‘ssh_host_keys_file’ option.

Performance Impact

None

Other deployer impact

Deployers that wish to have a more secure ssh implementation will need to set the ‘strict_ssh_host_key_policy’ and ‘ssh_host_keys_file’ configuration options.

Developer impact

Drivers that currently use ssh to connect to their back-end storage systems will need to ensure that their drivers are using this approach for securing their ssh keys. Future driver developers will also need to be consistent with this improved security model.

Implementation

Assignee(s)

Primary assignee:

jsbryant (jsbrant@us.ibm.com or jungleboyj on IRC)

Work Items

Initial changes to cinder/utils.py to enable this new functionality. Update existing drivers to properly utilize the functionality.

Dependencies

None

Testing

Beyond unit tests, I don’t know that there is much more testing that can be done unless there is a way, in Tempest, to simulate bad ssh keys being returned.

Documentation Impact

Documentation will need to be updated for the configuration options and explanation of how the functionality is designed to work.

References

Original bug which started this discussion: https://bugs.launchpad.net/cinder/+bug/1320056 Initial fix for utils.py in the community: https://review.openstack.org/#/c/94165/ Weekly Cinder Meeting discussion on this topic: http://eavesdrop.openstack.org/meetings/cinder/2014/cinder.2014-05-28-16.00.log.html#l-104