monkeysphere always removes invalid hosts from known_hosts file, even if they were manually added
The current monkeysphere procedure for handling known_hosts files is the following:
- find all keys matching host in WoT
- remove all host/key lines matching keys found for host in WoT, valid or otherwise
- add host/key lines for valid keys for the host
The important point here is that monkeysphere will never remove host/key lines for hosts that don't have any keys in the WoT.
However, an attacker could force a host key line to always be removed by adding an invalid cert for the host/key pair in the WoT. This would mean that monkeysphere users would always get the "authenticity ... can't be established" prompt for that host, even if they manually added the host key, or said yes at that prompt previously.
Note that this is not a problem for authorized_keys, since monkeysphere only removes authorized_keys lines that it had previously added, and it only adds valid keys for users listed in authorized_user_ids. Manually added keys are never removed.
I unfortunately don't immediately see any good way to fix this. I have two non-ideal proposals, though:
- monkeysphere only removes host/key lines that it had previously inserted. This would mean that host/key lines would only be removed if the host/key pair had previously been seen as valid by monkeysphere. However, this is problematic for hosts that transition to monkeysphere, since their old manually added host keys would have to be manually removed.
- use a separate file to list hosts that should be handled by monkeysphere. monkeysphere would then only ever remove host/key lines for listed hosts, and leave all other keys alone. This of course requires maintaining a separate "authorized_hosts" file (or whatever it would be called), which is less than ideal. It would also have some transition issues, since new monkeysphere hosts would have to be added to that file manually, instead of being added to known_hosts automatically by the proxycommand if a valid key for that host was found in the WoT.
I'm open to any other suggestions.
(from redmine: created on 2010-11-01)
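The following Python simulation is an added illustration of the behaviour described in this report; it is not monkeysphere's own code and was not part of the original post. It models the WoT as a list of (host, key, valid) tuples, tags lines that monkeysphere itself inserted with an assumed MARKER comment (the real comment format is not taken from the page), and runs the current three-step procedure next to the first proposal against a constructed known_hosts file. The first scenario is the one the report worries about: a manually accepted host key plus an invalid certification of the same host/key pair in the WoT. The second shows that the first proposal still rotates a key that monkeysphere previously added and that has since become invalid.

```python
# Constructed simulation of the known_hosts handling discussed in this issue.
# Not monkeysphere's own code. Assumptions: the WoT is a list of
# (host, key, valid) tuples, and lines monkeysphere inserts carry MARKER in
# the comment field so that proposal 1 can recognise them later.

MARKER = "MonkeySphere"  # assumed tag for lines monkeysphere itself inserted


def parse_known_hosts(text):
    """Parse known_hosts text into (hosts, keytype, key, comment) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue  # malformed line, left out of the simulation
        hosts, keytype, key = parts[:3]
        comment = parts[3] if len(parts) == 4 else ""
        entries.append((hosts, keytype, key, comment))
    return entries


def format_known_hosts(entries):
    """Serialise entries back into known_hosts lines."""
    return "\n".join(" ".join(p for p in e if p) for e in entries) + "\n"


def _matches_host(entry, host):
    return host in entry[0].split(",")


def update_current(entries, host, wot, keytype="ssh-rsa"):
    """Current procedure from the report: collect every WoT key for host, drop
    every known_hosts line for host carrying one of those keys (valid or not),
    then add a line for each valid key."""
    wot_keys = {k for h, k, _ in wot if h == host}
    valid = {k for h, k, ok in wot if h == host and ok}
    kept = [e for e in entries if not (_matches_host(e, host) and e[2] in wot_keys)]
    kept += [(host, keytype, k, MARKER) for k in sorted(valid)]
    return kept


def update_proposal1(entries, host, wot, keytype="ssh-rsa"):
    """Proposal 1: only drop lines monkeysphere itself inserted (MARKER), so a
    manually added line survives an invalid WoT entry for the same key. Valid
    keys are added unless a line for that host/key is already present."""
    wot_keys = {k for h, k, _ in wot if h == host}
    valid = {k for h, k, ok in wot if h == host and ok}
    kept = [e for e in entries
            if not (_matches_host(e, host) and e[3] == MARKER and e[2] in wot_keys)]
    present = {e[2] for e in kept if _matches_host(e, host)}
    kept += [(host, keytype, k, MARKER) for k in sorted(valid) if k not in present]
    return kept


def host_keys(entries, host):
    """Keys currently recorded for host, for easy comparison."""
    return sorted(e[2] for e in entries if _matches_host(e, host))


# Scenario 1 (constructed): the user manually accepted AAAAB3HOSTKEY for
# example.org (no marker); an attacker then gets an *invalid* certification of
# that same host/key pair into the WoT. other.example has no WoT keys at all.
KNOWN_HOSTS_MANUAL = "example.org ssh-rsa AAAAB3HOSTKEY\nother.example ssh-rsa AAAAB3OTHER\n"
WOT_ATTACKER = [("example.org", "AAAAB3HOSTKEY", False)]

# Scenario 2 (constructed): a line monkeysphere added earlier is now invalid in
# the WoT and a new valid key exists for the host.
KNOWN_HOSTS_MANAGED = "example.org ssh-rsa AAAAB3OLDKEY MonkeySphere\n"
WOT_ROTATED = [("example.org", "AAAAB3OLDKEY", False), ("example.org", "AAAAB3NEWKEY", True)]


def demo_attacker():
    entries = parse_known_hosts(KNOWN_HOSTS_MANUAL)
    return {
        "current": host_keys(update_current(entries, "example.org", WOT_ATTACKER), "example.org"),
        "proposal1": host_keys(update_proposal1(entries, "example.org", WOT_ATTACKER), "example.org"),
        # host with no WoT keys is never touched by either procedure
        "untouched_host": host_keys(update_current(entries, "example.org", WOT_ATTACKER), "other.example"),
    }


def demo_rotation():
    entries = parse_known_hosts(KNOWN_HOSTS_MANAGED)
    return {
        "current": host_keys(update_current(entries, "example.org", WOT_ROTATED), "example.org"),
        "proposal1": host_keys(update_proposal1(entries, "example.org", WOT_ROTATED), "example.org"),
    }


if __name__ == "__main__":
    print(demo_attacker())
    print(format_known_hosts(update_proposal1(parse_known_hosts(KNOWN_HOSTS_MANUAL), "example.org", WOT_ATTACKER)))
    print(demo_rotation())
```

In scenario 1 the current procedure leaves example.org with no known_hosts line at all, which is exactly what triggers the "authenticity ... can't be established" prompt on every connection, while proposal 1 keeps the manually added line; in scenario 2 both procedures replace the old managed key with the new valid one. The marker-based check is the part that would have to be designed carefully in a real fix, since anyone who can write to known_hosts can forge the marker, but that is the same trust boundary the file already has.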