Netgate Discussion Forum

Configure SSHD to use HostCertificate in pfsense?

    drew-kun
    last edited by drew-kun Dec 15, 2022, 9:47 PM (posted Dec 15, 2022, 9:40 PM)

    Hi everyone.

    I own a Netgate S1100 and love it! I am currently using HAProxy to route outside SSH connections to my home network hosts via TLS (port 443) using the SNI TLS extension.

    Therefore, the SSH connection goes to external.domain.com:443, utilizing the SNI field, which tells HAProxy which internal host to route the SSH connection to. This way I can expose only one port, 443, to the internet in order to connect to any of the internal backends (my home network hosts) via HTTPS or SSH without exposing each host's individual SSH port to the world.

    All works fine except for the fact that whenever I connect to a different internal host (specifying a different SNI), I receive a TOFU message from OpenSSH:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the ED25519 key sent by the remote host is
    SHA256: <...>
    ....
    

    Therefore I have to clear my ~/.ssh/known_hosts each time I want to ssh into a different host over TLS via my external.domain.com:443.

    The usual solution to this is using an SSH HostCertificate instead of the SSH HostKey for server (host) authentication. A description of the method can be found here or here or here.

    I have successfully implemented host certificate authentication for my Linux hosts and that eliminated the TOFU. Great... But what about the pfSense host itself?

    After adding the following stanza to /etc/ssh/sshd_config:

    HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub


    the sshd daemon must be restarted, but after the restart pfSense removes the stanza from sshd_config (I guess with each pfSense restart the sshd_config is overridden in accordance with the defaults plus the tweaks made via the GUI). As far as I can tell the pfSense GUI does not contain any fields for customizing the SSHD config.

    How can this be made possible on pfSense?

    And if it is impossible for now (which is so sad), is it planned to be implemented in the future, because it is an obvious defect of OpenSSH on pfSense?

    Any help/idea is highly appreciated! Thanks.

      stephenw10 Netgate Administrator
      last edited by Dec 16, 2022, 12:18 AM

      Did you try adding it to /etc/sshd_extra?

      That should not be overwritten at boot and is added to the generated conf file.
      https://github.com/pfsense/pfsense/blob/RELENG_2_6_0/src/etc/sshd#L123

      Steve

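As an added example (not code from the thread, from pfSense or from OpenSSH's own docs), here is the host-certificate setup the first post describes, ending with the line that belongs in the /etc/sshd_extra file Steve points to. The CA and key paths, the key id, the pfsense.home.lan name and the 52-week validity are assumptions; external.domain.com is the SNI name from the post.

```shell
#!/bin/sh
# Added example, not from the thread: issue an OpenSSH host certificate for a
# host that clients reach as external.domain.com through HAProxy, and emit the
# lines that make the client and pfSense trust it. File paths are assumptions.
set -eu

# 1. Create the host CA. The private half stays on an admin machine only.
make_host_ca() {  # $1 = output path prefix (writes $1 and $1.pub)
    ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$1"
}

# 2. Sign a host's public key. The principal list MUST contain every name the
#    client connects to, including the shared external.domain.com SNI name;
#    a name missing here makes the client fall back to the raw host key and
#    the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning comes back.
sign_host_key() {  # $1 = CA private key, $2 = host pub key, $3 = key id, $4 = principals (comma-separated)
    ssh-keygen -q -s "$1" -I "$3" -h -n "$4" -V +52w "$2"
    # ssh-keygen writes the certificate to ${2%.pub}-cert.pub
}

# 3. Client side: one @cert-authority line in ~/.ssh/known_hosts replaces the
#    per-host key lines that changed with every backend.
ca_known_hosts_line() {  # $1 = host patterns, $2 = CA public key file
    printf '@cert-authority %s %s\n' "$1" "$(cut -d' ' -f1,2 "$2")"
}

# 4. Server side on pfSense: this goes into /etc/sshd_extra, which the sshd
#    script appends to the sshd_config it regenerates at boot.
sshd_extra_stanza() {  # $1 = certificate path on the pfSense host
    printf 'HostCertificate %s\n' "$1"
}

# 5. Sanity check: list the principals baked into an issued certificate.
cert_principals() {  # $1 = certificate file; prints one principal per line
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {sub(/^[ \t]+/, ""); print}'
}

# End-to-end run in a scratch directory (the host key is a stand-in for
# /etc/ssh/ssh_host_ed25519_key on the pfSense box).
demo() {
    d=$(mktemp -d)
    make_host_ca "$d/host_ca"
    ssh-keygen -q -t ed25519 -N '' -f "$d/ssh_host_ed25519_key"
    sign_host_key "$d/host_ca" "$d/ssh_host_ed25519_key.pub" pfsense-host external.domain.com,pfsense.home.lan
    cert_principals "$d/ssh_host_ed25519_key-cert.pub"
    ca_known_hosts_line 'external.domain.com,*.home.lan' "$d/host_ca.pub"
    sshd_extra_stanza /etc/ssh/ssh_host_ed25519_key-cert.pub
}
```

Source the file and call `demo` to see the principals, the known_hosts line and the sshd_extra line; copy the real certificate to the pfSense host and restart sshd after adding the stanza.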
        drew-kun @stephenw10
        last edited by Dec 16, 2022, 1:26 AM

        @stephenw10 Thank you so much for that! It works! Just did not know about the /etc/sshd_extra possibility!

          stephenw10 Netgate Administrator
          last edited by Dec 16, 2022, 9:06 AM

          Nice! I think I've used it one time previously. It's not a commonly known feature! 😉

          Steve
