Hi everyone.
I am using Pfsense Router with OpenWrt set up as a Wireless Access Point which I want to have an external ssh access to.
I am currently using HAProxy on my Pfsense to route outside SSH connections to my home network hosts via TLS (port 443) using SNI TLS extension. Therefore, the SSH connection goes to external.domain.com:443
, utilizing SNI field, that tells which internal host to route the SSH connection to. This way I can expose only one port 443 to the internet in order to connect to any of the internal backends (my home network hosts) via HTTPS or SSH without exposing each individual SSH ports for each host to the World.
All works fine except the fact that whenever I connect to a different internal host (specifying different SNI), I receive TOFU message from OpenSSH:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256: <...>
....
Thus, unfortunately, I have to clear up my ~/.ssh/known_hosts
each time I want to ssh into a different host over TLS via my external.domain.com:443
The usual solution to this is using SSH HostCertficate instead of SSH HostKey for Server (Host) Authentication. Description of the method could be found here or here or here
I have successfully implemented Host Certificate Authentication for my Linux hosts and that eliminated the TOFU. Great...
But what about the OpenWrt hosts? Does Dropbear able to use something like this standard sshd stanza as follows:
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub`
How to make it possible on Dropbear?
And if it is impossible for now (which is so sad), is it planned to be implemented in the future because it is an obvious defect?
Any help/idea is highly appreciated! Thanks.