Stop MitM on the first SSH connection, on any VPS or cloud provider
2 days ago
- #SSH Security
- #VM Protection
- #Cloud Init
- A script prevents man-in-the-middle attacks on the first SSH connection to a newly created VM on providers such as Hetzner Cloud that support cloud-init.
- It injects a temporary SSH host key via cloud-init and trusts that key only for as long as it takes to generate the real long-term host keys on the VM and retrieve their public halves over the authenticated session.
- This protects the very first connection, unlike Trust On First Use (TOFU), which accepts whatever key is presented and is therefore vulnerable to rerouting or proxy attacks.
- Because only a throwaway key is placed in the cloud-init userdata, no valuable private key material is exposed there, which reduces the impact of SSRF or other attacks that can read userdata.
- The script keeps the temporary host key in a temporary directory and never writes it to ~/.ssh/known_hosts.
- For later rotation of the long-term host keys it relies on OpenSSH's own key-rotation mechanism; it otherwise assumes SSH itself is secure and includes safeguards against accidental use.
- An attack on the first connection may still fail on its own if the administrator notices the wrong connection, uses no password authentication, and does not forward SSH agent or X11 connections.
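The flow summarised above, as an added illustration that is not the article's script: a disposable host key goes into cloud-init userdata, is pinned in a known_hosts file under a private temp directory (never ~/.ssh/known_hosts), the first session is forced to verify against it, and the real keys fetched over that authenticated session become the only ones kept. The key strings, the host address, the `ssh_keys`/`ssh_deletekeys` cloud-config layout, the remote regeneration command and the `ssh` service name are all assumptions of this example, not details from the page.

```python
"""Added example (not the article's own script): build the artifacts of a
cloud-init first-connection flow that uses a disposable SSH host key.
All key material below is constructed placeholder text."""
import os
import tempfile

# Constructed placeholders; a real run would create a throwaway pair with
# `ssh-keygen -t ed25519 -N '' -f tmpkey` and read both files.
TEMP_HOST_PUB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERTEMPKEY00000000000000000"
TEMP_HOST_PRIV = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "PLACEHOLDER-PRIVATE-KEY-BODY\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)


def build_userdata(temp_priv: str, temp_pub: str) -> str:
    """#cloud-config that installs only the disposable host key (assumed
    layout of cloud-init's ssh module). The private half is deliberately
    worthless: once the VM regenerates its real keys, anyone who read the
    userdata (e.g. via SSRF to the metadata service) gains nothing."""
    def block(text: str) -> str:
        return "".join("    " + line + "\n" for line in text.strip().splitlines())
    return (
        "#cloud-config\n"
        "ssh_deletekeys: true\n"
        "ssh_keys:\n"
        "  ed25519_private: |\n" + block(temp_priv) +
        "  ed25519_public: " + temp_pub + "\n"
    )


def temp_known_hosts(host: str, temp_pub: str) -> str:
    """Pin the temporary key in a known_hosts file inside a fresh private
    temp dir, so it never touches ~/.ssh/known_hosts and can be discarded."""
    path = os.path.join(tempfile.mkdtemp(prefix="sshtmp-"), "known_hosts")
    with open(path, "w") as f:
        f.write(f"{host} {temp_pub}\n")
    os.chmod(path, 0o600)
    return path


# Assumed remote command: wipe the disposable key, regenerate real ones,
# restart the daemon (service name varies by distro) and print public halves.
REGEN_CMD = ("sudo rm -f /etc/ssh/ssh_host_*_key* && sudo ssh-keygen -A && "
             "sudo systemctl restart ssh && cat /etc/ssh/ssh_host_*.pub")


def ssh_command(host: str, user: str, known_hosts: str, remote_cmd: str) -> list:
    """argv for the first connection: strict checking against the temp
    known_hosts only, and none of the things a MitM could abuse."""
    return [
        "ssh",
        "-o", f"UserKnownHostsFile={known_hosts}",
        "-o", "StrictHostKeyChecking=yes",       # no TOFU fallback
        "-o", "PasswordAuthentication=no",       # nothing for a proxy to capture
        "-o", "ForwardAgent=no",
        "-o", "ForwardX11=no",
        f"{user}@{host}", remote_cmd,
    ]


def real_known_hosts_lines(output: str, host: str, temp_pub: str) -> list:
    """Turn the `cat /etc/ssh/ssh_host_*.pub` output received over the
    verified session into known_hosts lines for the long-term keys. The
    temporary key is dropped so it can never be trusted a second time."""
    lines = []
    for raw in output.splitlines():
        parts = raw.split()
        if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
            continue
        keytype, blob = parts[0], parts[1]
        if f"{keytype} {blob}" == temp_pub:
            continue
        lines.append(f"{host} {keytype} {blob}")
    return lines


if __name__ == "__main__":
    host = "203.0.113.10"  # constructed address
    print(build_userdata(TEMP_HOST_PRIV, TEMP_HOST_PUB))
    kh = temp_known_hosts(host, TEMP_HOST_PUB)
    print(" ".join(ssh_command(host, "root", kh, REGEN_CMD)))
```

In real use the output of the `ssh` command above is fed to `real_known_hosts_lines` and the resulting lines are appended to ~/.ssh/known_hosts; the temp directory holding the disposable key is then deleted.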