Making password driven SSH 'immune' to MTM attacks.
Dave Dykstra
dwd at bell-labs.com
Sat Feb 26 06:51:26 EST 2000
On Thu, Feb 24, 2000 at 06:22:22PM -0500, Gregory Maxwell wrote:
> The RSA method is good because it doesn't rely on the (frequently
> non)secrecy of passwords. It's primary disadvantage is that using it
> correctly requires a PKI of some form (be it x.509 certs, GPG signed
> copies, manual key population) to be secure.
I think that's nonsense. If you personally exchange RSA public keys or
get them from people you know personally there's no reason why it needs
a PKI. RSA authentication works wonderfully in SSH. It's hardly any
harder to exchange RSA public keys than to exchange a secret password,
except that the former can't be transmitted over a telephone.
> Unfortuantly, when using passwords with SSH you are fairly
> vulnarable to a Man-in-the-middle attack. SSH provides some basic
> protection against this in the form of saved host keys. Unfortunatly, this
> is insufficent as the network could be comprimised before inital
> connection, and often users will just 'okay' the WARNING message anyways
> because it is falsely triggered so easily.
If you're worried about a compromise before the initial connection then
exchange the public key of the host separately at the same time you
exchange the individual's key. No big deal. I rarely run into cases where
there's a reason to be suspicious that early, however.
...
> If we add SRP client code to the OpenSSH client (a small amount of code
> that can be easily audited), and a small modification to the server it
> will make it possible to use SRP to authenticate on hosts that using an
> SRP password file.
That's a worthwhile reason to add SRP support to OpenSSH, but I don't see
much value in enabling SRP if your system doesn't already have an SRP
password file.
- Dave Dykstra
More information about the openssh-unix-dev
mailing list