find canonic host name [SECURITY VULNERABILITY]

Gregory Stark gsstark at mit.edu
Tue Oct 3 13:57:53 EST 2000


I reported a bug recently to the Debian bug tracking system, but I just checked
this mailing list and it seems it was already mentioned here. However, the
thread seems to have died. This is worrisome because it's rather a severe
security vulnerability.

OpenSSH seems to have changed behaviour to canonicalize host names _before_
looking up keys in known_hosts. This is BAD. AWFUL. TERRIBLE.

This sounds like someone applied a blanket security rule-of-thumb without
understanding the rationale behind the rule. (What's worse is that
canonicalizing host names doesn't really buy any security in the general case
but that's another battle.)

Canonicalizing names provided by untrusted sources is reasonable because it
prevents untrusted sources from being able to provide aliases that might
escape treatment by some security provision. Canonicalizing names provided by
the user before checking the known_hosts file means you're opening the user up
to additional attacks where he might not even be connecting to the host he
requested!

Incidentally, my original Debian bug report was that SSH should use the
hostname/port pair as the key for known_hosts, not merely the hostname, since
each port could run an sshd with a different key. I would actually like an
option in .ssh/config to specify the known_hosts key explicitly rather than
use the hostname and IP address.

-- 
greg
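The two points argued in the post above, as an added example that is not part of the original message and not OpenSSH code: a toy known_hosts lookup in which (1) canonicalising the user-typed name before the check turns a "host key changed" failure into a "new host" prompt when an attacker controls the DNS answers, and (2) keying entries on the (host, port) pair lets two sshds on one host keep different keys. The file format (a "name:port" suffix), the host names, the key strings and the resolver tables are all constructed for this illustration.

```python
# Added example, not from the original post or from OpenSSH. Toy known_hosts
# model: everything below (file format, names, keys, DNS answers) is constructed.

DEFAULT_PORT = 22

# Constructed file. The "name:port" form is this example's own convention,
# not an OpenSSH syntax; entries without a port apply to port 22.
KNOWN_HOSTS_TEXT = """\
myhost ssh-rsa KEY_OF_REAL_MYHOST_22
myhost.example.com ssh-rsa KEY_OF_REAL_MYHOST_22
myhost:2222 ssh-rsa KEY_OF_REAL_MYHOST_2222
"""

# Constructed resolver answers. An attacker who can spoof DNS replies can
# make the "canonical" name for myhost anything they like.
HONEST_DNS = {"myhost": "myhost.example.com"}
SPOOFED_DNS = {"myhost": "myhost.attacker.example"}


def parse_known_hosts(text):
    """Map (name, port) -> key string for each non-comment line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target, _keytype, key = line.split(None, 2)
        name, _, port = target.partition(":")
        entries[(name, int(port) if port else DEFAULT_PORT)] = key
    return entries


def check_host(entries, name, port, presented_key):
    """'ok' if the stored key matches, 'changed' if it differs (hard failure),
    'unknown' if there is no entry (trust-on-first-use prompt)."""
    stored = entries.get((name, port))
    if stored is None:
        return "unknown"
    return "ok" if stored == presented_key else "changed"


def lookup_by_typed_name(typed, port, presented_key, dns):
    """Check against the name the user typed; the resolver plays no part."""
    del dns  # intentionally unused: DNS cannot influence which entry is consulted
    return check_host(parse_known_hosts(KNOWN_HOSTS_TEXT), typed, port, presented_key)


def lookup_after_canonicalising(typed, port, presented_key, dns):
    """Resolve first, then check the canonical name (the behaviour the post objects to)."""
    canonical = dns.get(typed, typed)
    return check_host(parse_known_hosts(KNOWN_HOSTS_TEXT), canonical, port, presented_key)


def lookup_ignoring_port(typed, port, presented_key):
    """Key on the host name only, so every port must share one key."""
    del port  # intentionally unused: this is the hostname-only scheme
    return check_host(parse_known_hosts(KNOWN_HOSTS_TEXT), typed, DEFAULT_PORT, presented_key)


if __name__ == "__main__":
    attacker = "KEY_OF_ATTACKER"
    # Man-in-the-middle presenting its own key while spoofing DNS:
    print(lookup_by_typed_name("myhost", 22, attacker, SPOOFED_DNS))         # changed
    print(lookup_after_canonicalising("myhost", 22, attacker, SPOOFED_DNS))  # unknown
    # Second sshd on port 2222 with its own key:
    print(lookup_by_typed_name("myhost", 2222, "KEY_OF_REAL_MYHOST_2222", HONEST_DNS))  # ok
    print(lookup_ignoring_port("myhost", 2222, "KEY_OF_REAL_MYHOST_2222"))              # changed
```

The first pair of calls is the attack the post describes: with the typed name as the key, the attacker's key collides with the stored entry and the client must refuse; after canonicalisation the spoofed name has no entry at all, so the user sees only an ordinary unknown-host prompt. The second pair shows why a hostname-only key cannot express "a different sshd on port 2222".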
