find canonic host name [SECURITY VULNERABILITY]
Andrew Pimlott
andrew at pimlott.ne.mediaone.net
Wed Oct 4 04:30:42 EST 2000
On Mon, Oct 02, 2000 at 10:57:53PM -0400, Gregory Stark wrote:
> OpenSSH seems to have changed behaviour to canonicalize host names _before_
> looking up keys in known_hosts. This is BAD. AWFUL. TERRIBLE.
Thank you for bringing this up again. I'm disappointed that this
wasn't addressed last time. Is there another forum for security
issues with openssh? Should I contact OpenBSD?
One of the strong points of ssh (emphasized since the earliest
versions I ever used) is resistance to DNS spoofing. This principle
seems to have been disregarded in this case. Since nobody
identified any purpose for host name canonicalization, I suggest
simply deleting the code I referred to.
> Incidentally, my original debian bug report was that SSH should use the
> hostname/port pair as the key for known_hosts, not merely the hostname. Since
> each port could run an sshd with a different key. I would actually like an
> option in .ssh/config to specify the known_hosts key explicitly rather than
> use the hostname and ip address.
You must like typing ;)
Andrew
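
[Added example, not part of the original message and not OpenSSH code: a simplified model of the lookup order discussed in this thread, showing why the known_hosts lookup has to be keyed on the name the user typed rather than on a name returned by DNS. All host names, addresses, keys and function names are constructed assumptions.]

```python
# Simplified model of known_hosts lookup; not OpenSSH code.
# Host names, addresses and keys are constructed for illustration.

KNOWN_HOSTS = {
    "shell.example.org": "KEY-A",    # the host the user means to reach
    "other.example.net": "KEY-M",    # a different host accepted earlier
}

# Which key the server at each address presents (constructed).
SERVER_KEYS = {"192.0.2.10": "KEY-A", "198.51.100.66": "KEY-M"}


def honest_dns(name):
    """Return (canonical_name, address) as an untampered resolver would."""
    return {"shell.example.org": ("shell.example.org", "192.0.2.10")}[name]


def spoofed_dns(name):
    """Same interface, but the answer is forged: both fields are untrusted."""
    return ("other.example.net", "198.51.100.66")


def check_host_key(lookup_name, presented_key):
    """Compare the presented key with the known_hosts entry for lookup_name."""
    expected = KNOWN_HOSTS.get(lookup_name)
    if expected is None:
        return "unknown"
    return "ok" if expected == presented_key else "mismatch"


def connect(typed_name, resolver, canonicalize_first):
    """Model one connection; return (name used for lookup, check result)."""
    canonical, address = resolver(typed_name)
    presented = SERVER_KEYS[address]
    # The design choice under discussion: which name selects the known_hosts entry.
    lookup_name = canonical if canonicalize_first else typed_name
    return lookup_name, check_host_key(lookup_name, presented)


if __name__ == "__main__":
    for resolver in (honest_dns, spoofed_dns):
        for canonicalize_first in (True, False):
            print(resolver.__name__, canonicalize_first,
                  connect("shell.example.org", resolver, canonicalize_first))
```

With the forged answer, the canonicalize-first lookup reports "ok" for the wrong server, while the lookup keyed on the typed name reports "mismatch".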