Potential SSH2 exploit
Dave Dykstra
dwd at bell-labs.com
Fri Jan 11 06:40:29 EST 2002
I just noticed (at least on OpenSSH 3.0p1) that even though I have both RSA
and DSA keys available in sshd_config on a server, only a ssh-rsa line
shows up in known_hosts on the client side, not a ssh-dss line (that
priority may come from the fact that my RSA key is listed before my DSA key
in sshd_config). If I comment out the RSA key in sshd_config and restart
the server, then the next time the client connects it warns that a new key
is being added and adds a ssh-dss line to known_hosts.
Isn't that a potential opening for a man-in-the-middle exploit? Somebody
could take over a DNS name, offer only a DSA key, and forward traffic to
the real host. SSH users expect that once they've established the identity
of a host they're safe from man-in-the-middle exploits so they may gloss
over the warning of an additional key being added. Maybe the OpenSSH ssh
client should retrieve and store both kinds of host keys if they're missing
from known_hosts and the server has them available. I don't know if that
would take a protocol change or not but I doubt it because ssh-keyscan has
the ability to scan for both rsa and dsa keys at the same time (and be sure
to scan for both if you do use it!).
- Dave Dykstra
More information about the openssh-unix-dev
mailing list