Potential SSH2 exploit

Markus Friedl markus at openbsd.org
Fri Jan 11 20:00:50 EST 2002


On Thu, Jan 10, 2002 at 01:40:29PM -0600, Dave Dykstra wrote:
> I just noticed (at least on OpenSSH 3.0p1) that even though I have both RSA
> and DSA keys available in sshd_config on a server, only a ssh-rsa line
> shows up in known_hosts on the client side, not a ssh-dss line (that
> priority may come from the fact that my RSA key is listed before my DSA key
> in sshd_config).

no, it comes from 
	HostKeyAlgorithms ssh-rsa,ssh-dss

> If I comment out the RSA key in sshd_config and restart
> the server, then the next time the client connects it warns that a new key
> is being added and adds a ssh-dss line to known_hosts.

yes, ssh should always ask.

> Isn't that a potential opening for a man-in-the-middle exploit?

man-in-the-middle is always possible if ssh sees a new hostkey.

> Somebody
> could take over a DNS name, offer only a DSA key, and forward traffic to
> the real host.  SSH users expect that once they've established the identity
> of a host they're safe from man-in-the-middle exploits so they may gloss
> over the warning of an additional key being added.

i think keys should no longer be 'automatically added'.

they should not be 'automatically added' for the IP address,
if the key matches for the DNS name, but no key is known for
the IP address (Niels?).

> Maybe the OpenSSH ssh
> client should retrieve and store both kinds of host keys

not possible.

> if they're missing
> from known_hosts and the server has them available.

the client could say:
	server offers an unknown rsa key,
	but we already have a known dsa key.

> I don't know if that
> would take a protocol change or not but I doubt it because ssh-keyscan has
> the ability to scan for both rsa and dsa keys at the same time (and be sure
> to scan for both if you do use it!).

ssh-keyscan makes 2 connections if you request 2 different key types.



More information about the openssh-unix-dev mailing list
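
The warning sketched in the message above ("server offers an unknown rsa key, but we already have a known dsa key"), as an added example that is not part of the original message and is not OpenSSH's code: a Python check over plain (unhashed) known_hosts entries. The host name, key blobs, function names and result labels are constructed for illustration.

```python
# Constructed sample data: the client has stored only an ssh-rsa key,
# and only under the DNS name (no entry for the IP address).
RSA_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEMO1"   # constructed, not a real key
DSA_BLOB = "AAAAB3NzaC1kc3MAAACBAPDEMO2"           # constructed, not a real key
KNOWN_HOSTS = f"""\
# constructed known_hosts sample
server.example.org ssh-rsa {RSA_BLOB}
"""

def parse_known_hosts(text):
    """Return {host: {keytype: set(keyblobs)}} for plain (unhashed) entries."""
    known = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue                      # blank line or comment
        if fields[0].startswith(("@", "|1|")) or len(fields) < 3:
            continue                      # marker, hashed, or malformed entry
        hosts, keytype, blob = fields[:3]
        for host in hosts.split(","):
            known.setdefault(host, {}).setdefault(keytype, set()).add(blob)
    return known

def check_offered_key(known, host, keytype, blob):
    """Classify the key a server offers against what is already stored."""
    entry = known.get(host)
    if not entry:
        return "unknown-host"             # nothing stored: first contact
    if keytype in entry:
        return "match" if blob in entry[keytype] else "changed"
    # The case raised in the thread: a key type we have never seen for a
    # host whose identity we already pinned with a different key type.
    return "new-type-other-known"

def describe(known, host, keytype, blob):
    """Human-readable warning for the mixed-key-type case, else the label."""
    result = check_offered_key(known, host, keytype, blob)
    if result == "new-type-other-known":
        have = ", ".join(sorted(known[host]))
        return (f"server offers an unknown {keytype} key for {host}, "
                f"but we already have a known key of type: {have}")
    return result

if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    print(describe(known, "server.example.org", "ssh-dss", DSA_BLOB))
    print(describe(known, "192.0.2.10", "ssh-rsa", RSA_BLOB))
```

A result of `new-type-other-known` is the situation where a more specific prompt than "new key being added" is warranted, since the host was already pinned with another key type.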