Potential SSH2 exploit

Markus Friedl markus at openbsd.org
Fri Jan 11 23:24:40 EST 2002


On Fri, Jan 11, 2002 at 07:14:20AM -0500, Peter W wrote:
> On Fri, Jan 11, 2002 at 10:00:50AM +0100, Markus Friedl wrote:
> > On Thu, Jan 10, 2002 at 01:40:29PM -0600, Dave Dykstra wrote:
> 
> > > Maybe the OpenSSH ssh
> > > client should retrieve and store both kinds of host keys
> > 
> > not possible.
> 
> Well, there *could* be logic like this, right?

won't happen.

>  if ( key host presents is new ) {
>     /* we don't know this host, or something has changed, e.g.
>        maybe they've upgraded from SSH 1.5 to SSH 1.5/2, and now
>        we're seeing the SSH 2 key b/c we prefer protocol 2 --
>        see how many unknown keys the server offers */
>     foreach keytype we support {
>        if ( we don't have such a key for this host ) {
>            make a bogus/keyscan connection, 

no, you don't want to do all the algorithm
negotiation again.

>            show user the fingerprint,
>            ask if the key should be cached
>        }
>     }
>   }

i'd rather have
	if (key is new) {
		print all known keys for this host
		ask if key should be accepted.
	}

> But I fear that's a bad idea. It would use more bandwidth, you'd
> be showing the user three diff fingerprints each time, even though
> in most cases they'd never, ever connect w/ anything other than
> their preferred SSH revision & the server's preferred key, and then
> there's the question of DSA keys & random number generators, right?

> Clients should warn about unknown/changed keys (as OpenSSH does) and
> users should pay attention to those warnings.

yes, since OpenSSH already warns, i don't see a big issue here.
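
The alternative proposed in this message (if the presented key is new, print all keys already known for the host, then ask) can be sketched as follows. This is an added example, not code from the original message or from OpenSSH; the function names, the constructed known_hosts content and the SHA256 fingerprint display format are assumptions.

```python
import base64
import hashlib

def blob(label):
    # Constructed stand-in for a base64 public key blob; not a real key.
    return base64.b64encode(label.encode()).decode()

# Constructed known_hosts content (plain, unhashed host names).
KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    f"server.example.org,192.0.2.10 ssh-rsa {blob('rsa-key-A')}",
    f"server.example.org ssh-dss {blob('dsa-key-A')}",
    f"other.example.org ssh-rsa {blob('rsa-key-B')}",
])

def fingerprint(b64):
    # Hash of the decoded key blob, base64 without padding.
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def known_keys(known_hosts, host):
    """Return [(keytype, b64)] for every entry that names host."""
    found = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.lstrip().startswith("#"):
            continue  # skip comments, blanks and malformed lines
        names, keytype, b64 = fields[:3]
        if host in names.split(","):
            found.append((keytype, b64))
    return found

def check_host_key(known_hosts, host, keytype, b64):
    """Classify the presented key and collect what to show the user."""
    known = known_keys(known_hosts, host)
    shown = [(t, fingerprint(k)) for t, k in known]
    if (keytype, b64) in known:
        return "match", shown
    if any(t == keytype for t, _ in known):
        return "changed", shown  # same type, different key: warn loudly
    return "new", shown          # unseen type: list known keys, then ask

if __name__ == "__main__":
    status, shown = check_host_key(
        KNOWN_HOSTS, "server.example.org", "ssh-ed25519", blob("ed-key-A"))
    print(status)
    for keytype, fp in shown:
        print(f"  already known: {keytype} {fp}")
```

Listing the already-known keys lets the user see that a "new" key belongs to a host they have accepted before under another key type, which separates a protocol upgrade from a first contact.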



More information about the openssh-unix-dev mailing list