Potential SSH2 exploit

Dave Dykstra dwd at bell-labs.com
Sat Jan 12 09:51:56 EST 2002


On Fri, Jan 11, 2002 at 10:00:50AM +0100, Markus Friedl wrote:
> On Thu, Jan 10, 2002 at 01:40:29PM -0600, Dave Dykstra wrote:
...
> > Maybe the OpenSSH ssh
> > client should retrieve and store both kinds of host keys
> 
> not possible.

Not without a protocol change at least.


On Fri, Jan 11, 2002 at 10:08:58AM +0100, Markus Friedl wrote:
> On Thu, Jan 10, 2002 at 01:40:29PM -0600, Dave Dykstra wrote:
> > I comment out the RSA key in sshd_config and restart
> > the server, then the next time the client connects it warns that a new key
> > is being added and adds a ssh-dss line to known_hosts.
> 
> Are you sure that ssh just warns and automatically adds the key?
> 
> I get this:
> 
> % ssh  bla -p1234
> The authenticity of host 'bla (10.1.1.1)' can't be established.
> DSA key fingerprint is 5a:c9:15:95:a2:4f:0a:42:99:8c:63:92:06:36:b4:8d.
> Are you sure you want to continue connecting (yes/no)? ^C
> % 

Right, I wasn't trying to imply that the warning didn't include a prompt.
That's what it would do unless you have StrictHostKeyChecking=no in which
case it skips the prompt.


> So I don't see a new potential for a MITM attack,
> MITM is always possible if ssh says:
> 	The authenticity of host 'XXXX' can't be established.
> 
> (however, ssh could try to list all known keys for this host)

That would be of some help; make the warning stronger if there is a known
key of another type.  Hey, for that matter why not print out the big
warning that somebody could be doing something nasty?  It's really no
different if somebody has exchanged one RSA key for another than if they've
exchanged one RSA key for a DSA key.  Right?  That would be a simple fix.

- Dave
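
The check suggested at the end of the message above (a stronger warning when the host already has a known key of another type), as an added example that is not part of the original post and is not OpenSSH's code. The function names, the result labels and the sample known_hosts entries are assumptions made for illustration; wildcard and negated host patterns are not handled.

```python
import base64, hashlib, hmac

# Constructed sample known_hosts text; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# constructed example
bla,10.1.1.1 ssh-rsa AAAAconstructedRSAblob
other.example ssh-dss AAAAconstructedDSAblob
"""

def host_matches(host_field, host):
    """True if host matches one entry of a comma-separated known_hosts host field."""
    for pat in host_field.split(","):
        if pat.startswith("|1|"):
            # Hashed entry: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))
            try:
                _, _, salt, digest = pat.split("|")
                mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
                if hmac.compare_digest(mac, base64.b64decode(digest)):
                    return True
            except ValueError:
                continue  # malformed hashed entry: ignore it
        elif pat == host:
            return True
    return False

def known_keys(text, host):
    """Return [(keytype, blob)] recorded for host; comments and @marker lines are skipped."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith(("#", "@")):
            if host_matches(fields[0], host):
                keys.append((fields[1], fields[2]))
    return keys

def classify(text, host, offered_type, offered_blob):
    """Decide which warning an offered host key deserves (labels are this example's own)."""
    keys = known_keys(text, host)
    if (offered_type, offered_blob) in keys:
        return "match"
    if any(t == offered_type for t, _ in keys):
        return "changed"           # same type, different key
    if keys:
        return "other-type-known"  # new type for a host that already has a key on file
    return "unknown"               # no key of any type on file

if __name__ == "__main__":
    print(classify(SAMPLE_KNOWN_HOSTS, "bla", "ssh-dss", "AAAAconstructedNewDSA"))
```

Only the "unknown" result corresponds to a host seen for the first time; "other-type-known" is the case where the thread proposes a stronger warning than the plain first-contact prompt.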



More information about the openssh-unix-dev mailing list