known_hosts vulnerability?
Carson Gaspar
carson at taltos.org
Thu May 19 06:39:02 EST 2005
--On Wednesday, May 18, 2005 02:30:38 PM -0500 "Gabriel M. Elder"
<eldergabriel at charter.net> wrote:
> Hey all,
>
> I came across a security news article, referenced by
> http://www.linux.org/news, at
>
> http://www.techworld.com/security/news/index.cfm?NewsID=3668
>
> talking about an SSH weakness involving the known_hosts file. I
> apologize if this issue has already been addressed, but the mailing list
> archives didn't turn up anything when i tried searching for something
> relevant. So; not to knee-jerk or anything, but is anyone currently
> looking into this? Does this need to be addressed, or has it already
> been taken care of? Offhand, on a scale of 0 - 11, this would seem to
> rate kinda high, ~7. Am i off-base?
It's about a 1. If someone breaks into your machine with an older version
of SSH, they can get a list of hosts you've connected to. Whoopee. Unless
you scrub your .bash_history (or equivalent), you're already exposed to
this. More FUD from "security" stories.
The real solution is to stop using known_hosts files. There are some
patches floating around that do this for X.509 certs, and it's possible
with GSSAPI already (I think...). It would be really nice to get LDAP or
DNSSEC support, but I don't think there are current patches for either.
--
Carson Gaspar
--
Carson Gaspar
More information about the openssh-unix-dev
mailing list