known_hosts vulnerability?

Jefferson Ogata Jefferson.Ogata at noaa.gov
Thu May 19 08:27:56 EST 2005


Carson Gaspar wrote:
> --On Wednesday, May 18, 2005 02:30:38 PM -0500 "Gabriel M. Elder"
> <eldergabriel at charter.net> wrote:
>> I came across a security news article, referenced by
>> http://www.linux.org/news, at
>>
>> http://www.techworld.com/security/news/index.cfm?NewsID=3668
>>
>> talking about an SSH weakness involving the known_hosts file. I
>> apologize if this issue has already been addressed, but the mailing list
>> archives didn't turn up anything when i tried searching for something
>> relevant. So; not to knee-jerk or anything, but is anyone currently
>> looking into this? Does this need to be addressed, or has it already
>> been taken care of? Offhand, on a scale of 0 - 11, this would seem to
>> rate kinda high, ~7. Am i off-base?
> 
> It's about a 1. If someone breaks into your machine with an older
> version of SSH, they can get a list of hosts you've connected to.
> Whoopee. Unless you scrub your .bash_history (or equivalent), you're
> already exposed to this. More FUD from "security" stories.

This is a real problem. It is not FUD. If you ever actually watch what
intruders do when they get onto a system, you'll realize that
known_hosts is very beneficial to them in terms of widening the scope of
a compromise. It's one of the first things they go for. Yes, eventually
the intruder can discover the same information, but there is good value
in providing measures that slow down the growth of an intrusion once it
happens. A lot of intruders are surprisingly lazy, if not totally
ignorant, and there's nothing wrong with taking advantage of that.

And many people do scrub their .bash_histories, BTW.

> The real solution is to stop using known_hosts files. There are some
> patches floating around that do this for X.509 certs, and it's possible
> with GSSAPI already (I think...). It would be really nice to get LDAP or
> DNSSEC support, but I don't think there are current patches for either.

Actually, putting hashes in known_hosts is not a bad solution, at least
until everyone has his own CA or DNSSEC signing key.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
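The hashed known_hosts entries Ogata points to above, as an added example (not code from the thread or from OpenSSH): with HashKnownHosts the host field becomes `|1|<salt>|<hmac-sha1>`, so the file still verifies a host you connect to but no longer reads as a list of targets. The sample file and the placeholder keys are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional


def hash_known_host(hostname: str, salt: Optional[bytes] = None) -> str:
    """Host field of a hashed entry: |1|<base64 salt>|<base64 HMAC-SHA1(salt, host)>."""
    if salt is None:
        salt = os.urandom(20)  # 20-byte salt, the SHA-1 digest length ssh uses
    # For non-default ports ssh hashes "[host]:port" instead of the bare name.
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                            base64.b64encode(digest).decode())


def host_field_matches(host_field: str, hostname: str) -> bool:
    """Does a known_hosts host field (hashed or clear text) name `hostname`?"""
    if not host_field.startswith("|1|"):
        return hostname in host_field.split(",")  # clear text: comma-separated names
    _, _, salt_b64, digest_b64 = host_field.split("|")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)  # constant-time compare


def cleartext_hosts(known_hosts: str) -> List[str]:
    """Host names readable straight out of the file: the exposure the thread describes."""
    exposed = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @cert-authority / @revoked marker precedes the host field
            line = line.split(None, 1)[1]
        host_field = line.split(None, 1)[0]
        if not host_field.startswith("|1|"):
            exposed.extend(host_field.split(","))
    return exposed


# Constructed sample: one clear-text line, one hashed line; key blobs are placeholders.
SAMPLE = "\n".join([
    "bastion.example.net,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER",
    hash_known_host("db.internal.example.net") + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_PLACEHOLDER",
])
```

Running `cleartext_hosts(SAMPLE)` returns only the clear-text names, while `host_field_matches` still confirms the hashed line for `db.internal.example.net`.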