Regarding Pubkey Enumeration

Damien Miller djm at mindrot.org
Sat Jan 21 23:53:32 EST 2012


On Sat, 21 Jan 2012, Ángel González wrote:

> Isn't that public key also sent in SSH2_MSG_USERAUTH_REQUEST?

That's the packet that contains the public key when authenticating or
testing whether a key has a chance of being accepted.

> When you connect to a low-trust server, it could be enumerating the presented
> public key identities, and then testing if any of those is accepted by a
> target server.

First, this attack would work without public key confirmation. Your client
would still need to try every key that it knows about to connect, and your
compromised server would have the same opportunity to collect them. The
most that turning off key compromisation might buy you in this situation
is to provide a little more pressure on users who need to enter PINs or
use key confirmation ("ssh-add -c") to explicitly configure which keys
are used by annoying them with more PIN/confirm dialogs.

You can already limit which identities are used in public key authentication
by setting IdentityFile(s) for a particular host. If you don't like the idea
of keys in your agent being sprayed around, then the mechanism already exists
to avoid it.

> Suppose that there is a page criticizing a technologic company, which
> suspects it's run by one of its multiple employees. The company could
> test the server with the public keys of their employees until it finds
> one that matches. Even if he used a different public key, the company
> server could fetch keys not copied to it from the user agents to find
> it out (this assumes the username is known and IdentitiesOnly wasn't
> set).

If the company has access to the user's ssh-agent then it is game
over anyway - they have the private keys. 

-d
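
The per-host IdentityFile and IdentitiesOnly settings mentioned in this thread can be audited mechanically. The following is an added example, not part of the original message or of OpenSSH: it resolves both options for a host using ssh_config's rules (first obtained value wins, IdentityFile lines accumulate) and lists hosts where identities beyond the configured files may still be offered. The config text, host names and key paths are constructed placeholders, and Match blocks are skipped rather than evaluated.

```python
import fnmatch
import re

# Constructed sample ssh_config; host names and key paths are placeholders.
SAMPLE_CONFIG = """\
Host lowtrust.example.org
    IdentityFile ~/.ssh/id_lowtrust
    IdentitiesOnly yes
Host build-*.example.net !build-old.example.net
    IdentityFile ~/.ssh/id_build
Host *
    IdentitiesOnly no
"""

def parse_blocks(text):
    """Split config text into (host_patterns, [(keyword, value), ...]) blocks."""
    blocks = [(["*"], [])]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        m = re.match(r"(\w+)\s*=?\s*(.*)", raw.strip())
        if not m:  # blank line or comment
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), []))
        elif key == "match":
            blocks.append(([], []))  # assumption: Match blocks are skipped
        else:
            blocks[-1][1].append((key, value))
    return blocks

def host_matches(patterns, host):
    """A block applies if a positive pattern matches and no negated ("!") one does."""
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def identity_exposure(text, host):
    """Return (identities_only, identity_files) as resolved for host."""
    identities_only, files = None, []
    for patterns, options in parse_blocks(text):
        if host_matches(patterns, host):
            for key, value in options:
                if key == "identitiesonly" and identities_only is None:
                    identities_only = value.lower() == "yes"  # first value wins
                elif key == "identityfile":
                    files.append(value)  # multiple IdentityFile lines accumulate
    return bool(identities_only), files

def hosts_offering_agent_keys(text, hosts):
    return [h for h in hosts if not identity_exposure(text, h)[0]]
```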


More information about the openssh-unix-dev mailing list