Anti-MITMA method of Samy Kamkar

Nico Kadel-Garcia nkadel at gmail.com
Thu Aug 4 13:14:24 EST 2011


On Wed, Aug 3, 2011 at 7:05 PM, U.Mutlu <um at mutluit.com> wrote:
> Hi, I wonder if OpenSSH has the following method
> against MITMA already implemented or not:
>
> "
> Anti-MITMA: Preventing Man in the Middle Attacks
>
> Code at http://samy.pl/anti-mitma.pdf
> I've described a simple method for authentication based protocols
> (e.g., ssh) to prevent man in the middle attacks. Rather than
> establishing a potentially MITMA'd connection, then authenticating,
> you can authenticate the initial key exchange. More details in the pdf.
> posted on October 15, 2009
> "
> (Found at http://samy.pl/code/ )

A lot of the more successful "man-in-the-middle" attacks against
OpenSSH or SSH are based on stealing the host keys of the server.
(This may be authorized in some environments.) And given the lack of
any authentication, or even expiration, of host keys themselves, I'm
unclear that this will prove a significant benefit in environments
where the client does not already have a valid host key saved. Would
they wind up being presented with an incorrect but consistent host key
in such a situation, one that most users would accept by default?
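
As an added illustration (not part of the original post, and not OpenSSH code), the sketch below classifies a presented host key against a known_hosts file the way a trust-on-first-use client does. The `unknown` result is the first-contact case raised above, where the client has no saved key to compare against. Host names, keys and the salt are constructed sample values; wildcard patterns and `@` marker lines are not handled.

```python
import base64, hashlib, hmac

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field: comma list, or hashed |1|salt|hmac."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        calc = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
        return hmac.compare_digest(calc.digest(), base64.b64decode(mac))
    return host in field.split(",")  # wildcard patterns are not handled

def check_host_key(known_hosts, host, key_type, key_b64):
    """Classify a presented host key as 'match', 'changed' or 'unknown'."""
    seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # blanks, comments, @marker lines (skipped here)
        if parts[1] == key_type and host_matches(parts[0], host):
            if parts[2] == key_b64:
                return "match"
            seen = True  # a different key is already pinned for this host
    return "changed" if seen else "unknown"

def sample_blob(seed):
    """Constructed ssh-ed25519 blob for the demo; not a real host key."""
    key = hashlib.sha256(seed).digest()
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + key
    return base64.b64encode(raw).decode()

# Constructed sample data: one plain entry and one hashed entry.
SAVED, ROGUE = sample_blob(b"server"), sample_blob(b"attacker")
SALT = base64.b64encode(b"constructed-salt-20b").decode()
MAC = base64.b64encode(
    hmac.new(b"constructed-salt-20b", b"db.example.com", hashlib.sha1).digest()
).decode()
KNOWN_HOSTS = (f"# constructed sample\nhost.example.com,192.0.2.10 ssh-ed25519 {SAVED}\n"
               f"|1|{SALT}|{MAC} ssh-ed25519 {SAVED}\n")

if __name__ == "__main__":
    for host, key in [("host.example.com", SAVED), ("host.example.com", ROGUE),
                      ("db.example.com", ROGUE), ("new.example.com", ROGUE)]:
        print(host, check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key),
              fingerprint(key))
```

Only the `unknown` case leaves the decision to the user; comparing the printed fingerprint with one obtained out of band is the check available at that point.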

