On Fri, Sep 05, 2003 at 08:25:50PM -0700, James A. Donald wrote:
Eric Murray:
..which means that it [ssh-- ericm] still requires an OOB authentication (or blindly typing 'yes' and ignoring the consequences). But that's another subject.
James A. Donald:
Not true. Think about what would happen if you tried a man in the middle attack on an SSH server.
On 5 Sep 2003 at 10:47, Eric Murray wrote:
you'd get the victim's session:
No you will not, because the "victim"'s ssh client will immediately detect that the uncertified public key is different from the last time he logged in
By checking the key against the IP address of the server. This is easily spoofed. The links I included in my last post pointed to a tool to do just that (plus MITM the ssh protocol).

But even worse, there is no way to ensure that the key the client has is really the server's key in the first place. The client gets that key the first time it connects. The user is shown a fingerprint of the key and asked to type 'yes' if the user thinks that it's the server's key. What the user is supposed to do here is to have obtained the key or its fingerprint in a secure fashion outside the ssh protocol. But very few people do. They just type 'yes' and accept it. Hence my original statement.

This makes a MITM attack easy: the attacker simply needs to have his attack in place when the victim expects the server to have a new key. He gives his key in place of the server's key, the victim never checks, and away we go.

Certificates have their own problems, but bare public keys are weak unless your system provides a good usable OOB authentication. SSH as normally used doesn't.

Eric
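An added example, not part of the thread above, showing the check the post says users skip: parsing a known_hosts entry, deriving the fingerprint the client displays, and comparing it against a fingerprint obtained out-of-band instead of typing 'yes'. The key material and host names are constructed for the example; the SHA256 and MD5 fingerprint formats follow OpenSSH's conventions.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_public_key: bytes) -> bytes:
    """Build the wire-format key blob that a known_hosts entry stores base64-encoded."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def parse_known_hosts_line(line: str):
    """Return (hostnames, key type, raw key blob) for one known_hosts line."""
    hosts, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])  # the blob carries its own type string
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in entry does not match key blob")
    return hosts.split(","), key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, as older clients displayed it."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def verify_host_key(line: str, expected_fingerprint: str) -> bool:
    """True only if the presented key matches the fingerprint obtained out-of-band."""
    _, _, blob = parse_known_hosts_line(line)
    if expected_fingerprint.startswith("MD5:"):
        return hmac.compare_digest(fingerprint_md5(blob), expected_fingerprint)
    return hmac.compare_digest(fingerprint_sha256(blob), expected_fingerprint)


# Constructed sample: a fake 32-byte ed25519 public key, not any real server's key.
SAMPLE_KEY = make_ed25519_blob(bytes(range(32)))
SAMPLE_LINE = "example.invalid,192.0.2.10 ssh-ed25519 " + base64.b64encode(SAMPLE_KEY).decode()
# A different constructed key, standing in for the substituted key in the MITM scenario.
OTHER_LINE = "example.invalid,192.0.2.10 ssh-ed25519 " + base64.b64encode(make_ed25519_blob(bytes(range(1, 33)))).decode()
```

The point is that the comparison is against a value the user got from somewhere other than the connection itself; a key change that was not announced out-of-band fails the check rather than being accepted.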