more SSH MITM

Eric Murray ericm at lne.com
Sat Sep 6 08:17:57 PDT 2003


On Fri, Sep 05, 2003 at 08:25:50PM -0700, James A. Donald wrote:

> Eric Murray:
> > > > ..which means that it [ssh-- ericm] still requires an OOB 
> > > > authentication. (or blindly typing 'yes' and ignoring
> > > > the consequences). But that's another subject.
> 
> James A. Donald:
> > > Not true.   Think about what would happen if you tried a
> > > man in the middle attack on an SSH server.
> 
> On 5 Sep 2003 at 10:47, Eric Murray wrote:
> > you'd get the victim's session:
> 
> No you will not, because the "victim"'s ssh client will
> immediately detect that the uncertified public key is different
> from the last time he logged in


By checking the key against the IP address of the server.
This is easily spoofed.  The links I included in my last post
pointed to a tool to do just that (plus MITM the ssh protocol).

But even worse, there is no way to ensure that the key
the client has is really the server's key in the first place.
The client gets that key the first time it connects....the
user is shown a fingerprint of the key and asked to
type 'yes' if the user thinks that it's the server's key.

What the user is supposed to do here is to have obtained
the key or its fingerprint in a secure fashion outside
the ssh protocol.  But very few people do.  They
just type 'yes' and accept it.  Hence my original statement.

This makes a MITM attack easy: the attacker simply needs to have his
attack in place when the victim expects the server to have a new key.
He gives his key in place of the server's key, the victim never checks,
and away we go.


Certificates have their own problems, but bare public keys are weak
unless your system provides a good useable OOB authentication.
SSH as normally used doesn't.


Eric
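
The out-of-band check described above, as an added example that is not part of the original post: it computes the fingerprint of the key a server offers and accepts it only if it equals a fingerprint obtained outside the ssh protocol. The function names, the host `server.example` and both sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct

def parse_key_line(line):
    """Return (key_type, blob) from a known_hosts or .pub style line."""
    fields = line.split()
    for ktype, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # this field is not base64, so not the key blob
        if len(blob) < 4:
            continue
        (n,) = struct.unpack(">I", blob[:4])
        # The blob starts with its own length-prefixed key type; it must agree.
        if blob[4:4 + n] == ktype.encode():
            return ktype, blob
    raise ValueError("no well-formed SSH public key on this line")

def fingerprint(blob, algo="sha256"):
    """Fingerprint of the raw key blob in the two formats OpenSSH prints."""
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":
        return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    raise ValueError("unsupported fingerprint algorithm")

def key_matches(offered_line, oob_fingerprint):
    """True only if the offered key hashes to the out-of-band fingerprint."""
    _, blob = parse_key_line(offered_line)
    oob = oob_fingerprint.strip()
    if oob.startswith("SHA256:"):
        return fingerprint(blob, "sha256") == oob
    if oob.startswith("MD5:"):
        oob = oob[4:]
    return fingerprint(blob, "md5") == oob.lower()

def sample_line(host, seed):
    """Constructed sample: a well-formed ssh-ed25519 line, not a real key."""
    ktype = b"ssh-ed25519"
    pub = hashlib.sha256(seed).digest()  # 32 stand-in bytes for the public key
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(pub)) + pub
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

GENUINE = sample_line("server.example", b"genuine host key")
SUBSTITUTED = sample_line("server.example", b"key offered by someone else")
OOB_FP = fingerprint(parse_key_line(GENUINE)[1])  # as handed over out of band

if __name__ == "__main__":
    print("genuine key accepted:    ", key_matches(GENUINE, OOB_FP))
    print("substituted key accepted:", key_matches(SUBSTITUTED, OOB_FP))
```

The comparison is only as trustworthy as the channel that delivered `OOB_FP`; a fingerprint read from the same connection that offered the key proves nothing.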




