
Re: known_hosts vulnerability?

Subject: Re: known_hosts vulnerability?
Date: Thu, 19 May 2005 08:02:47 +1000
Gabriel M. Elder wrote:
> Hey all,
>
> I came across a security news article, referenced by
> http://www.linux.org/news, at
>
> http://www.techworld.com/security/news/index.cfm?NewsID=3668
>
> talking about an SSH weakness involving the known_hosts file. I
> apologize if this issue has already been addressed, but the mailing list
> archives didn't turn up anything when I tried searching for something
> relevant. So, not to knee-jerk or anything, but is anyone currently
> looking into this? Does this need to be addressed, or has it already
> been taken care of? Offhand, on a scale of 0 - 11, this would seem to
> rate kinda high, ~7. Am I off-base?

It is a problem mainly for large educational facilities and labs, where users use weak authenticators (same passwords, password-less public keys, etc) on multiple hosts. In these cases, an attacker (or their worm) could use the known_hosts file as a hit-list of other hosts to try.

I think some of the publicity is a little overblown because the same
information is available from many other sources: shell histories,
netstat or ps output, etc. Furthermore, if an account is already
compromised, then there are far more effective ways for a worm to gain
access to other accounts (e.g. fudge $PATH to contain a trojan ssh that
steals account/password/host information directly).

Anyway, we implemented the HashKnownHosts (see "man ssh") to address
this. Admins should be aware that this doesn't make the problem go away,
but it does make the attack harder (hopefully too hard for a worm).

> From the article: "a known_hosts hashing scheme proposed by MIT has been
> implemented in OpenSSH 4.0 and in a patch for earlier versions of SSH".
> Looking at my own ~/.ssh/known_hosts file, the entries appear to be
> encrypted, by default; I assume this is a Good Thing. Installed ssh
> package = openssh-server-3.9p1-8.0.1. Shall I now resume my warm fuzzies
> and assume all is snug and secure in openssh-land?

No - unless your admins have modified 3.9p1 for you, your file probably looks like:

hostname ssh-rsa AAAAAPO7JD765SPF2OJ337FSAPSO...

This change is about hashing "hostname" so no one can tell what hosts you
have visited.

-d
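The hostname hashing the reply describes, as an added example that is not part of the original message or of OpenSSH's own code. It follows the hashed known_hosts field layout OpenSSH uses (`|1|` + base64 salt + `|` + base64 HMAC-SHA1 of the hostname keyed with that salt); the helper names and the sample line are mine.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # prefix OpenSSH puts on a hashed hostname field

def hash_hostname(hostname, salt=None):
    """Hashed form of one name as HashKnownHosts writes it:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    # A fresh random salt per entry: two entries for the same host do not
    # even share a hash field, so they cannot be correlated either.
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC, base64.b64encode(salt).decode(),
                        base64.b64encode(digest).decode())

def hostname_matches(hashed_field, hostname):
    """The lookup ssh does on connect: recompute the HMAC with the stored
    salt and compare. Without a candidate name there is nothing to reverse."""
    if not hashed_field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, digest_b64 = hashed_field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return False
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)

def hash_known_hosts_line(line, salt=None):
    """Rewrite a plaintext line such as 'host,10.0.0.5 ssh-rsa AAAA...' into
    hashed lines. A hash field covers one name, so comma-separated aliases
    become one line per name; comments and hashed lines pass through."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#|":
        return [stripped] if stripped else []
    marker = ""
    if stripped.startswith("@"):  # @cert-authority / @revoked marker
        marker, _, stripped = stripped.partition(" ")
        marker += " "
    fields = stripped.split(None, 1)
    if len(fields) != 2:
        return [marker + stripped]
    hosts, keypart = fields
    return ["%s%s %s" % (marker, hash_hostname(h, salt), keypart)
            for h in hosts.split(",") if h]
```

Note that the hash hides the name only from a reader without a guess: anyone holding a candidate hostname can still confirm it with `hostname_matches`, which is why the reply says the option makes the hit-list attack harder rather than impossible.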
