Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Question on DNS spoofing and CheckHostIP

from [Robert Hajime Lanning] Network Security [Permanent Link]
Subject: Re: Question on DNS spoofing and CheckHostIP
Date: Wed, 11 Apr 2007 11:31:42 -0700
On 4/10/07, Jithesh Kaveetil <jitheshk@gmail.com> wrote: 
Consider this situation:
hostA is IP address is 1.2.3.4
known_hosts file in hostB has entry for hostA, as below:
hostA,1.2.3.4 ssh-rsa <key......>

From hostB, I execute
ssh myuser@hostA

Let us say, there is DNS spoofing and hence I get connected to a different host. 

DNS is spoofed, you get a different IP address.


ssh will try to search in the known_hosts for an entry corresponding
to hostA. It tries to match the key found with what was given by the
remote end. There is key mismatch and user is informed.
In such a case, regular host name checking was enough to detect the
DNS spoofing. The IP address check did not even come into picture.


You are missing the step of comparing the IP address you are connecting
to with the IP address listed in the known_hosts for the hostA entry.


If at all, the remote end had the correct keys, then both host name
and IP address check would have passed. Here, the IP address check
does not give any additional security.


So with CheckHostIP yes, The key and the IP must match the hostA
entry in the known_hosts, not just the key.


In summary, I am not able to understand the additional benefits in
doing 'CheckHostIP'.

Your comments on this would really help.

regards,
-Jithesh



--
And, did Galoka think the Ulus were too ugly to save?
                                        -Centauri

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Question on DNS spoofing and CheckHostIP, Jithesh Kaveetil
Next by Date:  sftp status error/status code, alan . cline
Previous by Thread:  Question on DNS spoofing and CheckHostIP, Jithesh Kaveetil
Next by Thread:  sftp status error/status code, alan . cline
Indexes:  [Date] [Thread] [Top] [All Lists]