SSH Risk from known_hosts?




Author: TonyLawrence
Date: Wed May 18 11:51:50 2005
Subject: SSH Risk from known_hosts?

Copyright May 2005 TonyLawrence

An MIT researcher thinks there is a big problem in ssh: http://www.techworld.com/security/news/index.cfm?NewsID=3668

I don't see it. This whole concept starts with a compromised machine. Duh: when a machine is compromised, all sorts of information about other machines it knows about is exposed. Getting the public keys from known_hosts isn't particularly useful in itself; public keys are, after all, *public* keys. Much more dangerous is the exposure of the private key counterparts. Combine the two, and yes, you may have an easy path to another machine.

I get the sense that what they are really talking about here is the danger from distributed credentials, a subject we've touched on here more than once: making it easy for the pointy eared boss and the other technically inept folk always affects security, and ssh is no different in that regard.

Maybe I'm missing something, but to my mind, a compromised box presents risk to other machines for a lot of reasons, and ssh is just one, and even that isn't necessarily an issue if you don't have other machines accepting public key authentication.



8 comments


Thu May 19 12:58:31 2005:   drag


I think specifically about the known hosts is that it allows an attacker to find out what the identification keys are for commonly used servers, then be able to use that information to set up a fake server, through a DNS spoof or something like that, where a person's client would think that it's the normal ssh server because the identification information is correct.

It's sort of like the SSL thing where your browser will tell you if the server you're logged into has the correct credentials, except with ssh this 'flaw' can be used to create fake credentials so that you may end up trusting the server when you really shouldn't. You ssh in, the client checks the known_hosts file, finds out that it is correct, and you give it your password, and now your account has been compromised.

It's a small flaw, and would be immaterial by itself, but combined with other flaws.. like an incorrect DNS setup and readable home directories, it can cause issues. But like they said, it's going to be fixed in ssh version 4.





Thu May 19 19:45:33 2005:   TonyLawrence

You need the private key too.. but if the machine has been hacked, that's probably easy enough. I just don't understand why make a big fuss about readable known_hosts on a hacked machine??



Thu May 26 00:00:12 2005:   anonymous


You are using passphrases, aren't you? With this added feature (that takes more effort to ignore than to use), even if the black hat has the public and private versions of the key, he/she is still missing the final key to being able to use them: the passphrase.







Thu May 26 00:02:51 2005:   TonyLawrence

Exactly. So what am I missing? Or is this maybe a Microsoft FUD piece?



Tue Jun 21 15:27:17 2005:   anonymous


"Pointy eared boss"? Sounds like an unholy cross-breeding of Dilbert with Star Trek. And I stress the word UNHOLY. Ugh.



Wed Jun 22 20:33:16 2005:   TonyLawrence

Put stuff in my head and you never know what will come out.. :-)

Yes, I was thinking of Dilbert but somehow got Spock's ears mixed in.. a mind is a terrible thing to have..



Fri Jan 12 04:47:54 2007:   geofftatmitedu


Um. The problem he's describing is that they know what hosts to spend their time brute-forcing. It simply reveals the names and IPs of the hosts, not anything cryptographically important. (Indeed, the public key in theory cannot be used to compromise the server's private key.)

If hackers start port-scanning and find that linux.mit.edu runs SSH, they'll perhaps try root and guest and perhaps common names like joe and fred, and then give up (since none of those usernames exist, IIRC). But if they root my laptop, and see that my username is geofft, they'll try brute-forcing the account named geofft and use that to get a shell on the second target. And even if they don't see geofft (my local account is geoffrey), they'll know that linux.mit.edu is a worthwhile target with some number of usernames, and perhaps scour more to guess at some usernames to use.

So 1) they know what some real SSH servers are, and 2) they know where these servers are accessed from (and usually have root on the machines accessing them), which gives them quite a bit of info to work from.
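The exposure geofft describes above, and the fix drag mentions earlier in the thread ("fixed in ssh version 4"), come down to how the host field of a known_hosts line is stored. OpenSSH 4.0 added HashKnownHosts (and `ssh-keygen -H`), which replaces each plaintext host name with `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))|`: someone reading the file no longer learns which hosts you connect to, while the client can still check a host it already knows by recomputing the HMAC with the stored salt. The following is an added example written for this page, not code from OpenSSH or from anyone in the thread; it audits a constructed known_hosts body for plaintext hosts, rewrites it in the hashed format, and shows the lookup a client performs. The key blobs in the sample are placeholders, not real keys.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample known_hosts body. The key material is a placeholder,
# not a real public key; only the host field matters for this example.
SAMPLE_KNOWN_HOSTS = """\
# plaintext entries: anyone who can read this file learns the hostnames
linux.example.edu,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCPLACEHOLDER1
[git.example.org]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2
"""


def hash_host(hostname: str, salt: bytes) -> str:
    """Build the hashed host field in OpenSSH's HashKnownHosts format:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))|"""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}|".format(base64.b64encode(salt).decode(),
                              base64.b64encode(digest).decode())


def host_matches(hostname: str, hashed_field: str) -> bool:
    """What the ssh client does: recompute the HMAC with the stored salt and compare."""
    parts = hashed_field.split("|")
    if len(parts) != 5 or parts[1] != "1":
        return False
    salt = base64.b64decode(parts[2])
    return hmac.compare_digest(hash_host(hostname, salt), hashed_field)


def split_entry(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one known_hosts line into (marker, hosts_field, key_part).
    Returns None for blank lines, comments and malformed lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    marker = ""
    if stripped.startswith("@"):  # @cert-authority / @revoked markers
        marker, _, stripped = stripped.partition(" ")
    parts = stripped.split(None, 1)
    if len(parts) < 2:
        return None
    return marker, parts[0], parts[1]


def plaintext_hosts(text: str) -> List[str]:
    """Every host name or address stored in the clear: the information
    a reader of the file gains without any cryptography."""
    found = []
    for line in text.splitlines():
        entry = split_entry(line)
        if entry is None or entry[1].startswith("|1|"):
            continue
        found.extend(entry[1].split(","))
    return found


def hash_file(text: str, salt_source=os.urandom) -> str:
    """Rewrite a known_hosts body so every host is hashed, one host per line,
    as `ssh-keygen -H` does. Comments and hashed lines pass through unchanged."""
    out = []
    for line in text.splitlines():
        entry = split_entry(line)
        if entry is None or entry[1].startswith("|1|"):
            out.append(line)
            continue
        marker, hosts_field, key_part = entry
        for host in hosts_field.split(","):
            salt = salt_source(20)  # OpenSSH uses a 20-byte salt (SHA-1 digest length)
            prefix = marker + " " if marker else ""
            out.append(prefix + hash_host(host, salt) + " " + key_part)
    return "\n".join(out) + "\n"


def find_host(hostname: str, text: str) -> List[str]:
    """Return the key parts recorded for hostname, whether stored plain or hashed."""
    keys = []
    for line in text.splitlines():
        entry = split_entry(line)
        if entry is None:
            continue
        _, hosts_field, key_part = entry
        if hosts_field.startswith("|1|"):
            if host_matches(hostname, hosts_field):
                keys.append(key_part)
        elif hostname in hosts_field.split(","):
            keys.append(key_part)
    return keys


if __name__ == "__main__":
    print("plaintext hosts:", plaintext_hosts(SAMPLE_KNOWN_HOSTS))
    hashed = hash_file(SAMPLE_KNOWN_HOSTS)
    print(hashed)
    print("lookup after hashing:", find_host("linux.example.edu", hashed))
```

The caveat a practitioner should keep in mind: hashing hides the host list from a casual reader, but it is a salted HMAC over the hostname, so anyone who already suspects a particular host can confirm it by calling the same check the client uses. It raises the cost of the discovery geofft describes; it does not remove the value of the compromised box's other contents.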



Fri Jan 12 10:05:35 2007:   TonyLawrence

But again, that's not a weakness in ssh.

A compromised machine is dangerous. That's like saying your car is dangerous if someone steals it. Sure, it is, but because it's been stolen, not otherwise (weak analogy).
