Re: SSH Fingerprint Validation and Authentication

From: saifa (saifa@redneck.gacracker.org)
Date: 04/23/03 

Date: 23 Apr 2003 04:05:51 -0000
From: saifa <saifa@redneck.gacracker.org>

Per,

On Thu, 17 Apr 2003 21:52:57 +0000 (UTC), you wrote:
>
>
> In article <20030416015657.19627.qmail@gacracker.org> saifa
> <saifa@redneck.gacracker.org> writes:
> >
> >Let's say that a user connects to my machine for the first time using
> >SSH, and is presented with:
> >
> > [user@host user]# ssh host.domain.org
> > The authenticity of host 'host.domain.org (hhh.xxx.yyy.zzz)' can't be
> >established.
> > RSA key fingerprint is 5b:37:cf:68:84:57:6f:1c:27:0e:2a:ef:fd:52:10:49.
> > Are you sure you want to continue connecting (yes/no)?
> >
> >I understand that the error received if a key has *changed* will alert
> >the user to a possible compromise, but how does this initial warning
> >help? If the user contacts me and asks "what is your SSH RSA
> >fingerprint?," how does this help the user determine that the machine
> >hasn't been compromised?
>
> Surely you don't think that SSH can help you figure out if a host has
> been compromised? And of course that is not the purpose of the server
> authentication, it is to defend against a man-in-the-middle attack.
> I.e. if the user contacts you and asks for the fingerprint, and what you
> say agrees with what his client has printed, he can conclude that there
> is no man-in-the-middle, and not only continue with the session but also
> approve that his client saves the public key for future connections (so
> as to not have to call you on the phone every time:-).
>
> Likewise, the more severe warning/error you get when there is a mismatch
> with the previously saved key is due to this indicating that there may
> *be* a man-in-the-middle. In practice, the most common *actual* cause is
> that an ignorant admin has changed the remote host key (and this is most
> unfortunate) - but that is not what it is *intended* to detect (and I
> don't know why anyone compromising the host would go and change the host
> key...).

Thanks for the information. I was taking a different tack, and a
man-in-the-middle attack didn't spring to mind ... and of course I didn't
read the man page properly ;)

Thanks again
saifa

Relevant Pages

  • Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test
    ... determine weather the host was compromised or not. ... Subject: Crying wolf: False alarms hide attacks: Eight IDSs fail to ... > "We considered an attack to be any compromise of any computing resource on ...
    (Focus-IDS)
  • Re: looks like a worm to me.
    ... reporting the extent of *their* compromise. ... Drop a sniffer beside the host and then reboot ... Mind you that his *sniffer dump* has a bunch of information in it ... view of the fact he changed the root password. ...
    (comp.os.linux.security)
  • Re: rooted NT/2K boxen?
    ... host that displays no symptoms or characteristics of that situation. ... not an application, user, or even service level. ... ntrootkit is the only true rootkit for windows platforms ... sure there are plenty of ways to compromise a host, ...
    (Focus-Microsoft)
  • Re: Remote Desktop Security Question
    ... I was using RDC from work to access my PC at home until the net admins ... The question is, assuming the worst, could an RDC host possibly ... compromise an RDC client, assuming the host is compromised in some ... access to many client resources like registry, ...
    (microsoft.public.windowsxp.work_remotely)
  • RE: Session Hijacking
    ... compromise is a relative term in this case. ... DNS cache poisoning that redirects the attack to another hosts allowing for MITM. ... Subject: Session Hijacking ... attacker A has to compromise some host in host B's network in Ohio or at host C's network in Florida inorder to conduct MITM attack. ...
    (Security-Basics)