Subject: Re: The problem with SSH2
From: Damien Miller (djmmindrot.org)
Date: Wed Dec 27 2000 - 21:05:19 CST


On Wed, 27 Dec 2000, Bram Cohen wrote:

> On Wed, 27 Dec 2000, Theodore Y. Ts'o wrote:
>
> > If after reading this, the user doesn't get the idea, that user is an
> > idiot.
> >
> > Note further that openssh disables password authentication, so you have
> > to actively edit known_hosts or known_hosts2 in order to get a valid login.
> > Someone who doesn't take steps to verify what's going on before they
> > override openssh is an absolute idiot, and has probably used their
> > boy/girlfriend's name as their password, and/or used the same password
> > as the one they use on websites that use HTTP basic authentication over
> > unencrypted links, so they probably can be compromised 100 different
> > ways. :-)
> >
> > Getting compromised by a MITM attacker when using ssh is the least of
> > such a user/idiot's worries....
>
> My goal is to improve the use of cryptography in the world. Yours
> seems to be something else.

Do you have a rebuttal beyond the pejorative? Compared to unencrypted
systems, SSH is a dream and has already greatly improved "the use of
cryptography in the world".

If you want to make lusers safe against the blatant warning messages
that OpenSSH produces when confronted with a MITM situation, you need
only hardwire the configuration option "StrictHostKeyChecking" to
"yes", which will disconnect when host keys are not what they are
supposed to be.

> > > In the third place, if you're using RSA authentication
> > > (which is far more convenient since you don't have to keep
> > > typing your password), the effects of a MITM attack are much
> > > reduced.
> >
> > Hardly anyone ever does that. Whether they *should* is
> > irrelevant, they *don't*.
> >
> > Huh? In the circles I move around in, *everyone* uses RSA (or DSA)
> > authentication. It's more convenient; you don't have to type your
> > password over and over again. You just run ssh-add once when you login,
> > and after that, ssh-agent caches your decrypted private key for your
> > login session.
>
> I do that. I get the exact same warning message.

Yes - but now you cannot be MITM'd. For PK auth in SSH2 you are signing
data which includes the session identifier which is derived from the
DH key exchange between the client and the server.

If there is a MITM then the real client is going to have a different
session id talking to the MITM than the MITM is going to have in talking
to the real server. PK auth will fail with a bad signature.

-d

-- 
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djmmindrot.org>
| works of Shakespeare. Now, thanks to the Internet, / 
| we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org
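
The session-id binding described in the message above, as an added example that is not part of the original post or of OpenSSH: a toy model in which the session id is a hash over one DH exchange and the user's signature covers that id. The group, the RSA key, the user name "alice", the secret exponents and the simplified hash input are all assumptions constructed for illustration and far too small for real use.

```python
import hashlib

# Toy parameters (constructed for this example; far too small for real use).
P, G = 2**127 - 1, 3                      # DH group: Mersenne prime modulus
RSA_N = (2**61 - 1) * (2**89 - 1)         # user's RSA modulus (two Mersenne primes)
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (2**61 - 2) * (2**89 - 2))   # user's private exponent

def _h(*parts):
    """SHA-256 over the decimal encodings of the parts, as an integer."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def kex(x, y):
    """One DH exchange between secrets x and y; returns the session id.
    Simplified stand-in for the SSH2 exchange hash: H(e, f, K)."""
    e, f = pow(G, x, P), pow(G, y, P)
    k = pow(f, x, P)                      # equals pow(e, y, P) on the other side
    return _h(e, f, k)

def sign_auth(session_id, user):
    """Client: sign the auth request bound to *its* session id."""
    return pow(_h(session_id, user) % RSA_N, RSA_D, RSA_N)

def verify_auth(session_id, user, sig):
    """Server: check the signature against *its own* session id."""
    return pow(sig, RSA_E, RSA_N) == _h(session_id, user) % RSA_N

def direct_login(client_x, server_y):
    sid = kex(client_x, server_y)         # both ends compute the same id
    return verify_auth(sid, "alice", sign_auth(sid, "alice"))

def relayed_login(client_x, mitm_y, mitm_x, server_y):
    sid_client = kex(client_x, mitm_y)    # client <-> interceptor exchange
    sid_server = kex(mitm_x, server_y)    # interceptor <-> server exchange
    sig = sign_auth(sid_client, "alice")  # client signs what it saw
    return verify_auth(sid_server, "alice", sig)   # relayed signature

if __name__ == "__main__":
    print("direct :", direct_login(1234567, 7654321))
    print("relayed:", relayed_login(1234567, 1111111, 2222222, 7654321))
```

The relayed case fails because the two exchanges use different secrets, so the id the client signed is not the id the server verifies against.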