Hello List,

the manpage of ssh_config describes the option CheckHostIP, which is enabled by default. The description says that this option can protect against DNS-spoofing attacks.

I just wondered how a DNS-spoofing attack on ssh could work in general?

If I ssh to a machine:

ssh host1

the ssh client will resolve the IP of host1 (could be DNS, depends on resolv.conf), connect to the host and check the hostkey of host1 against /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts. If someone manages to give me a wrong IP for host1 and I connect to this fakehost, ssh should complain about the wrong hostkey... Why do I need some kind of extra DNS-spoofing protection?

regards
Frank
Hello Frank,

On Thursday 30 March 2006 10:28, Moskito wrote:
> the manpage of ssh_config describes the option CheckHostIP, which is enabled by default. The description says that this option can protect against DNS-spoofing attacks.
> I just wondered how a DNS-spoofing attack on ssh could work in general? If I ssh to a machine: ssh host1 the ssh client will resolve the IP of host1 (could be DNS, depends on resolv.conf), connect to the host and check the hostkey of host1 against /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts. If someone manages to give me a wrong IP for host1 and I connect to this fakehost, ssh should complain about the wrong hostkey... Why do I need some kind of extra DNS-spoofing protection?
Because the next two statements are not equivalent:

- The well-known IP address for a domain name has changed
- The SSH server identification has changed

Nevertheless, in most DNS spoofing attacks both cases will occur, as you have mentioned.

Cheers,
Andreas
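Added example (not part of the original thread and not OpenSSH code): a simplified model of the two known_hosts lookups made when CheckHostIP is enabled, one for the host name and one for the resolved address, showing that the two results can differ. The addresses, key strings and function names are constructed for illustration; hashed entries and @markers are not handled.

```python
# Simplified model of the known_hosts lookups, not OpenSSH source code.
# Handles only plain "names keytype key" lines (no hashed names, no @markers).

# Constructed sample known_hosts content; the key blobs are placeholders.
KNOWN_HOSTS = """\
host1,192.0.2.10 ssh-ed25519 KEY-OF-HOST1
host2,192.0.2.20 ssh-ed25519 KEY-OF-HOST2
"""

def load(text):
    """Map each listed name or address to the set of (keytype, key) recorded for it."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, keytype, key = line.split()[:3]
        for name in names.split(","):
            table.setdefault(name, set()).add((keytype, key))
    return table

def lookup(table, name, presented):
    """Return 'ok', 'changed' or 'unknown' for one name or address."""
    same_type = {key for keytype, key in table.get(name, ()) if keytype == presented[0]}
    if not same_type:
        return "unknown"
    return "ok" if presented[1] in same_type else "changed"

def check(table, host, resolved_ip, presented, check_host_ip=True):
    """Return (result for the host name, result for the address or None if skipped)."""
    by_name = lookup(table, host, presented)
    by_ip = lookup(table, resolved_ip, presented) if check_host_ip else None
    return by_name, by_ip

if __name__ == "__main__":
    table = load(KNOWN_HOSTS)
    k1 = ("ssh-ed25519", "KEY-OF-HOST1")
    k2 = ("ssh-ed25519", "KEY-OF-HOST2")
    cases = [
        ("expected address, expected key", "192.0.2.10", k1),
        ("new address, expected key", "198.51.100.7", k1),
        ("new address, different key", "198.51.100.7", k2),
        ("address recorded for host2, expected key", "192.0.2.20", k1),
    ]
    for label, ip, key in cases:
        print(f"{label}: {check(table, 'host1', ip, key)}")
```

The second and fourth cases are the ones only the address lookup reports: the key recorded for the name still matches, but the address is new or is recorded with a different key.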
On Thu, Mar 30, 2006 at 10:28:02AM +0200, Moskito wrote:
> Hello List,

Hello.

> I just wondered how a dns-spoofing attack to ssh could work in general?

It's useful when using Rhosts authentication, which does not use any crypto
but mimics the Berkeley r-commands.

Note: Do NOT use Rhosts authentication. ;)
--
Bye,
Thomas
--
Thomas Biege