[NTLUG:Discuss] another question on ssh and mobility
Chris Cox
cjcox at acm.org
Mon Sep 9 11:55:33 CDT 2002
Fred James wrote:
> On the security side, let me run this past you and see what you think:
>
> (1) Anyone with the host name/IP and an ssh client can initiate a
> connection attempt.
On most default configs of SSH, probably. But it's configurable.
I usually disallow connections as much as I can... by IP (if possible),
then by username (which I highly recommend). Many ssh implementations are
tcpwrapper-enabled as well, providing that functionality... just
not sure what extras (besides a centralized style of admin) it
will buy you (maybe some logging niceties).
> (2) If the client computer has never gotten a key from that host before,
> one will be offered.
> (3) If the client accepts the key, and keeps it somewhere, subsequent
> connection attempts to the same host will not go through the key
> offering sequence.
In Linux (I know a lot of this has been about Windows), you'll see
this in your ~/.ssh/known_hosts file. However, the keys are checked
every time to prevent a "man-in-the-middle" kind of attack... obviously
if a machine "looks" the same (including host key, name and IP)... then
you are correct, it is allowed.
> (4) The offer of a key is the host asking the client if the client
> trusts the host, or trusts that this is indeed the host the client wants
> to trust.
> (5) That done, the session(s) is(are) encrypted, and then it is up to
> the login/password to ensure that only the proper users have access.
Well... you can tunnel clear text passwords through the host-keyed
session established... or better, use a passphrase-protected user key for
authentication.
>
> Right so far?
>
> Now, the key is being stored somewhere on that client computer - so I
> assume that someone could find the key - is that right? If so, of what
> value would it be to that someone? Of what danger could it be to
> either the client or host computer for that key to be found by someone?
Finding the key would allow you to at least APPEAR to be the SSH host
in question (the host key)... if you can also look like the same host,
name- and IP-wise. Of course, a lot of people change their host key
(usually out of ignorance, I'm afraid), so many don't think twice about
the "man-in-the-middle" attack warning... of course, if the host is
being NAT'd, its IP is changing a bunch (maybe), so again you'll get
the "man-in-the-middle" attack warning. I can't remember, but the
warning message probably differs. There are some configuration switches
which you can use to turn the "warning" into an "error".
So... I would protect the host keys as well as the users' keys.
Even the public keys could be abused if a break-in occurs.
>
>
> Sean Cook wrote:
>
>> On my Win2K box...
>>
>> HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\
>> -> Sessions
>> -> SshHostKeys
>>
>> and one other location...
>>
>> Cheers,
>> Sean
>>
>
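As an added example, not part of this thread and not OpenSSH's own code, here is the client-side decision Chris describes above (points 2 and 3: the known_hosts lookup that happens on every connection, and the StrictHostKeyChecking switch that turns the "warning" into an "error") reduced to a small POSIX shell script. The known_hosts file, host names, addresses and key blobs are constructed placeholders. It handles only plain (unhashed) entries; the real client also reads /etc/ssh/ssh_known_hosts and may hash host names (HashKnownHosts), neither of which this script does.

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenSSH: reproduce the
# known_hosts decision the ssh client makes on every connection, then map it
# onto the StrictHostKeyChecking setting that turns the "warning" into an
# "error". Assumptions: plain (unhashed) hostnames only; hashed "|1|" lines
# and @cert-authority/@revoked markers are skipped; hosts/keys are placeholders.
set -u
set -f   # no globbing: key material is word-split below with "set --"

KH_DIR=$(mktemp -d)
KNOWN_HOSTS="$KH_DIR/known_hosts"

# Constructed sample ~/.ssh/known_hosts. The key blobs are NOT real keys.
cat > "$KNOWN_HOSTS" <<'EOF'
# format: host[,host...] keytype base64-key [comment]
bastion.example.org,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERbastion
[git.example.org]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERgit
EOF

# check_host_key FILE HOST KEYTYPE KEYBLOB
# Prints:  match    - host known and key identical (silent connect)
#          unknown  - no entry for this host+keytype (the "offer a key" prompt)
#          MISMATCH - host known but the key differs (the man-in-the-middle warning)
check_host_key() {
    kh=$1; host=$2; ktype=$3; kblob=$4
    seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|'@'*|'|1|'*) continue ;; esac
        set -- $line                       # $1=hosts $2=keytype $3=key
        [ $# -ge 3 ] || continue
        # the first field is a comma-separated list of names/addresses;
        # non-default ports are stored as [host]:port
        case ",$1," in *",$host,"*) ;; *) continue ;; esac
        [ "$2" = "$ktype" ] || continue    # another key type is a separate entry
        seen=1
        [ "$3" = "$kblob" ] && { echo match; return 0; }
    done < "$kh"
    if [ "$seen" -eq 1 ]; then echo MISMATCH; else echo unknown; fi
    return 0
}

# policy SETTING RESULT
# What ssh does with that result under each StrictHostKeyChecking value
# (ssh_config(5): yes, accept-new, ask, no).
policy() {
    case "$1:$2" in
        *:match)            echo connect ;;
        yes:unknown)        echo refuse ;;             # never learns keys interactively
        accept-new:unknown) echo add-and-connect ;;
        ask:unknown)        echo prompt ;;             # the usual "offer a key" dialogue
        no:unknown)         echo add-and-connect ;;
        no:MISMATCH)        echo connect-restricted ;; # proceeds, but password auth is disabled
        *:MISMATCH)         echo refuse ;;             # with yes/accept-new/ask the warning is an error
        *)                  echo refuse ;;
    esac
}

# Demo: the key stored for bastion, an attacker answering on bastion's IP with
# a different key, and a host never seen before.
for probe in \
    "bastion.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERbastion" \
    "192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERattacker" \
    "newbox.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnewbox"
do
    set -- $probe
    r=$(check_host_key "$KNOWN_HOSTS" "$1" "$2" "$3")
    printf '%-20s %-8s  ask: %-16s yes: %s\n' "$1" "$r" "$(policy ask "$r")" "$(policy yes "$r")"
done
```

In day-to-day use the real tools do this lookup for you: `ssh-keygen -F host` shows the stored entry and `ssh-keygen -R host` removes it when a host key has legitimately changed, and `StrictHostKeyChecking yes` in ~/.ssh/config is the switch that makes both the unknown-host prompt and the changed-key warning hard failures. Note what the second probe shows: an attacker who obtains bastion's host key file would produce "match", not "MISMATCH", which is why the host's private key needs the same protection as users' keys.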
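The server side of the same advice (restrict by username, then by source address, and use user keys instead of cleartext passwords), again as an added example and not the thread's or OpenSSH's own material: an sshd_config drop-in written by a small shell function, plus a helper that reads a setting back from it. Assumptions: OpenSSH 8.2 or later, whose stock sshd_config includes /etc/ssh/sshd_config.d/*.conf; the usernames and the management addresses 192.0.2.0/24 and 203.0.113.5 are placeholders; and Match Address stands in for the tcpwrapper control mentioned above, since OpenSSH dropped tcp_wrappers support in 6.7. By default the file goes to a temporary directory; set SSHD_CONF_DIR=/etc/ssh/sshd_config.d to install it.

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenSSH: an sshd_config
# drop-in that restricts logins by username, then by source address, and
# replaces cleartext passwords with user keys. Assumptions: OpenSSH >= 8.2
# (stock sshd_config has "Include /etc/ssh/sshd_config.d/*.conf"); the user
# names and the addresses 192.0.2.0/24 and 203.0.113.5 are placeholders.
set -u
SSHD_CONF_DIR=${SSHD_CONF_DIR:-$(mktemp -d)}   # set to /etc/ssh/sshd_config.d to install

# write_restrict_conf DIR -> prints the path of the drop-in it wrote
write_restrict_conf() {
    out="$1/50-restrict.conf"
    cat > "$out" <<'EOF'
# Who: any username not listed is rejected before authentication starts.
AllowUsers alice bob deploy
PermitRootLogin no

# How: user keys only. A key without a passphrase is just a file on disk,
# so pair this with "ssh-keygen -t ed25519" and a real passphrase on the client.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no

# Where from: anything outside the management network is refused even with a
# valid key. Match blocks must be last; lines after "Match" apply only to it.
Match Address *,!192.0.2.0/24,!203.0.113.5
    DenyUsers *
EOF
    echo "$out"
}

# conf_value FILE KEYWORD -> the keyword's value from the global section
# (stops at the first Match block, whose settings are conditional)
conf_value() {
    awk -v k="$2" '$1 == "Match" { exit } $1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

CONF=$(write_restrict_conf "$SSHD_CONF_DIR")
echo "wrote $CONF"
conf_value "$CONF" PasswordAuthentication
# Syntax-check the whole effective server config once installed (needs root
# to read the host keys); a temporary copy cannot be checked in isolation.
if [ "$SSHD_CONF_DIR" = /etc/ssh/sshd_config.d ] && command -v sshd >/dev/null 2>&1; then
    sshd -t && echo "sshd config OK"
fi
```

Order matters here: AllowUsers and the authentication keywords sit in the global section, and the Match block comes last because everything after a Match line belongs to it. Keep an existing session open while you reload sshd, so a typo in the address list cannot lock you out.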