Date: Wed, 2 May 2001 23:02:55 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Alex Popa <razor@ldc.ro>
Cc: security@FreeBSD.org
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
Message-ID: <Pine.NEB.3.96L.1010502230041.76222A-100000@fledge.watson.org>
In-Reply-To: <20010501231616.A40227@ldc.ro>
I reported this to the openssh maintainers at least a year or two ago, and was told it was a "feature" -- intended to allow people to "ssh localhost" without getting key errors when using NFS mounted home directories. Personally, I consider it a security "don't" for precisely the reason you identify, and on my personal machines, I tend to re-enable checking for 127.0.0.1.

However, since SSH's public key file format doesn't include a port field, there's not really a great way to handle forwarding from different ports securely -- really, it would be nice if there was a way to say:

    ssh -p 5646 -usekeyfor fledge.watson.org localhost

I.e., connect to localhost:5646, but use the host key associated with fledge.watson.org in the keys file.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Tue, 1 May 2001, Alex Popa wrote:

> The reason why this bothers me is that I sometimes use ssh to tunnel ssh
> connections (blowfish encryption in a 3DES tunnel, anyone?) to hosts I
> cannot otherwise reach (i.e. non-routable address space, 192.168.0.0/16)
> or to hosts which only accept connections from certain IPs.
>
> I do not sometimes fully trust the hosts I use as relays, so it would be
> nice if SSH could show me the key fingerprint and let me decide if I
> want to connect, not just accept any key.
>
> Example:
> (setting up the support tunnel)
> # ssh some.host.example.org -l me -C -L 222:192.168.1.2:22
> (connects OK)
> (switch VT's)
> # ssh 127.0.0.1 -v -C -l root -p 222
> SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090600f).
> debug: Reading configuration data /etc/ssh/ssh_config
> debug: ssh_connect: getuid 0 geteuid 0 anon 0
> debug: Connecting to (null) [127.0.0.1] port 222.
> debug: Allocated local port 1015.
> debug: Connection established.
> debug: Remote protocol version 1.5, remote software version 1.2.27
> debug: no match: 1.2.27
> debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
> debug: Waiting for server public key.
> debug: Received server public key (1152 bits) and host key (1024 bits).
> ---
> debug: Forcing accepting of host key for loopback/localhost.
> ---
> debug: Encryption type: 3des
> debug: Sent encrypted session key.
> debug: Installing crc compensation attack detector.
> debug: Received encrypted confirmation.
> debug: Remote: Server does not permit empty password login.
> debug: Doing password authentication.
> root@127.0.0.1's password:
>
> As you can see from the separated line, ssh does not even ask if I want
> to accept the key. If I set up a different tunnel, I get no warning
> message about the key change.
>
> Is there a way to tell ssh to ask me about that key, and even keep
> different keys in my known_hosts file, for example for 127.0.0.1, 127.1,
> 127.0.1 (which are the same IP, but in different formats so I can store
> the keys once, and then leave ssh to check if they are unchanged).
>
> [Sorry if I do not make a lot of sense, this has been a long day]
>
> Have Fun!
>
> ------------+------------------------------------------
> Alex Popa,  | "Artificial Intelligence is
> razor@ldc.ro| no match for Natural Stupidity"
> ------------+------------------------------------------
> "It took the computing power of three C-64s to fly to the Moon.
> It takes a 486 to run Windows 95. Something is wrong here."
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
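As an added illustration (not code from this thread or from OpenSSH): a small Python lookup over a constructed known_hosts file, showing how keying the stored host key by host and port (the `[host]:port` entry form that later OpenSSH releases added) gives the forwarded port on 127.0.0.1 its own key so a changed key there is detected, and how the several spellings of the loopback address Alex asks about collapse to one entry. The sample file and key bodies are constructed placeholders, and address canonicalisation assumes `socket.inet_aton` accepts the short IPv4 forms.

```python
import socket
from typing import Optional

# Constructed sample known_hosts (key bodies are placeholders, not real keys).
# The [host]:port form lets the tunnel endpoint on 127.0.0.1:222 carry a key
# distinct from the local sshd on 127.0.0.1:22.
KNOWN_HOSTS = """\
127.0.0.1 ssh-rsa AAAA_LOCAL_SSHD_PLACEHOLDER
[127.0.0.1]:222 ssh-rsa AAAA_TUNNEL_TO_192_168_1_2_PLACEHOLDER
fledge.example.org,[fledge.example.org]:5646 ssh-rsa AAAA_FLEDGE_PLACEHOLDER
"""


def canonical_host(host: str) -> str:
    """Collapse IPv4 spellings such as 127.1 and 127.0.1 to 127.0.0.1 (assumes
    inet_aton short-form support); non-address names are just lower-cased."""
    try:
        return socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        return host.lower()


def lookup_key(known_hosts: str, host: str, port: int = 22) -> Optional[str]:
    """Return the stored 'keytype keydata' for host:port, or None if absent.
    Port 22 matches a bare name; any other port needs a [host]:port entry."""
    want = canonical_host(host)
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, keytype, keydata = line.split()[:3]
        for name in names.split(","):
            if name.startswith("["):                 # [host]:port form
                h, _, p = name[1:].rpartition("]:")
                if p.isdigit() and int(p) == port and canonical_host(h) == want:
                    return f"{keytype} {keydata}"
            elif port == 22 and canonical_host(name) == want:
                return f"{keytype} {keydata}"
    return None


def check_host_key(known_hosts: str, host: str, port: int, offered: str) -> str:
    """Classify the key a server offered: 'ok', 'unknown' (ask the user) or
    'changed' (refuse); this is the decision ssh skips when it force-accepts
    any key for loopback."""
    stored = lookup_key(known_hosts, host, port)
    if stored is None:
        return "unknown"
    return "ok" if stored == offered else "changed"
```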