Date: Tue, 1 May 2001 23:16:16 +0300
From: Alex Popa <razor@ldc.ro>
To: security@FreeBSD.org
Subject: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
Message-ID: <20010501231616.A40227@ldc.ro>
The reason this bothers me is that I sometimes use ssh to tunnel ssh connections (Blowfish encryption in a 3DES tunnel, anyone?) to hosts I cannot otherwise reach (i.e. non-routable address space, 192.168.0.0/16) or to hosts which only accept connections from certain IPs. I sometimes do not fully trust the hosts I use as relays, so it would be nice if ssh could show me the key fingerprint and let me decide whether I want to connect, not just accept any key.

Example: (setting up the support tunnel)

# ssh some.host.example.org -l me -C -L 222:192.168.1.2:22
(connects OK)

(switch VTs)

# ssh 127.0.0.1 -v -C -l root -p 222
SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to (null) [127.0.0.1] port 222.
debug: Allocated local port 1015.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version 1.2.27
debug: no match: 1.2.27
debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: Waiting for server public key.
debug: Received server public key (1152 bits) and host key (1024 bits).
---
debug: Forcing accepting of host key for loopback/localhost.
---
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Remote: Server does not permit empty password login.
debug: Doing password authentication.
root@127.0.0.1's password:

As you can see from the separated line, ssh does not even ask if I want to accept the key. If I set up a different tunnel, I get no warning message about the key change.
Is there a way to tell ssh to ask me about that key, and even keep different keys in my known_hosts file, for example for 127.0.0.1, 127.1, 127.0.1 (which are the same IP, but in different formats, so I can store the keys once and then leave ssh to check that they are unchanged)?

[Sorry if I do not make a lot of sense, this has been a long day]

Have Fun!

------------+------------------------------------------
Alex Popa,  | "Artificial Intelligence is
razor@ldc.ro| no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
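Editor's note with an added example; the code below is not the poster's and not OpenSSH's. In current OpenSSH the two things asked for are configuration options: HostKeyAlias (ssh_config(5)) names the entry under which the host key is looked up and saved, so each tunnelled host gets its own known_hosts entry regardless of the loopback address and local port used to reach it, and the forced acceptance shown in the debug output is now controlled by NoHostAuthenticationForLocalhost, which defaults to off (the key is checked). The Python model below shows the check that the 2.3.0 client skipped for loopback: a trust-on-first-use store keyed by canonical dotted-quad plus local port, so that 127.1:222, 127.0.1:222 and 127.0.0.1:222 share one entry, a second tunnel on another port gets its own entry, and a changed key on an existing entry is reported as a mismatch rather than silently accepted or overwritten. The key byte strings and the SHA256 fingerprint style are constructed stand-ins for real key material.

```python
"""Trust-on-first-use host key check keyed by canonical address and port.

Added example, not OpenSSH code: it models the check that the OpenSSH 2.3.0
client in the message above skipped for loopback addresses.
"""
import base64
import hashlib
import socket
from typing import Dict, List, Tuple

# Constructed sample host keys: arbitrary distinct byte strings standing in
# for the wire encoding of a server's public key.
KEY_INTERNAL_HOST = b"constructed key for 192.168.1.2"
KEY_OTHER_HOST = b"constructed key for 192.168.1.3"
KEY_SUBSTITUTED = b"constructed key presented by a relay in the middle"


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 fingerprint, 'SHA256:<base64 without padding>' style."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def canonical_host(host: str) -> str:
    """Fold the textual forms the poster lists (127.1, 127.0.1, 127.0.0.1)
    into one dotted quad, so a single entry covers all of them.
    Non-numeric hostnames are lower-cased and passed through unchanged."""
    try:
        packed = socket.inet_aton(host)  # accepts the classic short forms
    except OSError:
        return host.lower()
    return socket.inet_ntoa(packed)


def host_index(host: str, port: int) -> str:
    """Store index in [host]:port form. The port is part of the identity
    because each forwarded local port ends at a different real server."""
    return f"[{canonical_host(host)}]:{port}"


def check_host_key(known: Dict[str, str], host: str, port: int,
                   pubkey: bytes, accept_new: bool = True) -> Tuple[str, str]:
    """Return (verdict, fingerprint).

    'new'      first contact; the key is recorded when accept_new is set
               (a real client would show the fingerprint and ask first)
    'match'    the stored key for this index is the one presented
    'mismatch' a different key is stored; it is never overwritten here and
               the caller must refuse to continue
    """
    idx = host_index(host, port)
    fp = fingerprint(pubkey)
    stored = known.get(idx)
    if stored is None:
        if accept_new:
            known[idx] = fp
        return "new", fp
    if stored == fp:
        return "match", fp
    return "mismatch", fp


def demo() -> List[str]:
    """Walk through the poster's scenario and return the verdicts in order."""
    known: Dict[str, str] = {}
    events = []
    # First tunnel, local 222 -> 192.168.1.2:22: first contact, key recorded.
    events.append(check_host_key(known, "127.0.0.1", 222, KEY_INTERNAL_HOST)[0])
    # Same tunnel addressed as 127.1: canonicalisation finds the stored key.
    events.append(check_host_key(known, "127.1", 222, KEY_INTERNAL_HOST)[0])
    # Second tunnel on port 223 to another host: its own entry, not an alarm.
    events.append(check_host_key(known, "127.0.1", 223, KEY_OTHER_HOST)[0])
    # Port 222 now presents a different key (tunnel re-pointed, or a relay
    # substituting its own key): the warning the poster asked for.
    events.append(check_host_key(known, "127.0.0.1", 222, KEY_SUBSTITUTED)[0])
    return events


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The store is keyed on the loopback address and port only because that is what the client sees; the tunnel's far end is what the entry really identifies, which is exactly why a per-tunnel HostKeyAlias is the cleaner answer in real ssh_config.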
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010501231616.A40227>