Date: Wed, 2 May 2001 08:00:45 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: Daniel Hagan <dhagan@colltech.com>
Cc: oldfart@gtonet.net, "security@FreeBSD.ORG" <security@FreeBSD.ORG>
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
Message-ID: <20010502080045.A73979@ringworld.oblivion.bg>
In-Reply-To: <3AEF5699.9CE7939A@colltech.com>; from dhagan@colltech.com on Tue, May 01, 2001 at 08:36:41PM -0400
References: <BIEHKEFNHFMMJEKCDMLNMEEICIAA.oldfart@gtonet.net> <3AEF5699.9CE7939A@colltech.com>
On Tue, May 01, 2001 at 08:36:41PM -0400, Daniel Hagan wrote:
> Double encryption is only a big problem when done using the same cipher
> system (as I recall). I suspect using different ciphers, as the
> original author indicated, would be fine.
>
> As far as the original question: Try setting StrictHostKeyChecking to
> 'yes' either in your configuration file or on the command line (with -o
> ...). You'll have to manually update the known_hosts file when you
> change tunnels (or run ssh w/o the SHKC directive). I suspect you could
> manually change the IP's in the known_hosts file to other 127.x.x.x ones
> as long as you remembered which IP went to which tunnel. See ssh(1)
> manpage for more info.
>
> I haven't tested this, so YMMV.

Actually, I don't think this will help; looking around lines 490-500 of
src/crypto/openssh/sshconnect.c, it seems the localhost check forces
acceptance of the key regardless of any options. I just tested this, and
indeed, StrictHostKeyChecking has no effect on localhost connections :(

If the original poster took his fix from a newer OpenSSH source, then I
guess it will be imported into FreeBSD with the next OpenSSH import.

G'luck,
Peter

--
I had to translate this sentence into English because I could not read the original Sanskrit.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
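To make the point of the thread concrete, here is an added model (not OpenSSH code, and not from either poster) of the host-key decision with and without a localhost exemption. The known_hosts entries, key strings and the two tunnel targets are constructed; the scenario shows why the suggested StrictHostKeyChecking workaround does nothing when the exemption is in force.

```python
# Constructed known_hosts in the classic one-entry-per-line format:
# the 127.0.0.1 entry belongs to the first tunnel's remote end.
KNOWN_HOSTS = """\
127.0.0.1 ssh-rsa KEY-TUNNEL-ALPHA
gw.example.org ssh-rsa KEY-GATEWAY
"""


def parse_known_hosts(text):
    """Map (hostname, keytype) -> key for the classic 'hosts keytype key' lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, key = line.split(None, 2)
        for host in hosts.split(","):  # a line may list several comma-separated names
            entries[(host, keytype)] = key.split()[0]
    return entries


def check_host_key(host, keytype, presented, known, strict, localhost_exempt):
    """Return 'accept', 'reject' or 'unknown' (unknown = prompt/add when not strict)."""
    if localhost_exempt and host == "127.0.0.1":
        # Behaviour described in the thread: a connection to 127.0.0.1 is
        # accepted no matter what key it presents and no matter what
        # StrictHostKeyChecking says.
        return "accept"
    stored = known.get((host, keytype))
    if stored is None:
        return "reject" if strict else "unknown"
    return "accept" if stored == presented else "reject"


def tunnel_scenario(localhost_exempt):
    """Two tunnels on 127.0.0.1, each to a different remote host.

    The second tunnel's remote end presents a key that does not match the
    stored 127.0.0.1 entry, exactly as happens when the tunnel target changes
    (or when something else answers on the forwarded port). StrictHostKeyChecking
    is 'yes' in both calls.
    """
    known = parse_known_hosts(KNOWN_HOSTS)
    first = check_host_key("127.0.0.1", "ssh-rsa", "KEY-TUNNEL-ALPHA",
                           known, strict=True, localhost_exempt=localhost_exempt)
    second = check_host_key("127.0.0.1", "ssh-rsa", "KEY-TUNNEL-BETA",
                            known, strict=True, localhost_exempt=localhost_exempt)
    return first, second
```

With the exemption, `tunnel_scenario(True)` accepts both keys; without it, the mismatched second key is rejected, which is the check a user relying on StrictHostKeyChecking expects.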