From owner-freebsd-security Tue May 1 22:02:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 992CC37B424 for ; Tue, 1 May 2001 22:02:37 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 74178 invoked by uid 1000); 2 May 2001 05:00:46 -0000
Date: Wed, 2 May 2001 08:00:45 +0300
From: Peter Pentchev
To: Daniel Hagan
Cc: oldfart@gtonet.net, "security@FreeBSD. ORG"
Subject: Re: OpenSSH accepts any RSA key from host 127.0.0.1, even on non-default ports
Message-ID: <20010502080045.A73979@ringworld.oblivion.bg>
Mail-Followup-To: Daniel Hagan , oldfart@gtonet.net, "security@FreeBSD. ORG"
References: <3AEF5699.9CE7939A@colltech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AEF5699.9CE7939A@colltech.com>; from dhagan@colltech.com on Tue, May 01, 2001 at 08:36:41PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, May 01, 2001 at 08:36:41PM -0400, Daniel Hagan wrote:
> Double encryption is only a big problem when done using the same cipher
> system (as I recall). I suspect using different ciphers, as the
> original author indicated, would be fine.
>
> As far as the original question: Try setting StrictHostKeyChecking to
> 'yes' either in your configuration file or on the command line (with -o
> ...). You'll have to manually update the known_hosts file when you
> change tunnels (or run ssh w/o the SHKC directive). I suspect you could
> manually change the IP's in the known_hosts file to other 127.x.x.x ones
> as long as you remembered which IP went to which tunnel. See ssh(1)
> manpage for more info.
>
> I haven't tested this, so YMMV.
Actually, I don't think this will help; looking around lines 490-500 of src/crypto/openssh/sshconnect.c, it seems the localhost check forces acceptance of the key regardless of any options. I just tested this, and indeed, StrictHostKeyChecking has no effect on localhost connections :(

If the original poster took his fix from a newer OpenSSH source, then I guess it will be imported into FreeBSD with the next OpenSSH import.

G'luck,
Peter

--
I had to translate this sentence into English because I could not read the original Sanskrit.
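The behaviour Peter describes, modelled in Python as an added illustration (this is not the sshconnect.c code): a loopback shortcut that returns "accepted" before StrictHostKeyChecking or known_hosts are consulted, beside a hardened check that drops the shortcut and keys entries on host plus port. The known_hosts contents and key strings are constructed.

```python
import ipaddress

# Constructed known_hosts: label -> host public key (opaque strings here).
# Tunnel A on 127.0.0.1 was recorded earlier; tunnel B on port 2222 was not.
KNOWN_HOSTS = {"127.0.0.1": "ssh-rsa AAAA...tunnelA"}


def is_loopback(host: str) -> bool:
    """True for 127.x.x.x, ::1 or the literal name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def _lookup(label, key, known_hosts, strict):
    """Shared known_hosts logic: unknown hosts are rejected when strict,
    otherwise recorded; known hosts must present the recorded key."""
    stored = known_hosts.get(label)
    if stored is None:
        if strict:
            return "rejected"
        known_hosts[label] = key
        return "accepted"
    return "accepted" if stored == key else "rejected"


def check_host_key_legacy(host, port, key, known_hosts, strict=True):
    """Model of the shortcut discussed in the thread: a loopback peer is
    accepted before StrictHostKeyChecking or known_hosts are looked at,
    so any key on any 127.x.x.x port passes."""
    if is_loopback(host):
        return "accepted"  # forced accept; options never consulted
    return _lookup(host, key, known_hosts, strict)


def check_host_key_hardened(host, port, key, known_hosts, strict=True,
                            default_port=22):
    """Same check without the loopback shortcut. Non-default ports get
    their own entry, written as [host]:port, so two tunnels on 127.0.0.1
    cannot be mistaken for each other."""
    label = host if port == default_port else f"[{host}]:{port}"
    return _lookup(label, key, known_hosts, strict)
```

Run with the constructed table: the legacy model accepts an unknown key on 127.0.0.1:2222 even with strict checking on, while the hardened model rejects it until that port's entry has been recorded.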