SSH Security: Is this not news?
Eric Lee Green
plug-discuss@lists.plug.phoenix.az.us
Wed, 18 Dec 2002 10:17:53 -0700
On Wednesday 18 December 2002 09:40 am, J.Francois wrote:
> I was pretty busy yesterday so if this was posted just ignore me.
> If it wasn't posted, then it's a good heads up.
>
> Cert SSH Advisory - All Versions on All Platforms:
> http://www.cert.org/advisories/CA-2002-36.html
> http://www.kb.cert.org/vuls/id/389665
This is basically a man-in-the-middle attack at initial key chat. Anybody who
knows anything about cryptography and how SSH handles initial key chat knows
that there is a vulnerability there. That's why Red Hat has SSH configured to
tell you when you're doing initial key chat. This is not exploitable except
during the narrow window of vulnerability that you're establishing the
initial keys with a target, and in my opinion is an acceptable risk on the
typical network.
In short, it's not news -- those of us in the security industry have known of
this issue for decades (ever since the original Diffie-Hellman public key
exchange algorithm was introduced in the late 70's), and thus why it's not
getting much press.
--
Eric Lee Green GnuPG public key at http://badtux.org/eric/eric.gpg
mailto:eric@badtux.org Web: http://www.badtux.org
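
The first-connection window discussed in the message above closes once the host key the client is offered is checked against a fingerprint obtained out of band. The following is an added example, not part of the original message or of any SSH implementation. It assumes the SHA256 fingerprint format printed by OpenSSH; the host name `server.example`, the function names and the key blobs are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

# Constructed sample blobs (byte patterns, not real keys): the server's key
# and a different key that an interposed host would have to offer instead.
GENUINE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
IMPOSTOR_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))

def known_hosts_line(host, blob):
    """Format a blob the way a known_hosts entry carries it."""
    return "%s ssh-ed25519 %s" % (host, base64.b64encode(blob).decode())

def parse_host_key_line(line):
    """Return (key_type, raw_blob) from a 'host keytype base64' line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-blob")
    key_type = fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    # The blob names its own type; a mismatch means a malformed entry.
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type in blob does not match the line")
    return key_type, blob

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def verify_first_contact(offered_line, trusted_fp):
    """True only if the offered key matches the out-of-band fingerprint."""
    _, blob = parse_host_key_line(offered_line)
    return hmac.compare_digest(fingerprint(blob), trusted_fp)

# Stands in for a fingerprint read from the server console or its admin.
TRUSTED_FP = fingerprint(GENUINE_BLOB)

if __name__ == "__main__":
    for blob in (GENUINE_BLOB, IMPOSTOR_BLOB):
        line = known_hosts_line("server.example", blob)
        print(fingerprint(blob), "accept" if verify_first_contact(line, TRUSTED_FP) else "REJECT")
```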