SSH Security: Is this not news?

Eric Lee Green plug-discuss@lists.plug.phoenix.az.us
Wed, 18 Dec 2002 10:17:53 -0700


On Wednesday 18 December 2002 09:40 am, J.Francois wrote:
> I was pretty busy yesterday so if this was posted just ignore me.
> If it wasn't posted, then it's a good heads up.
>
> Cert SSH Advisory - All Versions on All Platforms:
> http://www.cert.org/advisories/CA-2002-36.html
> http://www.kb.cert.org/vuls/id/389665

This is basically a man-in-the-middle attack at initial key chat. Anybody who 
knows anything about cryptography and how SSH handles initial key chat knows 
that there is a vulnerability there. That's why Red Hat has SSH configured to 
tell you when you're doing initial key chat. This is not exploitable except 
during the narrow window of vulnerability that you're establishing the 
initial keys with a target, and in my opinion is an acceptable risk on the 
typical network.

In short, it's not news -- those of us in the security industry have known of 
this issue for decades (ever since the original Diffie-Hellman public key 
exchange algorithm was introduced in the late 70's), which is why it's not 
getting much press. 

-- 
Eric Lee Green          GnuPG public key at http://badtux.org/eric/eric.gpg
          mailto:eric@badtux.org  Web: http://www.badtux.org
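
The first-contact window discussed in the reply above, as an added example that is not part of the original post: a simplified Python model of trust-on-first-use host key checking, showing why only the first connection to a host lacks a stored key to compare against. The host name, key blobs and function names are constructed for illustration; this is not OpenSSH's own code.

```python
import base64
import hashlib

# Constructed sample data: placeholder bytes, not real host keys.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()

KNOWN_HOSTS = f"""\
# constructed known_hosts content
server.example.org ssh-ed25519 {KEY_A}
"""

def fingerprint(key_b64):
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_known_hosts(text):
    """Map (host, key type) -> key blob for plain, unhashed entries."""
    known = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, short lines and @cert-authority/@revoked markers.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        hosts, key_type, key_b64 = fields[:3]
        for host in hosts.split(","):
            known[(host, key_type)] = key_b64
    return known

def check_host_key(known, host, key_type, offered_b64):
    """Classify the key a server offers against what was stored earlier."""
    stored = known.get((host, key_type))
    fp = fingerprint(offered_b64)
    if stored is None:
        # Nothing to compare against: verify fp out of band before trusting it.
        return "first-contact", fp
    if stored == offered_b64:
        return "match", fp
    # A stored key exists and differs: refuse rather than silently re-trust.
    return "mismatch", fp

if __name__ == "__main__":
    known = load_known_hosts(KNOWN_HOSTS)
    print(check_host_key(known, "server.example.org", "ssh-ed25519", KEY_A))
    print(check_host_key(known, "server.example.org", "ssh-ed25519", KEY_B))
    print(check_host_key(known, "new.example.org", "ssh-ed25519", KEY_B))
```
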