I reported a bug recently to the Debian bug tracking system but I just checked this mailing list and it seems it was already mentioned here. However, the thread seems to have died. This is worrisome because it's a rather severe security vulnerability.

OpenSSH seems to have changed behaviour to canonicalize host names _before_ looking up keys in known_hosts. This is BAD. AWFUL. TERRIBLE.

This sounds like someone applied a blanket security rule-of-thumb without understanding the rationale behind the rule. (What's worse is that canonicalizing host names doesn't really buy any security in the general case, but that's another battle.)

Canonicalizing names provided by untrusted sources is reasonable because it prevents untrusted sources from being able to provide aliases that might escape treatment by some security provision. Canonicalizing names provided by the user before checking the known_hosts file means you're opening the user up to additional attacks where he might not even be connecting to the host he requested!

Incidentally, my original Debian bug report was that SSH should use the hostname/port pair as the key for known_hosts, not merely the hostname, since each port could run an sshd with a different key. I would actually like an option in .ssh/config to specify the known_hosts key explicitly rather than use the hostname and IP address.

-- greg
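To make the lookup-order argument in the message above concrete, here is an added toy model (not OpenSSH code, and not from either poster) of a known_hosts lookup keyed by (hostname, port). The DNS table, host names and key strings are all constructed placeholders; the model compares looking up the key by the name the user typed with looking it up by the resolver's canonical name.

```python
from typing import Optional

# Constructed sample host keys (placeholders, not real key material).
REAL_KEY = "ssh-rsa AAAA...bastion-port-22"
ALT_KEY = "ssh-rsa AAAA...bastion-port-2222"
LAB_KEY = "ssh-rsa AAAA...lab.example.org"

# Constructed known_hosts, keyed by (hostname, port) as the message proposes,
# so two sshds on one host with different keys can each have an entry.
KNOWN_HOSTS = {
    ("bastion", 22): REAL_KEY,
    ("bastion", 2222): ALT_KEY,
    ("lab.example.org", 22): LAB_KEY,   # another host the user has trusted before
}

# Constructed resolver answer: DNS (which the client cannot trust) now claims
# the short name "bastion" is an alias for lab.example.org.
SPOOFED_DNS = {"bastion": "lab.example.org"}


def canonicalize(name: str, dns: dict = SPOOFED_DNS) -> str:
    """Follow the resolver's alias to the 'canonical' name, as the disputed code does."""
    return dns.get(name, name)


def lookup_key(host: str, port: int, canonicalize_first: bool) -> Optional[str]:
    """Find the pinned key, either by the name the user typed or by its canonical form."""
    name = canonicalize(host) if canonicalize_first else host
    return KNOWN_HOSTS.get((name, port))


def connect(host: str, port: int, presented_key: str, canonicalize_first: bool) -> str:
    """Outcome of connecting to host:port when the server presents presented_key."""
    expected = lookup_key(host, port, canonicalize_first)
    if expected is None:
        return "unknown"   # client would prompt and offer to add a new entry
    # "mismatch" is the loud host-key-changed warning; "accept" is silent.
    return "accept" if expected == presented_key else "mismatch"


if __name__ == "__main__":
    # The user types "ssh bastion"; a spoofed DNS answer steers the TCP
    # connection to lab.example.org, whose sshd presents LAB_KEY.
    print("canonicalize first:", connect("bastion", 22, LAB_KEY, True))   # accept
    print("lookup as typed:   ", connect("bastion", 22, LAB_KEY, False))  # mismatch
```

With canonicalization first, the connection to the wrong host is accepted silently because the canonical name selects the wrong pinned key; looking up the name as typed turns the same situation into a key mismatch warning, and the port in the key keeps the two sshds on "bastion" from colliding.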
On Mon, Oct 02, 2000 at 10:57:53PM -0400, Gregory Stark wrote:

> OpenSSH seems to have changed behaviour to canonicalize host names _before_
> looking up keys in known_hosts. This is BAD. AWFUL. TERRIBLE.

Thank you for bringing this up again. I'm disappointed that this wasn't addressed last time. Is there another forum for security issues with OpenSSH? Should I contact OpenBSD?

One of the strong points of ssh (emphasized since the earliest versions I ever used) is resistance to DNS spoofing. This principle seems to have been disregarded in this case. Since nobody identified any purpose for host name canonicalization, I suggest simply deleting the code I referred to.

> Incidentally, my original debian bug report was that SSH should use the
> hostname/port pair as the key for known_hosts, not merely the hostname. Since
> each port could run an sshd with a different key. I would actually like an
> option in .ssh/config to specify the known_hosts key explicitly rather than
> use the hostname and ip address.

You must like typing ;)

Andrew