bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-14 22:39 UTC
[Bug 1489] New: ssh should normalize IP addresses before comparison
https://bugzilla.mindrot.org/show_bug.cgi?id=1489

Summary: ssh should normalize IP addresses before comparison
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.0p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: gst at sysfrog.org

When using the ssh command to log in to a host, ssh checks if the public key of this host is already known. However, when issuing an IP address instead of a hostname, ssh seems to do a string-based comparison of this IP address with the already known addresses.

Example:

-------- 8< -------- 8< -------- 8< -------- 8< --------
[gst at nano ~]$ ssh 10.0.0.3
Enter passphrase for key '/home/example/.ssh/id_rsa':

---> The client already knows the public key

[gst at nano ~]$ ssh 10.00.0.3
The authenticity of host '10.00.0.3 (10.0.0.3)' can't be established.
RSA key fingerprint is 4f:ab:6e:8a:0b:02:d0:32:18:a1:1c:00:2b:5c:f8:bd.
Are you sure you want to continue connecting (yes/no)?

---> Another format for the same IP, the client does not recognize the IP
-------- 8< -------- 8< -------- 8< -------- 8< --------

One scenario where this e.g. could lead to a security problem would be if:

* An attacker sets up a man in the middle attack
* The attacker somehow tricks someone to connect to the host using a slightly modified IP address

It seems that "CheckHostIP" does NOT help in the above scenario. I did not look into this further, but maybe ssh does not do the additional check of the host's IP if an IP is given as argument.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
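
The two comparisons at issue in the report above, as an added example that is not part of the bug report and not OpenSSH code: a lookup on the host string exactly as typed, and a lookup after canonicalizing numeric IPv4 input with inet_aton(3). The known-hosts list and all function names are constructed for illustration.

```c
#define _DEFAULT_SOURCE 1          /* for inet_aton() */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: host names as they could appear in a known_hosts file. */
static const char *known[] = { "10.0.0.3", "server.example" };
#define NKNOWN (sizeof known / sizeof known[0])

/* If host is an IPv4 literal in any form inet_aton() accepts (leading zeros,
 * octal, hex, short forms), write its dotted-quad form to out and return 1.
 * Return 0 for anything else, e.g. a DNS name. */
static int canonical_ipv4(const char *host, char *out, size_t outlen)
{
    struct in_addr a;

    if (inet_aton(host, &a) == 0)
        return 0;
    return inet_ntop(AF_INET, &a, out, (socklen_t)outlen) != NULL;
}

/* String comparison of the host exactly as typed (what the report describes). */
static int lookup_raw(const char *host)
{
    for (size_t i = 0; i < NKNOWN; i++)
        if (strcmp(known[i], host) == 0)
            return 1;
    return 0;
}

/* Same lookup, but numeric hosts are compared in canonical form. */
static int lookup_normalized(const char *host)
{
    char canon[INET_ADDRSTRLEN];

    if (canonical_ipv4(host, canon, sizeof canon))
        host = canon;
    return lookup_raw(host);
}

int main(void)
{
    const char *typed[] = { "10.0.0.3", "10.00.0.3", "10.3", "010.0.0.3" };

    for (size_t i = 0; i < sizeof typed / sizeof typed[0]; i++)
        printf("%-10s raw=%d normalized=%d\n", typed[i],
               lookup_raw(typed[i]), lookup_normalized(typed[i]));
    return 0;
}
```

inet_aton() reads a leading zero as octal, so 010.0.0.3 canonicalizes to 8.0.0.3 and correctly stays unknown. Any normalization has to use the same parser as the code that opens the connection, otherwise the compared address and the contacted address can differ.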
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-14 22:56 UTC
[Bug 1489] ssh should normalize IP addresses before comparison
https://bugzilla.mindrot.org/show_bug.cgi?id=1489

Guenther Starnberger <gst at sysfrog.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gst at sysfrog.org
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-26 00:34 UTC
[Bug 1489] ssh should normalize IP addresses before comparison
https://bugzilla.mindrot.org/show_bug.cgi?id=1489

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
So don't do that.
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24 01:33 UTC
[Bug 1489] ssh should normalize IP addresses before comparison
https://bugzilla.mindrot.org/show_bug.cgi?id=1489

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> 2011-01-24 12:33:51 EST ---
Move resolved bugs to CLOSED after 5.7 release