the SSH worm thing

Tomas Mraz tmraz at redhat.com
Wed May 11 17:47:45 UTC 2005


On Wed, 2005-05-11 at 13:34 -0400, Alan Cox wrote:
> On Wed, May 11, 2005 at 10:04:12AM -0700, Florin Andrei wrote:
> > http://www.schneier.com/blog/archives/2005/05/the_potential_f.html
> > 
> > I can't test it right now, but I wonder - what's the default setting on
> > FC4, hash the hosts or not?
No, it's currently left at the default, which means no hashing of known
hosts.

> I'm not convinced it helps very much. I'll just read every .history file on
> your machine and hash the hostnames I find in that against the database. I'd
> also try cvs based attacks by using the keys that work and appear to be for
> cvs stuff to automate pushing updated autoconf scripts into every cvs I can
> 'fix'.
> 
> There are just far too many other ways to identify an ssh host entry/key and
> to then use that the same way the analysed user has.

Also, if the attacker could read the known_hosts file, he could also
change the user's environment so that instead of ssh it calls a malicious
script/binary which would log the user's credentials and only then call
the real ssh binary.

-- 
Tomas Mraz <tmraz at redhat.com>
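The thread above turns on what `HashKnownHosts` actually hides. The script below is an added example, not code from the thread or from OpenSSH: it parses a small constructed known_hosts file, reports which entries are still stored as plain hostnames, and reimplements the `|1|salt|digest` scheme (HMAC-SHA1 keyed by a 20-byte salt, as OpenSSH writes it) so one can see that a hashed entry still confirms any hostname a reader already suspects, which is Alan's point about `.history` files. The sample file, the salt and the key blobs are constructed placeholders; `@cert-authority` / `@revoked` marker lines are not handled.

```python
import base64
import hashlib
import hmac


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build the host field OpenSSH writes when HashKnownHosts is on:
    |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>."""
    if len(salt) != 20:
        raise ValueError("OpenSSH uses a 20-byte salt")
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def host_field_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (hashed or plain) names `hostname`.
    For a hashed field this is the same check `ssh-keygen -F host` performs:
    the salt is in the file, so any candidate name can be tried against it."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    # Plain fields may list several names/addresses separated by commas.
    return hostname in host_field.split(",")


def parse_known_hosts(text: str) -> list:
    """Return one dict per key line: host field, key type, hashed flag.
    Comment lines, blank lines and malformed lines are skipped;
    lines starting with an @ marker are not handled here (assumption)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split(None, 2)  # host field, key type, key data [+ comment]
        if len(fields) < 3:
            continue
        host_field, key_type = fields[0], fields[1]
        entries.append({
            "host_field": host_field,
            "key_type": key_type,
            "hashed": host_field.startswith("|1|"),
        })
    return entries


def audit(text: str) -> dict:
    """Summarise a known_hosts file: total key lines and the host fields
    that are still readable in clear (candidates for `ssh-keygen -H`)."""
    entries = parse_known_hosts(text)
    plain = [e["host_field"] for e in entries if not e["hashed"]]
    return {"total": len(entries), "plain": plain}


# Constructed 20-byte salt; a real file carries a random salt per entry.
FIXED_SALT = bytes(range(20))

# Constructed sample file: one plain entry, one hashed entry, key data are
# placeholders and not real public keys.
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample, not a real known_hosts file\n"
    "build.example.org,192.0.2.10 ssh-ed25519 AAAAC3PLACEHOLDERKEYDATA\n"
    + hash_hostname("cvs.example.org", FIXED_SALT)
    + " ssh-rsa AAAAB3PLACEHOLDERKEYDATA\n"
)

if __name__ == "__main__":
    report = audit(SAMPLE_KNOWN_HOSTS)
    print("key lines:", report["total"])
    print("still plain:", report["plain"])
    hashed = hash_hostname("cvs.example.org", FIXED_SALT)
    print("hashed field confirms cvs.example.org:",
          host_field_matches(hashed, "cvs.example.org"))
```

Running it on a real `~/.ssh/known_hosts` shows the defensive value and its limit in one go: the plain list is what `ssh-keygen -H` would convert, while `host_field_matches` shows that hashing only withholds names the reader cannot already guess.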