FAS and public Key auth

Mike McGrath mmcgrath at redhat.com
Thu May 22 14:16:51 UTC 2008


On Thu, 22 May 2008, Till Maas wrote:

> On Thu May 22 2008, Mike McGrath wrote:
>
> > Now, I've never actually done this.  It's just my understanding that it'd
> > work that way.  If you had root on a box and I sshed there with my ssh
> > key, would you not have access to take the key and log in to other boxes
> > as me?
> >
> > So my question is, is this a real risk or is there a precaution in SSH
> > preventing the attack I'm describing (basically a man in the middle type
> > attack)
>
> Afaik this attack is not possible with ssh because a user signs some
> information that is unique to the current session and contains among other
> things a hash of the host key that the user wants to login to.
>

Yeah, I've been talking with someone in #openssh as well.  My
understanding of how openssh auth happens is basically like this (sorry
I'm not going to take the time to diagram this even though that's what it
really needs)

Client tries to ssh to Server A

Server A generates a random number, encrypts it with pub, sends it to the
client

The client decrypts this number with private key and sends it back to A.

Bam!  Shell.


Here was my concern.

Client tries to ssh to untrusted Server B (with hacked ssh server)

Server B tries to ssh to Server A as the client user.

Server A generates random number, encrypts it with pub, sends it to B.

Server B doesn't know what the number is so it sends that encrypted
payload to the client.

The client decrypts this number with private key and sends it back to
Server B.

Server B sends this number back to Server A.

Server A allows shell to server B as client user.

Server B allows shell to client user.

Client doesn't realize what just happened as it went very quickly.


The guys in #openssh are saying this isn't possible but I wasn't convinced
with their reason (basically that server B doesn't have server A's
host keys).  Can someone else explain why the above isn't possible?

	-Mike
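
Added example, not part of the original message and not OpenSSH code: a simplified Python model of the session binding Till Maas refers to. In SSH protocol 2 the client signs data that begins with the session identifier (RFC 4252), and that identifier is the key-exchange hash covering the server host key and the Diffie-Hellman values (RFC 4253). The toy RSA key, the small DH group, the host-key strings and the user name are constructed for illustration.

```python
import hashlib
import secrets

P, G = 2**127 - 1, 3  # toy Diffie-Hellman group (constructed, far too small for real use)
# Toy RSA user key built from two Mersenne primes (constructed for this example).
N, E = (2**61 - 1) * (2**89 - 1), 65537
D = pow(E, -1, (2**61 - 2) * (2**89 - 2))  # private exponent, known only to the client

def digest(*fields):
    """SHA-256 over length-prefixed fields."""
    m = hashlib.sha256()
    for f in fields:
        b = f if isinstance(f, bytes) else str(f).encode()
        m.update(len(b).to_bytes(4, "big") + b)
    return m.digest()

def sign(data):
    """Client: toy hash-then-RSA signature with the private exponent."""
    return pow(int.from_bytes(digest(data), "big") % N, D, N)

def verify(data, sig):
    """Server: check the signature using only the public key (N, E)."""
    return pow(sig, E, N) == int.from_bytes(digest(data), "big") % N

def key_exchange(host_key):
    """One DH exchange; returns the session id both ends of that connection derive."""
    x = secrets.randbelow(P - 2) + 1   # initiator's ephemeral secret
    y = secrets.randbelow(P - 2) + 1   # responder's ephemeral secret
    e, f = pow(G, x, P), pow(G, y, P)
    k = pow(f, x, P)                   # shared secret, equal to pow(e, y, P)
    return digest(host_key, e, f, k)   # simplified exchange hash

def auth_request(session_id, user="client-user"):
    """Data covered by the signature: session id first, then the request fields."""
    return digest(session_id, user, "ssh-connection", "publickey")

def relay_attempt():
    """Client authenticates to B; B forwards the same signature to A."""
    sid_client_b = key_exchange(b"host key of Server B")  # client <-> B connection
    sid_b_a = key_exchange(b"host key of Server A")       # B <-> A connection
    sig = sign(auth_request(sid_client_b))  # client only ever signs its own session id
    accepted_by_b = verify(auth_request(sid_client_b), sig)
    accepted_by_a = verify(auth_request(sid_b_a), sig)    # A checks against its session id
    return accepted_by_b, accepted_by_a

if __name__ == "__main__":
    print(relay_attempt())
```

In this model relay_attempt() returns (True, False): the signature is valid for the client-to-B session but not for the B-to-A session, because the two connections have different session identifiers.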



