Securing SSH Connections

Sure, traffic between an SSH client and server is enciphered, but how can a client be more certain that the correct server is the one directly processing its requests? A man-in-the-middle attack occurs when an SSH server poses as the desired host and forwards messages between the desired host and the client. The fake SSH server can decipher the enciphered messages it receives from the client, because it provides its own public key for the client to use. The fake SSH server then acts as a client to the desired SSH server, passing along the client's messages. Verifying the fingerprint of a server’s public key helps minimize the efficacy of man-in-the-middle attacks.

The following command prints the fingerprint of the server's SSH host key on typical Unix-like system configurations:

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

The SSH protocol was intended to use a certificate authority (CA) to ensure that clients were connecting to the desired server. Many SSH server and client installations currently do not rely on a CA to identify each to the other. This is why the SSH server’s key fingerprint is as important as login and password information when given to remote users. Without a good certificate authority in place, users should disallow connections to servers with unrecognized keys and manually insert the key fingerprints into applications such as PuTTY. When a message indicates that a connection cannot be made or that the key fingerprint has changed, attempts to connect should be discontinued, and the server’s administrator should be notified immediately.
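What the fingerprint is, and how a pinned value exposes a substituted key, as an added example that is not part of the original post: the SHA256 and legacy MD5 forms printed by ssh-keygen -l are hashes of the decoded key blob in the .pub file. The function names and the constructed ssh-ed25519 sample keys are assumptions for illustration; the same hashing applies to an RSA host key.

```python
import base64
import hashlib
import struct


def parse_pubkey_line(line):
    """Return (key_type, blob) from an OpenSSH public key line such as the
    contents of /etc/ssh/ssh_host_rsa_key.pub: '<type> <base64> [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    # The blob begins with a length-prefixed copy of the key type name.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob


def fingerprint(line, algorithm="sha256"):
    """Fingerprint in the form ssh-keygen -l prints (SHA256 or legacy MD5)."""
    _, blob = parse_pubkey_line(line)
    if algorithm == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algorithm == "md5":
        hexd = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))
    raise ValueError("unsupported algorithm")


def matches_pinned(line, pinned):
    """True only if the offered key hashes to the fingerprint the administrator gave out."""
    algorithm = "md5" if pinned.startswith("MD5:") else "sha256"
    return fingerprint(line, algorithm) == pinned


def sample_line(key_bytes, comment="root@example"):
    """Constructed ssh-ed25519 public key line (sample data, not a real host key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key_bytes)) + key_bytes
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    genuine = sample_line(bytes(range(32)))   # key the administrator published
    impostor = sample_line(bytes(32))         # different key offered by a fake server
    pinned = fingerprint(genuine)
    print(pinned, matches_pinned(genuine, pinned), matches_pinned(impostor, pinned))
```
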
