[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] dns-Spoofing and ssh?



Hallo Frank,

On Thursday 30 March 2006 10:28, Moskito wrote:
> the manpage of ssh_config describes the option CheckHostIP which is
> enabled by default.
> The description tells, that this option can protect from dns-spoofing
> attacks.
>
> I just wondered how a dns-spoofing attack to ssh could work in general?
> if i ssh to a machine:
> ssh host1
> the ssh client will resolve the ip of host (could be dns, depends on
> resolv.conf), connects to the host and checks the hostkey of host1
> against /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts.
> If someone manages to give me a wrong ip for host1 and i connect to this
> fakehost ssh should complain about the wrong hostkey...
> Why do i need some kind of extra dns-spoofing protection?
>
Because the next two statements are not equivalent:
- The well-known IP address for a domain name has changed
- The SSH server identification has changed

Nevertheless, in most DNS spoofing attacks both cases will occur, as you have 
mentioned.

Cheers,
Andreas

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here