Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: SSH & xauth
From: provos () CITI UMICH EDU (Niels Provos)
Date: Mon, 28 Feb 2000 18:03:03 -0500


Hi Robert,

This thread was about how default configurations can have negative
impact on security. You mention the CheckHostIP option in OpenSSH.
CheckHostIP defaults to 'yes'.  It introduces only additional checks
and has not influence on permitting an SSH session to proceed. Thus it
has no negative impact on your system security.

I do not agree with your assumption that most SSH servers use dynamic
IP addresses.  I believe that for the majority of users the contrary
is true.  However, if you are in an environment with dynamic IP
addresses, you can turn the CheckHostIP option off.

In message <Pine.NEB.3.96L.1000225211428.18984A-100000 () fledge watson org>, Robe
rt Watson writes:
You can even imagine DNS-based spoofing causing some problems, if combined
with IP spoofing, as ssh-by-ip to a spoofed host would not generate an
unknown key warning, instead, it would connect with full trust.  This
attack is a little of a stretch on convenience for the attacker, but is
feasible.
This is not true.  If you did not authorize a (canonical hostname,
public key) binding [by inserting it into OpenSSH's knownhosts file],
you will always get a warning.  Please verify your facts before you
post.

If you have questions about OpenSSH in the future, you can reach us at
openssh () openssh com 

Greetings,
 Niels.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]