nanog mailing list archives
Re: beware: being old sucks
From: Tom Beecher via NANOG <nanog () lists nanog org>
Date: Sun, 31 Aug 2025 12:32:21 -0400
> Dan, good point about Cisco IOS's implementation of ssh pubkey storage.

Respectfully, it is not a good point. It is not correct.

Cisco IOS, like anything else doing public-key auth on SSH, does store the public keys. It has to, otherwise SSH could not work. The fingerprints are used to IDENTIFY the public key to be used, not to REPLACE it.

> Indeed, Cisco's implementation is not great.

Foundational design of public key cryptography is that the public half of the keypair is, well, public. That also means that any derivative from a standard hashing function of it is also public.

- Alice creates keypair. Gives the public key to Bob.
- In transit to Bob, Eve sees the complete public key.
- Eve now has the public key, and can calculate its MD5 / SHA-* fingerprints all they want.

But again, what happens if Eve tries to USE the information she has to pretend to be Alice?

- Eve attempts to SSH to Bob, using Alice's key fingerprint.
- Bob matches the fingerprint to Alice's public key, generates the challenge, encrypts with Alice's public key, and sends it back to Eve.
- Eve cannot decrypt the challenge, because she does not have Alice's private key.

The challenge fails, the connection is closed.

It doesn't matter if Cisco calculates the fingerprint from MD5, SHA-256, or Wingdings. (Sidebar: It can't actually use Wingdings.)

Fingerprints are just pointers to the actual key material that is to be used for the authentication parts, and hashing them to something shorter just reduces processing time to get there, with no loss of security.

On Sun, Aug 31, 2025 at 11:37 AM Liudvikas Bukys via NANOG <nanog () lists nanog org> wrote:
> Dan, good point about Cisco IOS's implementation of ssh pubkey storage. One typo in your Medium article: You typed 'You’ve “uploaded” your private key', you meant 'You’ve “uploaded” your public key'.
>
> Indeed, Cisco's implementation is not great. A quick fix for them (while still conserving storage) would be to store a salted hash instead, and while they're at it, make it SHA instead of MD5.
>
> On Sun, Aug 31, 2025 at 5:40 AM Dan Mahoney via NANOG <nanog () lists nanog org> wrote:
>
>> Randy,
>>
>> Something else I recently discovered that relates to this issue: I think there’s a serious flaw in the way ssh key hashes are done on IOS. I’ve been in touch with Cisco CSIRT about it, and they’ve approved publication, but in short, if you’re using pubkey auth to a cisco device, you might want to rethink it.
>>
>> Short version: Unlike normal pubkeys, IOS only stores an md5 hash of your key to auth against, and you can thus use any key that matches that hash. Which an attacker now has.
>>
>> https://gushi.medium.com/what-i-learned-from-configuring-ssh-pubkey-auth-on-cisco-ios-cbeb1e5b3b77
>> (should not be paywalled, email me privately if it is)
>>
>> On Aug 30, 2025, at 11:30, Randy Bush via NANOG <nanog () lists nanog org> wrote:
>>
>>> a fellow nanogger wrote:
>>>
>>>> I've only *just* gotten to the note from a week or more ago.
>>>>
>>>>> + tftp-server nvram:startup-config <<<<<<======
>>>>> snmp-server community foo 98
>>>>> snmp-server trap-source Vlan1
>>>>> snmp-server location Ashburn VA US
>>>>
>>>> I, too, got this from a RANCID setup I built a long time ago.
>>>>
>>>>> and here is the talos report, thanks joe
>>>>> https://blog.talosintelligence.com/static-tundra/
>>>>>
>>>>> set `no vstack` in config. no, that is not the default.
>>>>
>>>> I'd told the owner that I didn't think he had control of his gear anymore, but this helped me to convince him to put a new switch in.
>>>
>>> moving this to nanog because i did not elaborate on a critical point.
>>>
>>> when you get this, presume the config of this trivial ancient device has been snatched.
>>>
>>> did the device have any burned in users, a la
>>>
>>> username foo privilege 15 password 7 bar
>>>
>>> and that uid/pass is used on other, presumably more modern, devices, you need to change the passwords everywhere. same for other credentials, snmp, bgpmd5, ...
>>>
>>> randy
>>> _______________________________________________
>>> NANOG mailing list
>>> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HJ64BOPTJ75K3EX5AEHR4E4LW5OZEEQG/
>> _______________________________________________
>> NANOG mailing list
>> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/FKCDTX5WO74LJBAE5DDNDBW3V7J76AB7/
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/OQDHFFJ4UUTAWJ7LWOBBUDNCFPQN62CW/
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/SJV75EK2XMVPICAWKFDIF47EWAOYCEI2/
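
Added example, not part of any message in this thread and not code from Cisco or OpenSSH: the MD5 and SHA-256 fingerprints discussed above are plain hashes of the public key blob, and this Python code computes both from an OpenSSH-style public key line. The function names are hypothetical and the sample key is constructed from made-up bytes.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Return (key type, raw key blob) from a '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob carries its own copy of the key type; reject a mismatch so a
    # relabelled line is not fingerprinted under the wrong algorithm name.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != key_type:
        raise ValueError("key type in line does not match key type in blob")
    return key_type, blob


def fingerprints(blob: bytes) -> dict[str, str]:
    """Both forms are hashes of the public blob only; no secret is involved."""
    md5_hex = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return {
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256_b64.rstrip("="),
    }


# Constructed sample: a syntactically valid ssh-rsa blob built from made-up
# bytes (exponent 65537 and filler modulus bytes). It is not a usable key.
_SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
                + _ssh_string(b"\x00" + b"\xa5" * 64))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(_SAMPLE_BLOB).decode() + " alice@example"

if __name__ == "__main__":
    kind, key_blob = parse_pubkey_line(SAMPLE_LINE)
    print(kind, fingerprints(key_blob))
```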
