Re: the SSH worm thing

On Wed, 2005-05-11 at 19:47 +0200, Tomas Mraz wrote:
> On Wed, 2005-05-11 at 13:34 -0400, Alan Cox wrote:
> > On Wed, May 11, 2005 at 10:04:12AM -0700, Florin Andrei wrote:
> > > http://www.schneier.com/blog/archives/2005/05/the_potential_f.html

> > I'm not convinced it helps very much. I'll just read every .history file on
> > your machine and hash the hostnames I find in that against the database.

Right, but the entries in the .history files are typically short-lived,
while the ones in known_hosts are, more or less, forever.

I just verified my .bash_history file and it has 10 different
addresses/hostnames that I ssh'ed to. known_hosts has 40. That's approx.
halfway through to the next order of magnitude. And I'm using ssh quite
a lot.

Slowing down the attack vector by (almost) an order of magnitude is no
small feat - I bet you it translates into many orders of magnitude in
the difference between the population exhaustion times. Agreed, it
depends on a multitude of factors, but it could be the difference
between a malware that takes the Internet by storm, and a moderate
infection that can be contained.

> > There are just far too many other ways to identify an ssh host entry/key and
> > to then use that the same way the analysed user has.

True, but there's no universal cure for anything. You gotta take a first
step somewhere.
This first step is practically gratis.

> Also if the attacker could read the known_hosts file he could also
> change the user's environment so it instead of ssh calls a malicious
> script/binary which would log user's credentials and only then called
> the real ssh binary.

Correct, but the hash-armoured known_hosts file has the purpose of stopping
a potential SSH worm from spreading like wildfire: infect a machine,
then in a few seconds infect a dozen more, repeat. It's the same
exponential growth mechanism that made some Outlook malware, which was
able to read the address book, so dangerous.
The mechanism you describe is entirely different, it's an altogether
different attack.

-- 
Florin Andrei

http://florin.myip.org/

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-devel-list
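Added example, not part of the thread and not OpenSSH's own code: it builds known_hosts entries the way HashKnownHosts does (the `|1|salt|hash|` field is base64 of a 20-byte random salt and of HMAC-SHA1 keyed with that salt over the hostname), then plays out the two sides of the argument above. A worm that only has the hashed file learns nothing about hosts it cannot already guess; a worm that also has a candidate list, here hostnames lifted from a constructed .bash_history, can test each candidate against every entry. Hostnames, salts and the key blob below are constructed sample data.

```python
"""Hashed known_hosts: construction, lookup, and dictionary recovery.
Example code written for this discussion; not from OpenSSH. All hosts,
salts and keys below are constructed sample data."""
import base64
import hashlib
import hmac
import os
import shlex
from typing import Dict, List, Optional, Set

# ssh(1) options that take an argument; their value must not be read as a host
SSH_OPTS_WITH_ARG = set("bceilmopDEFIJLOQRSwW")


def hash_host(host: str, salt: Optional[bytes] = None) -> str:
    """Hashed host field as written with HashKnownHosts=yes:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))|
    The salt is 20 random bytes per line, so the same host never
    hashes to the same string twice across entries."""
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(),
                           base64.b64encode(digest).decode())


def host_matches(hashed_field: str, host: str) -> bool:
    """Recompute the HMAC with the entry's own salt and compare."""
    marker, salt_b64, digest_b64 = hashed_field.strip("|").split("|")
    if marker != "1":
        raise ValueError("unsupported known_hosts hash type")
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(digest_b64))


def known_hosts_fields(text: str) -> List[str]:
    """First column (host pattern, hashed or plain) of each real line."""
    return [ln.split()[0] for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def targets_from_history(history: str) -> Set[str]:
    """Hostnames an attacker can lift from shell history lines of the
    form 'ssh [opts] [user@]host [cmd]'. A non-default port is written
    the way known_hosts stores it: [host]:port."""
    targets = set()
    for line in history.splitlines():
        try:
            argv = shlex.split(line)
        except ValueError:
            continue
        if not argv or argv[0] != "ssh":
            continue
        port, host, args, i = "22", None, argv[1:], 0
        while i < len(args):
            if args[i] == "-p" and i + 1 < len(args):
                port, i = args[i + 1], i + 2
            elif args[i].startswith("-"):
                i += 2 if args[i][1:] in SSH_OPTS_WITH_ARG else 1
            else:
                host = args[i].rsplit("@", 1)[-1]
                break
        if host:
            targets.add(host if port == "22" else "[%s]:%s" % (host, port))
    return targets


def recover_hosts(known_hosts: str, history: str) -> Dict[str, int]:
    """Hash every candidate against every entry; returns {candidate: hits}.
    Entries for hosts that appear in no candidate list stay hidden."""
    fields = known_hosts_fields(known_hosts)
    found = {}
    for cand in targets_from_history(history):
        hits = sum(1 for f in fields
                   if (host_matches(f, cand) if f.startswith("|1|")
                       else cand in f.split(",")))
        if hits:
            found[cand] = hits
    return found


# Constructed sample data (fixed salts so the example is repeatable).
SALT_A, SALT_B, SALT_C = bytes(range(20)), bytes(range(20, 40)), bytes(range(40, 60))
FAKE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotRealxxxxxxxxxxxxxxxxxxxxx"
SAMPLE_KNOWN_HOSTS = "\n".join([
    hash_host("build01.example.internal", SALT_A) + " " + FAKE_KEY,
    hash_host("10.0.0.7", SALT_B) + " " + FAKE_KEY,      # never typed in history
    hash_host("[git.example.internal]:2222", SALT_C) + " " + FAKE_KEY,
])
SAMPLE_HISTORY = "\n".join([
    "ssh build01.example.internal",
    "ssh -p 2222 -i ~/.ssh/id_ed25519 git.example.internal",
    "ssh root@backup.example.internal uptime",         # not in known_hosts
    "ls -la",
])

if __name__ == "__main__":
    print(SAMPLE_KNOWN_HOSTS)
    print("candidates from history:", sorted(targets_from_history(SAMPLE_HISTORY)))
    print("recovered:", recover_hosts(SAMPLE_KNOWN_HOSTS, SAMPLE_HISTORY))
```

Running it recovers build01 and the git host on port 2222 (both in history and in known_hosts), does not find backup (in history only), and never learns about 10.0.0.7: with hashing, the worm's reach is bounded by what it can guess, which is the point being argued on both sides of the thread.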
