ssh man-in-the-middle

naomi · 05-19-2005, 09:57 AM

pls help me!!.. an acquaintance used ssh login to victimize me in a man-in-the-middle attack. i know it was just for fun but is there some way i could protect myself from it or better yet maybe teach me how to do it

i know this is out of character... but i want revenge

i'm currently using fedora core 3 in a small network of around 16 computers

i looked around the net trying to figure out man-in-the-middle but to no avail (sigh)

freakyg · 05-19-2005, 12:04 PM

I found this FAQ..............

http://www.onsight.com/faq/ssh/ssh-faq-1.html

Quote:

1.12 . Shouldn't I be using only SSH2?

Maintainer's note: Since this brought up an interesting discussion on the mailing list, it seems to be a good idea to incorporate some of the helpful information that folks brought up. Thanks! Also, if someone has a better way to organize this section, please let me know.

The SSH1 protocol is not being developed anymore, as SSH2 is being developed as the standard. Even if you are not using SSH2, many folks are establishing a path towards it. With three implementations (and growing) of SSH2 currently in the works, there is growing support (especially with the SSH2 protocol in IETF draft). However, there are arguments for and against running SSH1.

Note: If you have any additional arguments either way, I'll post them. -AC

* There are structural weaknesses in SSH1 which leave it open to additional attacks
* SSH1 is subject to a man-in-the-middle attack
* SSH1 has more supported platforms
* SSH1 supports .rhosts authentication (it's against the draft for SSH2
* SSH1 has more diverse authentication support (AFS, Kerberos, etc.)
* Performance for SSH2 is not equal to SSH1

Dr. Psy · 05-19-2005, 02:04 PM

SSH man in the middle attack can be done with dnsspoof and sshmitm, included in the Dsniff package

http://www.monkey.org/~dugsong/dsniff/

As a side note, when someone on your network attempts this, you should recieve the notice below when attempting to SSH into a remote machine. If you have not changed anything recently in regards to SSH, and get this message, it may indicate an SSH man-in-the-middle attack. If that's the case, then drop the log in, and investigate the possible attack.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now
(man-in-the-middle attack)! It is also possible that
the host-key has just been changed. Please contact
your system administrator.