Bugtraq mailing list archives
Re: SSH & xauth
From: provos () CITI UMICH EDU (Niels Provos)
Date: Mon, 28 Feb 2000 18:03:03 -0500
Hi Robert,

This thread was about how default configurations can have negative impact on security. You mention the CheckHostIP option in OpenSSH. CheckHostIP defaults to 'yes'. It introduces only additional checks and has no influence on permitting an SSH session to proceed. Thus it has no negative impact on your system security.

I do not agree with your assumption that most SSH servers use dynamic IP addresses. I believe that for the majority of users the contrary is true. However, if you are in an environment with dynamic IP addresses, you can turn the CheckHostIP option off.

In message <Pine.NEB.3.96L.1000225211428.18984A-100000 () fledge watson org>, Robert Watson writes:
> You can even imagine DNS-based spoofing causing some problems, if combined with IP spoofing, as ssh-by-ip to a spoofed host would not generate an unknown key warning, instead, it would connect with full trust. This attack is a little of a stretch on convenience for the attacker, but is feasible.

This is not true. If you did not authorize a (canonical hostname, public key) binding [by inserting it into OpenSSH's knownhosts file], you will always get a warning. Please verify your facts before you post.

If you have questions about OpenSSH in the future, you can reach us at openssh () openssh com.

Greetings,
Niels.