Full Disclosure mailing list archives

Re: Strength and Weakness of Methods to Confirm SSH Host Key


From: Gunnar Wolf <gwolf () gwolf org>
Date: Wed, 24 Sep 2014 12:36:13 -0500

John Leo said [Mon, Sep 22, 2014 at 03:51:57PM +0800]:
> Monkeysphere
> (advice from maxigas)
> "verify your SSH key through the OpenPGP web of trust"
> Strength: OpenPGP is cool if you REALLY know how to use it.
> Weakness: "vote counting scheme" does not sound too cool.

The "vote counting" goes against knowing whether the signing key is
valid or not. When you are asserting the identity of a site you
control, or a site you trust, this would only become a *second* chain
of trust, if I understand you right. And, of course, the signer
*should* be the same as the site operator!

> "use of an organization's own HTTPS site"
> (advice from Stephanie Daugherty)
> In my personal opinion, this is the best solution.
> Weakness: basically nothing - it's very secure.

A PKI is just the same as the vote counting you mention for OpenPGP,
but with money involved and a single point of failure. That is, having
the key in a HTTPS site will just mean the organization paid the PKI
cartel for a certificate strong enough for a given purpose, not that
it is the legitimate organization.

> "use DNSSEC to validate SSH fingerprints"
> (advice from Micha Borrmann / Jeroen van der Ham / john)
> This is a good solution.
> Weakness: HTTPS is more mature than DNSSEC (in my personal opinion).

The three above are more or less the same: different out-of-band channels to
establish that a given message (the key fingerprint) is genuine.

> "ssh-keyscan -p 22 domain.com ..."
> (advice from Busindre)
> It's the same as running "ssh" directly.

Right. We will also do it implicitly every time we connect to said
host, unless our ssh client is *very* badly configured.

> Check SSH (https://checkssh.com/)
> (we made it)
> Strength: this definitely stops ALL local bad boys.
> Weakness:
> While it's open source (and source code is less than 100 lines)...
> We simply won't give you root password of the server (you don't own the server).
> If adversary is EXTREMELY powerful:
> It's better to set up your own Check SSH.

Humh, still... the heart of your site is:


      shell_exec("ssh-keyscan -p ".$p." ".$h." > ".$f);
      $r=shell_exec("ssh-keygen -l -f ".$f." 2>&1");

So, what difference would that make WRT running ssh-keyscan from a
host we currently trust already?
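An added example for this thread (not code from checkssh.com, Gunnar, John or any other poster) that ties the three out-of-band methods together: it takes the line that `ssh-keyscan` prints, derives the `SHA256:...` string that `ssh-keygen -l` would print for it, builds the SSHFP record the site operator would publish in DNS (algorithm and fingerprint-type numbers from RFC 4255, RFC 6594, RFC 7479 and RFC 8709), and checks a keyscan line against a set of SSHFP records. The hostname and key bytes are constructed, not a real host. Fetching the records is deliberately left out: the check is only worth anything if the DNS answer was DNSSEC-validated (an AD bit from a validating resolver, or `VerifyHostKeyDNS=yes` in a client that validates), otherwise it is just another unauthenticated channel.

```python
"""Relate ssh-keyscan output, ssh-keygen -l fingerprints and SSHFP records.

Added example for the thread; not checkssh.com's code or any poster's.
All key material and hostnames below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers: RFC 4255 (RSA, DSA), RFC 6594 (ECDSA),
# RFC 7479 (Ed25519), RFC 8709 (Ed448).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
SSHFP_SHA256 = 2  # fingerprint type 2 = SHA-256 (RFC 6594); 1 = SHA-1, obsolete


def parse_keyscan_line(line: str):
    """Split one 'host keytype base64blob' line as printed by ssh-keyscan."""
    host, keytype, b64, *_ = line.split()
    return host, keytype, base64.b64decode(b64)


def openssh_fingerprint(blob: bytes) -> str:
    """The SHA256:... string 'ssh-keygen -l' prints: base64 of the digest, no padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_rdata(keytype: str, blob: bytes) -> str:
    """Presentation form of the SSHFP record for this key: '<alg> <fptype> <hex>'."""
    alg = SSHFP_ALGORITHM[keytype]
    return f"{alg} {SSHFP_SHA256} {hashlib.sha256(blob).hexdigest()}"


def sshfp_matches(line: str, records) -> bool:
    """True if the key on the keyscan line matches a SHA-256 SSHFP record.

    Records of another algorithm, or of the obsolete SHA-1 type, are ignored
    rather than treated as a match. The caller must already have established
    that `records` came from a DNSSEC-validated answer.
    """
    _, keytype, blob = parse_keyscan_line(line)
    if keytype not in SSHFP_ALGORITHM:
        return False
    expected_alg = SSHFP_ALGORITHM[keytype]
    have = hashlib.sha256(blob).hexdigest()
    for rdata in records:
        alg, fptype, hexdigest = rdata.split()
        if int(alg) != expected_alg or int(fptype) != SSHFP_SHA256:
            continue
        if hmac.compare_digest(have, hexdigest.lower()):
            return True
    return False


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed key: wire format of an ssh-ed25519 public key with a dummy
# 32-byte point. Enough to exercise the hashing; it is not a real host key.
CONSTRUCTED_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
CONSTRUCTED_LINE = "example.invalid ssh-ed25519 " + base64.b64encode(CONSTRUCTED_BLOB).decode()

if __name__ == "__main__":
    host, keytype, blob = parse_keyscan_line(CONSTRUCTED_LINE)
    print(host, keytype, openssh_fingerprint(blob))
    record = sshfp_rdata(keytype, blob)
    print("SSHFP record to publish:", record)
    print("matches:", sshfp_matches(CONSTRUCTED_LINE, [record]))
```

In practice the `records` list would come from something like `dig +dnssec SSHFP host` with the AD flag checked, and the keyscan line from a host you already trust, which is exactly the point made above: the scan itself is the easy part, the hard part is the channel that tells you the fingerprint is the right one.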
