BugTraq
Strength and Weakness of Methods to Confirm SSH Host Key Sep 22 2014 07:51AM
John Leo (johnleo checkssh com) (1 replies)
Re: [FD] Strength and Weakness of Methods to Confirm SSH Host Key Sep 24 2014 05:36PM
Gunnar Wolf (gwolf gwolf org)
John Leo dijo [Mon, Sep 22, 2014 at 03:51:57PM +0800]:
> Monkeysphere
> (advice from maxigas)
> "verify your SSH key through the OpenPGP web of trust"
> Strength: OpenPGP is cool if you REALLY know how to use it.
> Weakness: "vote counting scheme" does not sound too cool.

The "vote counting" goes against knowing whether the signing key is
valid or not. When you are asserting the identity of a site you
control, or a site you trust, this would only become a *second* chain
of trust, if I understand you right. And, of course, the signer
*should* be the same as the site operator!

> "use of an organization's own HTTPS site"
> (advice from Stephanie Daugherty)
> In my personal opinion, this is the best solution.
> Weakness: basically nothing - it's very secure.

A PKI is just the same as the vote counting you mention for OpenPGP,
but with money involved and a single point of failure. That is, having
the key in a HTTPS site will just mean the organization paid the PKI
cartel for a certificate strong enough for a given purpose, not that
it is the legitimate organization.

> "use DNSSEC to validate SSH fingerprints"
> (advice from Micha Borrmann / Jeroen van der Ham / john)
> This is a good solution.
> Weakness: HTTPS is more mature than DNSSEC(in my personal opinion).

The three above are +- the same â?? different out-of-band channels to
establish a given message (the key fingerprint) is genuine.

> "ssh-keyscan -p 22 domain.com ..."
> (advice from Busindre)
> It's the same as running "ssh" directly.

Right. We wil also do it implicitly every time we connect to said
host, unless our ssh client is *very* badly configured.

> Check SSH(https://checkssh.com/)
> (we made it)
> Strength: this definitely stops ALL local bad boys.
> Weakness:
> While it's open source(and source code is less than 100 lines)...
> We simply won't give you root password of the server(you don't own the server).
> If adversary is EXTREMELY powerful:
> It's better to set up your own Check SSH.

Humh, still... the heart of your site is:

shell_exec("ssh-keyscan -p ".$p." ".$h." > ".$f);
$r=shell_exec("ssh-keygen -l -f ".$f." 2>&1");

So, what difference would that make WRT running ssh-keyscan from a
host we currently trust already?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJUIwENAAoJEGc6A+TB25If17oP/3wPJTL/bhV9VzM7yVMAzwFF
zlE4PI+UGhlSAuFAP/ILOfWk5AdAPYZXGbfQ8rTU44BBXs+kA9SdBKSeOHn+Kpiz
KpC47U25K2BEcn7vsEJ+siJCDsgLzAkePRYmXvDEM03QDXIGD+PSXq3CwvR+canC
byddYwMNtbowdK3RW7up4fYwoQZhc51c9ZOsP5mg0ac+bi2FzyCVfZ8/f2x4YMAC
QodAGP4l8LyYQpCi6HSIm1zP6ebLqfdTda4Bpjb8QjqHaHaz5sSnH5u3ch8YvAyG
DNBtQbJgQgpw5BrNIxiYNjmGy8FyiiWGBEk8xz/7yOAAKJQfmK1TZ3LxvZljG3h0
MBemp8z6ReZpfxm90UIWqDf8Juh6cwYUkmAXYDnZ6tgw8+t7uvKicd/ekjTG+Hvh
pA+/oDkUeECdHz2cI5stmqEVFpBNgCCGRM8AR1dzWS3MXpTp1Q57zrdlHGenLsXT
ihKwyK01xH3JOByODCJP88eeC5DhaIzS6GAys3FnmyJsanKh/TiLWUyjr3J72KK7
vB1aax40amgi2VFK9tNXHjGPC7FskvdIO6z9uL1xX7SbV4KZ8Eas+Xmq0sNrwNkX
AbmAPtv+NimelNK9a+UtfZozu60gZVQlhD9wJPeqtfSSeFsnDChv6mvcpUtPuoc9
UwB4BER1dGNUgnTVFKy6
=HCax
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus