[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: SSH key spoofing

To: or-talk@xxxxxxxxxxxxx
Subject: Re: SSH key spoofing
From: Robert Hogan <robert@xxxxxxxxxxxxxxx>
Date: Wed, 3 Jan 2007 19:20:24 +0000
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Wed, 03 Jan 2007 14:20:55 -0500
In-reply-to: <3922422b0701030054p7cfe9779xe1984d939e6ba21@mail.gmail.com>
References: <20070103063000.GD1155@fscked.org> <3922422b0701030054p7cfe9779xe1984d939e6ba21@mail.gmail.com>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: KMail/1.9.4

On Wednesday 03 January 2007 08:54, Ringo Kamens wrote:
> Wouldn't constantly changing ssh keys make it more secure?
>

he means the tor exit node is constantly changing the ssh keys it supplies to 
perform man in the middle attacks; rather than changing the keys it uses for 
tls/ssl or whatever.

> On 1/2/07, Mike Perry <mikepery@xxxxxxxxxx> wrote:
> > Deliberately breaking threading so this doesn't fall through the
> > cracks.
> >
> > Thus spake Robert Hogan (robert@xxxxxxxxxxxxxxx):
> > > Got this when testing an ssh connection:
> > >
> > > WARNING: DSA key found for host shell.sf.net
> > > in /home/robert/.ssh/known_hosts:8
> > > DSA key fingerprint 4c:68:03:d4:5c:58:a6:1d:9d:17:13:24:14:48:ba:99.
> > > The authenticity of host 'shell.sf.net (66.35.250.208)' can't be
> >
> > established
> >
> > > but keys of different type are already known for this host.
> > > RSA key fingerprint is cf:9b:db:c4:53:c3:f0:0d:e8:c4:15:33:61:71:01:ca.
> > > Are you sure you want to continue connecting (yes/no)? no
> > >
> > >
> > > Tor first attempted to attach a circuit with toxischnet as it's exit.
> > > This didn't work, so it then used tormentor. I then got the above.
> > >
> > > I subsequently used both toxischnet and tormentor to connect without
> > > any
> >
> > key
> >
> > > authentication issues. The RSA fingerpint is not listed by sourceforge.
> > >
> > > http://sourceforge.net/docs/G04/en/#fingerprintlist
> > >
> > > Malice? Misconfiguration of some sort? Anyone care to test either of
> > > these exits?
> >
> > Hrmm.. My scanner seems to be getting hung on some bug (possibly one
> > that I'm tickling in Tor or possibly my own), so I haven't seen this
> > during automatic scanning yet, but I can confirm manually that
> > tormentor IS in fact regularly changing ssh keys. It should be
> > delisted as an exit ASAP.
> >
> > toxischnet is currently hibernating, so its hard to say on that one.
> >
> > --
> > Mike Perry
> > Mad Computer Scientist
> > fscked.org evil labs

-- 

KlamAV - An Anti-Virus Manager for KDE - http://www.klamav.net
TorK   - A Tor Controller For KDE      - http://tork.sf.net

Follow-Ups:
- Public lists of exit nodes?
  - From: Dan Collins

References:
- SSH key spoofing
  - From: Mike Perry
- Re: SSH key spoofing
  - From: Ringo Kamens

Prev by Author: Re: question about router depth
Next by Author: Re: more letters from the feds
Previous by thread: Re: SSH key spoofing
Next by thread: Public lists of exit nodes?
Index(es):
- Author
- Thread