clogin vulnerable to MITM attack with ssh host keys

Ed Ravin eravin at
Thu Jun 9 03:20:44 UTC 2005

I disagree with what this fragment of clogin does:

    # clogin's handler for an unknown or unverifiable host key: it answers
    # ssh's "(yes/no)?" prompt with "yes" and carries on.
    -re "(Host key not found |The authenticity of host .* be established).*\(yes\/no\)\?" {
        send "yes\r"
        send_user "\nHost $router added to the list of known hosts.\n"
        exp_continue }

Translation - if you don't have a host key already stored in your
known_hosts file(s), clogin will accept whatever is provided by the
remote host.  This acceptance is vulnerable to a man-in-the-middle
attack, since you have no way of verifying that you're talking to
the host you think you are.  Worse yet, it's done silently with no
notification to the user if RANCID is running in batch mode - the
message that the keys were accepted should make it into the logs,
but if the man-in-the-middle attack was successful and RANCID is
able to fetch the config, the user won't notice any problems.

I recommend that this be turned into an error condition, or better yet,
use "-o Batchmode=yes" in the ssh command line options, so that ssh
will fail rather than prompt you for any of these conditions.  The RANCID
documentation should remind the user that they need to make sure they can
ssh to the router cleanly before using RANCID.

	-- Ed
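An added example of the two safeguards Ed asks for, written for this page and not taken from his post or from RANCID/clogin: a pre-flight check that refuses to ssh to a router with no stored host key and then invokes ssh with BatchMode=yes so that any remaining prompt fails instead of being auto-answered, plus a log check that flags the "Host ... added to the list of known hosts" message clogin prints when it accepts a key on its own. The known_hosts entries, log lines, hostnames and keys are constructed for the example; the function names are assumptions, not clogin's.

```shell
#!/bin/sh
# Added example (not part of the original post or of RANCID/clogin).
#   1. has_host_key / build_ssh_command: only talk to routers whose host key
#      is already in known_hosts, and run ssh with -o BatchMode=yes so a new
#      or changed key, or a password prompt, makes ssh fail rather than wait.
#   2. find_silent_accepts: scan a clogin/RANCID log for the line clogin
#      prints when it silently accepted a host key.
# Hostnames, keys and log lines below are constructed for the example.

# Return 0 if host $2 has a plain-text (unhashed) entry in known_hosts $1.
# Handles comma-separated host lists and the "[host]:port" form. Hashed
# entries (first field starts with "|") cannot be matched by name and are
# skipped, so use ssh-keygen -F for such files in real deployments.
has_host_key() {
    awk -v h="$2" '
        substr($1, 1, 1) != "|" {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h || names[i] == "[" h "]:22") found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Print the ssh command a collector should run for router $2 with known_hosts
# $1, or fail with status 2 when no key is stored. The command is printed
# rather than executed so the example runs offline; a real wrapper would exec it.
build_ssh_command() {
    if ! has_host_key "$1" "$2"; then
        echo "ERROR: no host key for $2 in $1; verify and add it out of band first" >&2
        return 2
    fi
    echo "ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$1 $2"
}

# Print the routers for which clogin's log records a silently accepted host
# key (the send_user message in the fragment above); return 1 if none.
find_silent_accepts() {
    sed -n 's/^Host \(.*\) added to the list of known hosts\.$/\1/p' "$1" | grep .
}

# --- constructed sample data -------------------------------------------------
TMPDIR_EX=$(mktemp -d)
trap 'rm -rf "$TMPDIR_EX"' EXIT
KNOWN_HOSTS="$TMPDIR_EX/known_hosts"
CLOGIN_LOG="$TMPDIR_EX/rancid.log"

cat > "$KNOWN_HOSTS" <<'EOF'
router1.example.net,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-KEY-1
[router3.example.net]:22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-PLACEHOLDER-KEY-3
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-HASHED-ENTRY
EOF

cat > "$CLOGIN_LOG" <<'EOF'
router1.example.net: spawn ssh -x -l rancid router1.example.net
Host router2.example.net added to the list of known hosts.
router2.example.net: fetched config
EOF

# Stand-alone demonstration: router1 is known, router2 is not, and the log
# shows router2's key was accepted without anyone verifying it.
build_ssh_command "$KNOWN_HOSTS" router1.example.net
build_ssh_command "$KNOWN_HOSTS" router2.example.net || echo "refused router2 (status $?)"
echo "silently accepted keys for:"; find_silent_accepts "$CLOGIN_LOG" || echo "(none)"
```

The pre-flight check is deliberately conservative: a hashed known_hosts entry is not matched by name, so a file written with HashKnownHosts enabled should be queried with ssh-keygen -F instead of this awk. The log check is the batch-mode counterpart of Ed's point that the acceptance message reaches the logs but nobody reads it; running it after each collection turns that line into an alert.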

