clogin vulnerable to MITM attack with ssh host keys

Ed Ravin eravin at panix.com
Thu Jun 9 18:24:16 UTC 2005


On Thu, Jun 09, 2005 at 01:12:19PM -0500, John Dorsey wrote:
> 
> [unsafe ssh host key handling deleted]
> 
> 	I agree with your security stance.  Unfortunately, there are
> some inobvious operational obstacles to handling this correctly.
> 
> 	One I'm aware of is the handling of ssh host keys by redundant
> pairs of pix firewalls.  In Pix failover, the devices swap their IP and
> MAC addresses, but not their ssh host keys[1].  So when the pix pair
> fails, a new host key is seen.  I don't want to miss a rancid update,
> especially just after a failover, which may have been influenced by a
> configuration change.

Does the Pix pair also have individual IP addresses that don't change?
Then you could poll them by their individual addresses, and detect failover
some other way (preferably with a monitoring system that will page someone
to go look at the problem).

> 	If the current MITM-exposed behavior was optionally available,
> my concern would be satisfied.

It already is - put "add sshcmd * {ssh\ -o\ Batchmode=yes}" in cloginrc.  That
should keep ssh from asking any interactive questions.

> Unfortunately, I don't currently have
> any time available for coding a patch.  I might, in a few weeks.

I think a comment in clogin to inform the next curious person who reads the
code, and a few words in the cloginrc man page would be sufficient.

	-- Ed
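As an added illustration that is not part of the thread or of rancid's own documentation, the following constructed .cloginrc fragment shows the sshcmd setting discussed above combined with explicit host key pinning; the known_hosts path is an assumption and the escaped-space form follows the line quoted in the reply.

```tcl
# Constructed .cloginrc fragment (example only, not rancid's shipped defaults).
#
# BatchMode=yes stops ssh from asking interactive questions, so clogin never
# gets to answer a host-key prompt on the device's behalf.
# StrictHostKeyChecking=yes makes ssh refuse both unknown and changed keys.
# UserKnownHostsFile points at a file kept only for rancid, so the pinned keys
# can be placed under change control like any other configuration.
# The path below is an assumed value for this example.
add sshcmd * {ssh\ -o\ BatchMode=yes\ -o\ StrictHostKeyChecking=yes\ -o\ UserKnownHostsFile=/var/rancid/.ssh/known_hosts}

# With these options, a key change (for example after a Pix failover, as raised
# in the thread) causes the ssh login to fail instead of being silently
# accepted; the failed rancid run is the signal to re-verify and re-pin the key.
```

The per-device known_hosts entries must be collected and verified out of band before the first run, since strict checking refuses any host that is not already listed.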


