clogin vulnerable to MITM attack with ssh host keys

John Dorsey dorsey at
Thu Jun 9 21:45:32 UTC 2005


> Does the Pix pair also have individual IP addresses that don't change?
> Then you could poll them by their individual addresses, and detect failover
> some other way (preferably with a monitoring system that will page someone
> to go look at the problem).

	Not as of 6.3.x.  7.0 may have something, since it does some
different tricks w.r.t. redundancy.

	The problem isn't one of detecting failover.  Although I do see
failovers in rancid, they're easy to catch with SNMP.  I've got an OID
around here somewhere that does that.

> > 	If the current MITM-exposed behavior was optionally available,
> > my concern would be satisfied.
> It already is - put "add sshcmd * {ssh\ -o\ Batchmode=yes}" in cloginrc.  That
> should keep ssh from asking any interactive questions.

	Aha!  Excellent.  I've spent too little time under the covers of
rancid; this is just what I was looking for.

> > Unfortunately, I don't currently have
> > any time available for coding a patch.  I might, in a few weeks.
> I think a comment in clogin to inform the next curious person who reads the
> code, and a few words in the cloginrc man page would be sufficient.

	Given the above, it's (much) less effort than I thought.  I
still probably won't do anything with it very soon, but I'll try to get
around to it if nobody beats me to the punch.

	Would such a patch be accepted into the project?

John Dorsey

More information about the Rancid-discuss mailing list