clogin vulnerable to MITM attack with ssh host keys
john heasley
heas at shrubbery.net
Fri Jun 10 00:59:01 UTC 2005
Wed, Jun 08, 2005 at 11:20:44PM -0400, Ed Ravin:
> I disagree with what this fragment of clogin does:
>
> -re "(Host key not found |The authenticity of host .* be established).*\(yes\/no\)\?" {
>     send "yes\r"
>     send_user "\nHost $router added to the list of known hosts.\n"
>     exp_continue }
>
> Translation - if you don't have a host key already stored in your
> known_hosts file(s), clogin will accept whatever is provided by the
> remote host. This acceptance is vulnerable to a man-in-the-middle
> attack, since you have no way of verifying that you're talking to
> the host you think you are. Worse yet, it's done silently with no
> notification to the user if RANCID is running in batch mode - the
> message that the keys were accepted should make it into the logs,
> but if the man-in-the-middle attack was successful and RANCID is
> able to fetch the config, the user won't notice any problems.
>
> I recommend that this be turned into an error condition, or better yet,
> use "-o Batchmode=yes" in the ssh command line options, so that ssh
> will fail rather than prompt you for any of these conditions. The RANCID
> documentation should remind the user that they need to make sure they can
> ssh to the router cleanly before using RANCID.
ISTR that the additions used to appear in the logs. Changing that
send_user to send_error would do that.
I'm not sure what ssh (or possibly an ssh.conf option) you are using, but
mine fails when the key changes, here:
-re "HOST IDENTIFICATION HAS CHANGED.* \(yes\/no\)\?" {
    send "no\r"
    send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n"
    return 1 }
-re "Offending key for .* \(yes\/no\)\?" {
    send "no\r"
    send_user "\nError: host key mismatch for $router. Update the SSH known_hosts file accordingly.\n"
    return 1 }
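The fail-rather-than-accept behaviour both posts argue for, as an added sh example that is not part of this thread or of rancid's clogin: it checks that the router's key is already pinned in known_hosts before any login, and passes BatchMode=yes plus StrictHostKeyChecking=yes so ssh exits non-zero on a new or changed key instead of prompting. The known_hosts file, host names and key blobs are constructed.

```sh
#!/bin/sh
# Preflight for a non-interactive (batch) ssh login: refuse to run unless the
# router's host key is already pinned, then build ssh options under which a new
# or changed key makes ssh fail instead of prompting for a "yes".

# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
KNOWN_HOSTS=$(mktemp)
cat >"$KNOWN_HOSTS" <<'EOF'
# router pinned on the default port, by name and address
rtr1.example.net,192.0.2.1 ssh-rsa AAAA-constructed-key-1
# a non-default port uses the [host]:port form
[rtr2.example.net]:2222 ssh-ed25519 AAAA-constructed-key-2
|1|c2FsdA==|aGFzaA== ssh-rsa AAAA-constructed-key-3
EOF

# has_known_host FILE HOST: 0 if HOST appears in a plain hostnames field.
# Hashed entries (|1|...) and wildcard patterns are not expanded here; use
# "ssh-keygen -F HOST -f FILE" when those are in play.
has_known_host() {
    file=$1; host=$2
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|'@'*|'|1|'*) continue ;; esac
        set -f; set -- $line; set +f; hosts=$1   # field 1, no globbing
        oldifs=$IFS; IFS=,
        for h in $hosts; do
            case $h in "$host"|"[$host]:"*) IFS=$oldifs; return 0 ;; esac
        done
        IFS=$oldifs
    done <"$file"
    return 1
}

# ssh_batch_opts FILE: options a batch login always passes; any prompt
# (unknown key, changed key, password) then ends in a non-zero exit instead.
ssh_batch_opts() {
    printf '%s' "-o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$1"
}

# preflight HOST: prints the ssh options and returns 0, or logs an error and
# returns 1 so a cron-driven caller sees a hard failure, not a silent key add.
preflight() {
    if has_known_host "$KNOWN_HOSTS" "$1"; then
        ssh_batch_opts "$KNOWN_HOSTS"
    else
        echo "Error: no host key pinned for $1 in $KNOWN_HOSTS; refusing to connect" >&2
        return 1
    fi
}
```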