Re: [9fans] SSH Version2

Re: [9fans] SSH Version2

[Russ Cox]

> ever heard of ettercap? the ultimate in script kiddie packet sniffing
> technology? it can break ssh1.
> http://ettercap.sourceforge.net/

that's not true.  it can stand in as a man-in-the-middle
for an active attack on ssh1.  that's only going to work
if you've never connected to the host before, or if you
ignore the man-in-the-middle warnings when the other end's
host key doesn't work out right.  to do that requires you
are proxy arping for the victim server, which limits the
attack even further.

from their readme:

5.4.4 SSH1 MAN-IN-THE-MIDDLE

 When the connection starts (remember that we are the master-of-packets, all
 packets go through ettercap) we substitute the server public key with one
 generated on the fly and save it in a list so we can remember that this
 server has been poisoned before.
 Then the client send the packet containing the session key ciphered with
 our key, so we are able to decipher it and sniff the real 3DES session key.
 Now we encrypt the packet with the correct server public key and forward it
 to the SSH daemon.
 The connection is established normally, but we have the session key !!
 Now we can decrypt all the traffic and sit down watching the stream !
 The connection will remain active even if we exit from ettercap, because
 ettercap doesn't proxy it (like dsniff). After the exchange of the keys,
 ettercap is only a spectator... ;)

russ

Re: [9fans] SSH Version2

[Andrew]

On Mon, Oct 07, 2002 at 12:21:51PM -0400, Russ Cox wrote:
> > ever heard of ettercap? the ultimate in script kiddie packet sniffing
> > technology? it can break ssh1.
> > http://ettercap.sourceforge.net/

i should have clarified that yes. But getting someone's username and
password is one of the things i consider breaking a protocol. The whole
point is to keep that from happening, and when it does, the protocol
failed to work and is therefore broken. Granted this attack only happens
when you have a script kiddie sitting in the right place, but that limits
its usability, you can only try to connect somewhere when you are on a
network you trust (or are ignorant of). the idea behind ssh and all other
tools like it, is so you can work on a network you dont entirely trust,
if we always trusted networks we'd use telnet.

on the comment about ssh2, it was made more complicated specifically so
it would be harder to break, and said theory has held true because as
you said yourself, the ettercap guys havent figured it out yet. i want it
to be difficult for someone to get my username and password, impossible
is not an option yet, but one can certainly make it more difficult.

>
> that's not true.  it can stand in as a man-in-the-middle
> for an active attack on ssh1.  that's only going to work
> if you've never connected to the host before, or if you
> ignore the man-in-the-middle warnings when the other end's
> host key doesn't work out right.  to do that requires you
> are proxy arping for the victim server, which limits the
> attack even further.
>
> from their readme:
>
> 5.4.4 SSH1 MAN-IN-THE-MIDDLE
>
>  When the connection starts (remember that we are the master-of-packets, all
>  packets go through ettercap) we substitute the server public key with one
>  generated on the fly and save it in a list so we can remember that this
>  server has been poisoned before.
>  Then the client send the packet containing the session key ciphered with
>  our key, so we are able to decipher it and sniff the real 3DES session key.
>  Now we encrypt the packet with the correct server public key and forward it
>  to the SSH daemon.
>  The connection is established normally, but we have the session key !!
>  Now we can decrypt all the traffic and sit down watching the stream !
>  The connection will remain active even if we exit from ettercap, because
>  ettercap doesn't proxy it (like dsniff). After the exchange of the keys,
>  ettercap is only a spectator... ;)
>
> russ

Re: [9fans] SSH Version2

[William K. Josephson]

On Mon, Oct 07, 2002 at 09:57:46AM -0700, Andrew wrote:

> on the comment about ssh2, it was made more complicated specifically so
> it would be harder to break, and said theory has held true because as
> you said yourself, the ettercap guys havent figured it out yet. i want it
> to be difficult for someone to get my username and password, impossible
> is not an option yet, but one can certainly make it more difficult.

At least as you present it, I don't think this
a very convincing argument.  SSH2 is complicated
and likely more secure that SSH1.  I do not think
that these two facts should be confused with each
other, or worse yet that the added complication
should be credited with the increased security.
SSH2 is merely that much harder to implement safely
and correctly.

Re: [9fans] SSH Version2

[Andrew]

On Mon, Oct 07, 2002 at 10:16:22PM -0400, William K. Josephson wrote:
> On Mon, Oct 07, 2002 at 09:57:46AM -0700, Andrew wrote:
>
> > on the comment about ssh2, it was made more complicated specifically so
> > it would be harder to break, and said theory has held true because as
> > you said yourself, the ettercap guys havent figured it out yet. i want it
> > to be difficult for someone to get my username and password, impossible
> > is not an option yet, but one can certainly make it more difficult.
>
> At least as you present it, I don't think this
> a very convincing argument.  SSH2 is complicated
> and likely more secure that SSH1.  I do not think
> that these two facts should be confused with each
> other, or worse yet that the added complication
> should be credited with the increased security.
> SSH2 is merely that much harder to implement safely
> and correctly.

it wasnt meant to be a convincing argument, but the fact stands that its
not as vulnerable at the moment as ssh1, not in theory but in practice,
granted in theory anything can be broken, practice is what counts though.

so long as its your password and not mine i couldnt care either way.

Re: [9fans] SSH Version2

[William Josephson]

On Mon, Oct 07, 2002 at 09:14:57PM -0700, Andrew wrote:

> so long as its your password and not mine i couldnt care either way.

Heh.  When it really matters, my computers aren't
even on the network and I don't return disks under
warrantee.  I guarantee you I am more paranoid :-/

Re: [9fans] SSH Version2

[Andrew]

well anyways, i think my original point was that there are in fact some
problems with ssh1, and consequently ssh2, which ive not denied, but to
date, there are fewer known holes, and fewer tools for it. And I think/hope
that we can at least agree that neither ssh1/2 in fact bulletproof,
which in that case means we are actually arguing the same thing.

I often frown at posts of "what foo security problems?" or something
to that effect, "what sendmail problems?" a friend mentioned, it just
rings to heavily of ignoring a problem and then assuming it just isnt
there. It seemed to me, at least at the time, that that was the case. Sure
ettercap only can do a MITM attack now, so? it _can_ sniff your password,
therefore there is a problem. therefore saying "what protocol 1 problems"
in a way that would infer there are no problems with it, is wrong;
and thats all i wanted to point out, not that ssh2 somehow miraculously
solves the problem once and for all, i never said that.


On Tue, Oct 08, 2002 at 01:25:10AM -0400, Russ Cox wrote:
> > on the comment about ssh2, it was made more complicated specifically so
> > it would be harder to break, and said theory has held true because as
>
> NO NO NO.  It happened to be made more complicated.
> Things that are more complicated are not necessarily harder
> to break, and often easier to break.  Making it more
> complicated was very likely not a design goal.
>
> > you said yourself, the ettercap guys havent figured it out yet. i want it
>
> Not true.  The ettercap guys haven't implemented it yet.
> That's not the same as haven't figured it out yet.
> The MITM attack remains the same.  They haven't implemented SSH2
> support, just like we haven't.  This is very VERY different.
>
> > to be difficult for someone to get my username and password, impossible
> > is not an option yet, but one can certainly make it more difficult.
>
> Impossible _is_ an option (modulo the attacker just happening to guess
> the right password or key, which is unavoidable).
>
> Also, don't use SSH in password mode.  Use it with public keys
> or with challenge/response.  Not as good as PAK, but much better
> than sending a password.
>
> > network you trust (or are ignorant of). the idea behind ssh and all other
> > tools like it, is so you can work on a network you dont entirely trust,
> > if we always trusted networks we'd use telnet.
>
> There's a difference between working on a network you don't entirely
> trust and working on a network that is a complete unknown to you.
> If you're that paranoid, just get the host keys via an out-of-band
> mechanism, and you'll never have a problem.
>
> I mean, come on.  What kind of paranoid are you if you ignore messages like:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA1 host key has just been changed.
> The fingerprint for the RSA1 key sent by the remote host is
> 2e:0e:82:ba:a3:d0:00:9a:ba:6d:87:e3:e0:b6:22:88.
> Please contact your system administrator.
> Add correct host key in /home/ny3/rsc/.ssh/known_hosts to get rid of this message.
> Offending key in /home/ny3/rsc/.ssh/known_hosts:33
> RSA1 host key for labrador.eecs.harvard.edu has changed and you have requested strict checking.
> Host key verification failed.
>
> Russ

Re: [9fans] SSH Version2

[Russ Cox]

> on the comment about ssh2, it was made more complicated specifically so
> it would be harder to break, and said theory has held true because as

NO NO NO.  It happened to be made more complicated.
Things that are more complicated are not necessarily harder
to break, and often easier to break.  Making it more
complicated was very likely not a design goal.

> you said yourself, the ettercap guys havent figured it out yet. i want it

Not true.  The ettercap guys haven't implemented it yet.
That's not the same as haven't figured it out yet.
The MITM attack remains the same.  They haven't implemented SSH2
support, just like we haven't.  This is very VERY different.

> to be difficult for someone to get my username and password, impossible
> is not an option yet, but one can certainly make it more difficult.

Impossible _is_ an option (modulo the attacker just happening to guess
the right password or key, which is unavoidable).

Also, don't use SSH in password mode.  Use it with public keys
or with challenge/response.  Not as good as PAK, but much better
than sending a password.

> network you trust (or are ignorant of). the idea behind ssh and all other
> tools like it, is so you can work on a network you dont entirely trust,
> if we always trusted networks we'd use telnet.

There's a difference between working on a network you don't entirely
trust and working on a network that is a complete unknown to you.
If you're that paranoid, just get the host keys via an out-of-band
mechanism, and you'll never have a problem.

I mean, come on.  What kind of paranoid are you if you ignore messages like:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA1 host key has just been changed.
The fingerprint for the RSA1 key sent by the remote host is
2e:0e:82:ba:a3:d0:00:9a:ba:6d:87:e3:e0:b6:22:88.
Please contact your system administrator.
Add correct host key in /home/ny3/rsc/.ssh/known_hosts to get rid of this message.
Offending key in /home/ny3/rsc/.ssh/known_hosts:33
RSA1 host key for labrador.eecs.harvard.edu has changed and you have requested strict checking.
Host key verification failed.

Russ

Re: [9fans] SSH Version2

[William K. Josephson]

On Mon, Oct 07, 2002 at 02:09:25PM -0400, Eric Grosse wrote:

>Any volunteers from outside?  We'd happily take back improved code and replace
>what's in the distribution.

I got half way through it in August and intend
to get back to it in the next couple of weeks.
I'll pass around an alpha when I have it ready.

> Also, if anyone following this more closely knows for a fact that tools
> for script kiddies can routinely hijack existing sessions or break in to
> the idle server under our implementation, please send mail and we'll
> rearrange our priorities.

Please let me know if you do as I already have
much of the low-level packet handling code
completed and a good start on the upper layers,
too.  No support for factotum yet, though.

Re: [9fans] SSH Version2

[Eric Grosse]

> yikes, does that mean Plan9 is subject to the ssh1 problems other systems are
> warned not to pursue (via switching to ssh2)?

We're not vulnerable to the integer overflow leading to root compromise, because
our implementation is independent and we happen not to have the same bugs.

But yes, we're vulnerable to the CRC/CBC attacks inherent in the protocol;  see
  http://www.kb.cert.org/vuls/id/13877
for details.  Unlike the integer overflow and man-in-the-middle attacks, this
one is not straightforward to launch.    Patches to other ssh implementations
have often introduced worse holes than the original problem, so we're inclined to
just switch to ssh2.  As further motivation, we mainly use ssh to call from Plan 9
to Unix systems and those will increasingly allow only ssh2.  But nobody here has
had time to do the work yet.

Any volunteers from outside?  We'd happily take back improved code and replace
what's in the distribution.

Also, if anyone following this more closely knows for a fact that tools for script
kiddies can routinely hijack existing sessions or break in to the idle server
under our implementation, please send mail and we'll rearrange our priorities.

Eric

Re: [9fans] SSH Version2

[Markus Friedl]

On Mon, Oct 07, 2002 at 09:02:36AM -0700, Andrew wrote:
> On Mon, Oct 07, 2002 at 02:51:29PM +0200, Markus Friedl wrote:
> > On Mon, Oct 07, 2002 at 10:42:38AM +0000, Jeff Sickel wrote:
> > > Russ Cox <rsc@plan9.bell-labs.com> wrote:
> > > > our ssh client only does ssh1.
> > >
> > > yikes, does that mean Plan9 is subject to the ssh1 problems other systems are
> > > warned not to pursue (via switching to ssh2)?
> >
> > what protocol 1 problems?
> ever heard of ettercap?

sure.  but it's not really related to ssh protocol version 1.

> the ultimate in script kiddie packet sniffing
> technology? it can break ssh1.
> http://ettercap.sourceforge.net/

it does not apply to ssh protocol 1 only. it applies
to version 2 and (to some degress) ssl, too.  it
just implements a MITM attack.

-m

Re: [9fans] SSH Version2

[Russ Cox]

I should add that it seems just as possible to do this in SSH2,
but since the protocol is significantly more complicated, the
ettercap guys just haven't gotten around to it.

Russ

Re: [9fans] SSH Version2

[Andrew]

On Mon, Oct 07, 2002 at 02:51:29PM +0200, Markus Friedl wrote:
> On Mon, Oct 07, 2002 at 10:42:38AM +0000, Jeff Sickel wrote:
> > Russ Cox <rsc@plan9.bell-labs.com> wrote:
> > > our ssh client only does ssh1.
> >
> > yikes, does that mean Plan9 is subject to the ssh1 problems other systems are
> > warned not to pursue (via switching to ssh2)?
>
> what protocol 1 problems?
ever heard of ettercap? the ultimate in script kiddie packet sniffing
technology? it can break ssh1.
http://ettercap.sourceforge.net/

Re: [9fans] SSH Version2

[Markus Friedl]

On Mon, Oct 07, 2002 at 10:42:38AM +0000, Jeff Sickel wrote:
> Russ Cox <rsc@plan9.bell-labs.com> wrote:
> > our ssh client only does ssh1.
>
> yikes, does that mean Plan9 is subject to the ssh1 problems other systems are
> warned not to pursue (via switching to ssh2)?

what protocol 1 problems?

Re: [9fans] SSH Version2

[Jeff Sickel]

Russ Cox <rsc@plan9.bell-labs.com> wrote:
> our ssh client only does ssh1.

yikes, does that mean Plan9 is subject to the ssh1 problems other systems are
warned not to pursue (via switching to ssh2)?

Re: [9fans] SSH Version2

[Russ Cox]

our ssh client only does ssh1.

[9fans] SSH Version2

[Adrian]

I`m having trouble connecting to a FreeBSD box
that only allows SSH2. Is this a config problem or is version 2
not currently supported ?

Adrian