zypA13510
commented
5 years ago -
Whether or not you can delete keystrokes in the buffer via backspace is determined by multiple factors.
-
Sorry, but I failed to see the connection how that makes it a MITM vulnerability.
- If you want to quit the ssh client immediately during host key confirmation, use Ctrl+C or
killcommand. - If you would like to remove a public key from the known hosts, read the manual of
ssh-keygen. - If you realized but not knowing the validation has failed and keeps on entering your password, the software is not to be blamed, you are. : In key-based authentication, your private key is never sent to the server/attacker. Only password-based authentication may be affected by your proposed MITM scheme.
- If you want to quit the ssh client immediately during host key confirmation, use Ctrl+C or
-
The line you're referring to is from pristine OpenSSH 5.2 source [git blame]. I failed to find any related CVE on MITM vulnerability for OpenSSH 5.2. Even if it has known vulnerabilities, I wouldn't be surprised, given that it's released almost 10 years ago.
-
It would be responsible to report any security issue privately with the maintainers instead of in a public place like GitHub issues.
Btw, this project is long dead.
Man in the middle attack vector found in
sshconnect.cDuplicate:
yesbut then realizes, oh boy, it's a man in the middle attack, and yet the backspace key is broken (thanks, peanut butter). So then ultimately submitsyes_waitnobackspaceisbrokenyesanswer. The database and files are hacked and everything lost. The CTO writes a blog post on Medium as a postmortem, but loses entire customer base. Great, ssh.See line here: https://github.com/brl/obfuscated-openssh/blob/ca93a2c09cf0f6d2f80e7daca18a669045665a3b/sshconnect.c#L570
The check for the
yesvalue only checks to see thatyesis at position 0. If the user types inyesohwaitmybackspacekeyisbroken_imeantnothey will be potentially vulnerable to a man in the middle attack, not knowing the validation has failed them.Scary stuff.