Skip Menu |
 

This queue is for tickets about the Net-SSH-Perl CPAN distribution.

Report information
The Basics
Id: 54161
Status: open
Priority: 0/
Queue: Net-SSH-Perl

People
Owner: Nobody in particular
Requestors: ban.nobuhiro [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Net::SSH::Perl ignores host key mismatch
Date: Sun, 31 Jan 2010 15:18:34 +0900
To: bug-Net-SSH-Perl [...] rt.cpan.org
From: Nobuhiro Ban <ban.nobuhiro [...] gmail.com>
Download (untitled) / with headers
text/plain 2.9k
Distribution name and version: Net-SSH-Perl-1.34 Perl version: v5.10.0 built for i486-linux-gnu-thread-multi Operating System vendor and version: Debian GNU/Linux 5.0.3 (Linux 2.6.24) * Description Most SSH clients check the change of the host key for security reason. These checks protect connections against the Man-in-the-middle attacks. But, as for Net::SSH::Perl, this check doesn't work well. This library silently accepts the changed key and connects to the host. * Example Alice, connects to bob.example.org by the code like: Show quoted text
>use Net::SSH::Perl; >my $ssh = Net::SSH::Perl->new("bob.example.org") or die; >...
Bob, the owner of the SSH host bob.example.org. Mallory, an attacker. (1) Before the change of the host key. Show quoted text
>alice% cat ~/.ssh/known_hosts2 >bob.example.org ssh-dss AAAA...(The key of Bob)
(2) Someday the host key of bob.example.org changed (e.g. cracked by the attacker Mallory). Net::SSH::Perl ignores this change, and silently adds a new entry. Show quoted text
>alice% cat ~/.ssh/known_hosts2 >bob.example.org ssh-dss AAAA...(The key of Bob) >bob.example.org ssh-dss AAAA...(The key of Mallory)
If Alice tries to connect to bbb.example.org with OpenSSH client 5.1p1 (instead of Net::SSH::Perl), she will be warned: Show quoted text
>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ >@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ >@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ >IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! >Someone could be eavesdropping on you right now (man-in-the-middle attack)!
* Code analysis In Net::SSH::Perl::check_host_key , Show quoted text
> my $status = _check_host_in_hostfile($host, $u_hostfile, $key); > unless (defined $status && $status == HOST_OK) { > $status = _check_host_in_hostfile($host, $s_hostfile, $key); > }
The first call of _check_host_in_hostfile($host, $u_hostfile, $key) returns HOST_CHANGED, but second call of _check_host_in_hostfile($host, $s_hostfile, $key) overwrite it by HOST_NEW. Show quoted text
> if ($status == HOST_OK) { > $ssh->debug("Host '$host' is known and matches the host key."); > } > elsif ($status == HOST_NEW) { > if ($ssh->{config}->get('interactive')) {
(snip) Show quoted text
> } > $ssh->debug("Permanently added '$host' to the list of known hosts."); > _add_host_to_hostfile($host, $u_hostfile, $key); > } > else { > croak "Host key for '$host' has changed!"; > }
So the second case is selected, silently added the changed key to $u_hostfile if not "interactive" setting. * Suggested fix In Net::SSH::Perl::check_host_key , my $status = _check_host_in_hostfile($host, $u_hostfile, $key); - unless (defined $status && $status == HOST_OK) { + unless (defined $status && ($status == HOST_OK || $status == HOST_CHANGED)) { $status = _check_host_in_hostfile($host, $s_hostfile, $key); } * Additional comment I think the default behavior for HOST_NEW (silently adding a new key) is very insecure.
From: pszmytka [...] gmail.com
Wow, this seems to be a serious security bug.
Download (untitled) / with headers
text/plain 650b
On Sun Jan 31 01:19:54 2010, ban.nobuhiro@gmail.com wrote: Show quoted text
> * Suggested fix > > In Net::SSH::Perl::check_host_key , > my $status = _check_host_in_hostfile($host, $u_hostfile, $key); > - unless (defined $status && $status == HOST_OK) { > + unless (defined $status && ($status == HOST_OK || $status == > HOST_CHANGED)) { > $status = _check_host_in_hostfile($host, $s_hostfile, $key); > }
I added this patch to the new public repo https://github.com/renormalist/Net-SSH-Perl for an upcoming release. Thanks! Kind regards, Steffen -- Steffen Schwigon <ss5@renormalist.net> Dresden Perl Mongers <http://dresden-pm.org/>
Download (untitled) / with headers
text/plain 407b
On Mon Dec 03 11:16:04 2012, SCHWIGON wrote: Show quoted text
> I added this patch to the new public repo > > https://github.com/renormalist/Net-SSH-Perl
And just for the records, I verified it works as expected. I just don't know how to write a test for it, so if any colunteer finds this ticket, feel free to contribute. Steffen -- Steffen Schwigon <ss5@renormalist.net> Dresden Perl Mongers <http://dresden-pm.org/>


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.