SSH transitive trust attack [LWN.net]

SSH transitive trust attack

Posted Jul 12, 2005 1:54 UTC (Tue) by dskoll (subscriber, #1630)
In reply to: The coming Web security woes (News.com) by dlang
Parent article: The coming Web security woes (News.com)

and this approach opens all those machines up to a transitive trust attack.

Presumably, you encrypt your SSH keys with a passphrase. And newer versions of SSH store hashes of hostnames in the "known hosts" file, making this kind of attack a lot harder.

(Log in to post comments)

SSH transitive trust attack

Posted Jul 12, 2005 2:02 UTC (Tue) by emkey (guest, #144) [Link]

Lets just say that there are still ways around that. And yes, I know of at least one which I won't mention here in public.

Anyone who doesn't authenticate to each and every system they connect to by means of some form of password (preferably a one time password) is very very foolish in my opinion if they don't think they are seriously compromising their security.

Takes me back to the days when sun shipped all their systems with /etc/hosts.equiv files that had nothing but a single plus and users created .rhosts files that included every system they logged into or from.

SSH transitive trust attack

Posted Jul 14, 2005 12:29 UTC (Thu) by nix (subscriber, #2304) [Link]

Lets just say that there are still ways around that. And yes, I know of at least one which I won't mention here in public.

That's more than mildly reminiscent of `the lurkers support me in e-mail'. (Obviously if a keylogger is running on your machine, your passphrase is toast!)

SSH transitive trust attack

Posted Jul 14, 2005 13:57 UTC (Thu) by emkey (guest, #144) [Link]

No, it is very much reminiscent of somebody (me) who doesn't want to give out sensitive information. And thats all I can say alas.