[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[linux-security] Weaknesses in the SSH protocol
- To: linux-security
- Subject: [linux-security] Weaknesses in the SSH protocol
- From: Martin Siegert <siegert@sfu.ca>
- Date: Fri, 6 Apr 2001 13:40:19 -0700
- User-Agent: Mutt/1.2.5i
Topic
=====
Possible to determine password length
Problem description
===================
Weaknesses in the SSH protocols can be used by a passive attacker to deduce
information about passwords entered over an encrypted connection. This
information can be used to reduce the number of possible solutions which
need to be tested to perform a brute-force attack. This reduces the amount
of time and resources required to mount such an attack successfully.
OpenSSH 2.5.1 and 2.5.2 include modifications which, while not completely
resolving this problem, reduce the risks by changing certain server
behaviors to make passive analysis more difficult.
Affected Systems
================
All versions of ssh. OpenSSH with versions >= 2.5.1 are not vulnerable.
I do not know whether the commercial SSH version (from www.ssh.com) has
a fix available.
Solution
========
Upgrade to openssh-2.5.2p2
Please, read the Remarks section at the end of this advisory!
RedHat 7.0
----------
rpm -Fvh openssh-2.5.2p2-1.7.i386.rpm \
openssh-askpass-2.5.2p2-1.7.i386.rpm \
openssh-askpass-gnome-2.5.2p2-1.7.i386.rpm \
openssh-clients-2.5.2p2-1.7.i386.rpm \
openssh-server-2.5.2p2-1.7.i386.rpm
RedHat 6.x
----------
RedHat 6.x did not come with openssh. I have rebuild the RedHat 7 rpms
for RedHat 6.x (for x < 2 you will have to upgrade you initscript package
in order to use this: rpm -Fvh initscripts-5.00-1.i386.rpm). In order to
use these packages you must upgrade the openssl package to version 0.9.6.
All of these packages can be found on sphinx in
/vol/vol1/distrib/redhat/contrib. Upgrade with
rpm -Fvh openssl-0.9.6-1.i386.rpm \
openssl-devel-0.9.6-1.i386.rpm \
openssl-misc-0.9.6-1.i386.rpm \
openssh-2.5.2p2-1.6.x.i386.rpm \
openssh-askpass-2.5.2p2-1.6.x.i386.rpm \
openssh-askpass-gnome-2.5.2p2-1.6.x.i386.rpm \
openssh-clients-2.5.2p2-1.6.x.i386.rpm \
openssh-server-2.5.2p2-1.6.x.i386.rpm
Please email me, if you find problems with these rpms.
Alternatively you can upgrade using the packages from www.openssh.com.
Mandrake 7.0
------------
rpm -Fvh openssh-2.5.2p2-1.6mdk.i586.rpm \
openssh-askpass-2.5.2p2-1.6mdk.i586.rpm \
openssh-askpass-gnome-2.5.2p2-1.6mdk.i586.rpm \
openssh-clients-2.5.2p2-1.6mdk.i586.rpm \
openssh-server-2.5.2p2-1.6mdk.i586.rpm
Mandrake 7.1
------------
rpm -Fvh openssh-2.5.2p2-1.5mdk.i586.rpm \
openssh-askpass-2.5.2p2-1.5mdk.i586.rpm \
openssh-askpass-gnome-2.5.2p2-1.5mdk.i586.rpm \
openssh-clients-2.5.2p2-1.5mdk.i586.rpm \
openssh-server-2.5.2p2-1.5mdk.i586.rpm
Mandrake 7.2
------------
rpm -Fvh openssh-2.5.2p2-1.4mdk.i586.rpm \
openssh-askpass-2.5.2p2-1.4mdk.i586.rpm \
openssh-askpass-gnome-2.5.2p2-1.4mdk.i586.rpm \
openssh-clients-2.5.2p2-1.4mdk.i586.rpm \
openssh-server-2.5.2p2-1.4mdk.i586.rpm
Remarks
=======
1) There is a bug in all versions of OpenSSH upto (and including) 2.5.1p1:
the rijndael/aes implementation was not having the correct endian macros
defined and was defaulting to little endian in all cases. In previous
versions this was usually not a problem because rijndael/aes was a fair
way down on the list of ciphers that were negotiated. However, in version
2.5.2p2 rijndael/aes was moved so that it is always negotiated if the
client & server support it. This becomes a problem, if you try to make
a connection from a machine running 2.5.2p2 to a big endian machine
(e.g., Suns, SGIs, etc.) running openssh versions < 2.5.2p2. If you
see an error message similar to
c2 2c 5e 45 38 ea 9a 73 7d d1 23 5b 8e a1 84 7b
Disconnecting: Bad packet length -1037279675.
you ran into this problem. Connection with a different cipher solves
this problem, e.g.,
# ssh -c 3des-cbc <hostname>
should work.
At SFU this should not be a problem since all Suns in ACS/OTS (fraser, etc.)
were upgraded to version 2.5.2p2.
2) This version of OpenSSH will use a RSA key for ssh protocol version 2 by
default. That is it will use the RSA server key even if the RSA key
is not present in your ~/.ssh/authorized_keys2 file but the DSA is.
This behaviour will result in a message
The authenticity of host 'xyz (w.x.y.z)' can't be established.
RSA key fingerprint is 4b:f8:81:be:9e:bc:7d:0c:37:e6:ba:c8:30:72:6e:0c.
Are you sure you want to continue connecting (yes/no)?
You will even see this message although you had made connections to that
host before. You can disable this behaviour in ssh servers by commenting
out the RSA key in the /etc/ssh/sshd_config file:
replace
HostKey /etc/ssh/ssh_host_rsa_key
with
#HostKey /etc/ssh/ssh_host_rsa_key
All Suns in ACS/OTS have RSA keys for protocol version 2 disabled.