While developing OpenSSH Niels Provos <provosat_private> has discovered the following flaw in ssh-1.2.27. Older versions may be affected, too: During connection setup the ssh-server sends it's public host key information to the client. This information consists of the RSA parameters 'e', 'n' and the size of 'n' in bits. The ssh-1.2.27 client does not check whether the announced size is equal to the actual size of 'n' and blindly uses the supplied information, displays it to the user and saves the information in the ~/.ssh/known_hosts file. Thus it is possible for a malicious server to announce a parameter size of 1024 bits while actually transmitting a host key with only 1017 bits (the 7 most significant bits are set to 0). While this _may_ not be actively exploitable it is at least misleading, since the user thinks he is using a 'more' secure key. Needless to mention that OpenSSH does check the actual size of the transmitted parameter 'n'. MfG, -markus
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:46 PDT