[j-nsp] protect ssh and telnet

Tore Anderson tore at fud.no
Tue Apr 5 12:18:39 EDT 2016


* Saku Ytti

> If you want to do this right today, the correct way is to extract
> public key in secure manner (What is secure? OOB not really, but maybe
> human on-site) and store them in your jump box for user-wide
> consumption, and raise alarm if host keys have changed. So whoever is
> physically installing RE, should also make sure hostkeys are updated
> securely in centralised location.
> 
> I'm sure someone out there does this, but I'm going to say that at
> least 99% of user-base (All vendors) just accept any key always.

Speaking only for myself, I'd accept a server key change only if it's a
device that is known to have been recently replaced/zeroized/etc. I'd
*never* accept a key changing without that being expected for some
reason known in advance.

I'll also accept unknown keys when accessing devices recently added to
the network.

These corner cases both give a small opportunity for a successful MitM
attack, but I must admit I sleep well at night anyway.

> Making SSH really no safer than Telnet.

That's not really true even if you blindly accept any changed/unknown
SSH key, because telnet will leak information like login credentials in
cleartext to any passive listener while mounting a successful attack on
SSH requires MitM capability. That's more difficult to pull off. Also,
if you're using SSH keys your login credentials won't leak even if you
are successfully MitMed.

Tore
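An added example, not from this thread, of the workflow the two posts describe: compare freshly scanned host keys against a centrally pinned known_hosts store, alarm on any changed key, and only tolerate a change for a device that is on a list of expected RE replacements. Hostnames, key blobs and the replacement list are constructed placeholders, not real keys or devices.

```python
# Constructed sample of a centrally maintained known_hosts file: hostnames,
# key types and base64 blobs are made-up placeholders, not real keys.
PINNED_KNOWN_HOSTS = """\
rtr1.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY_RTR1_PLACEHOLDER
rtr2.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY_RTR2_PLACEHOLDER
rtr3.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQKEY_RTR3_PLACEHOLDER
"""
# Constructed sample of what a fresh `ssh-keyscan` run would print (same format).
SCANNED_TODAY = """\
rtr1.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY_RTR1_PLACEHOLDER
rtr2.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEW_RE_KEY_PLACEHOLDER
rtr3.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUNEXPECTED_PLACEHOLDER
rtr4.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEY_RTR4_PLACEHOLDER
"""
# Devices whose RE was replaced/zeroized in a known change window, so a new
# key is expected; assumed to be fed from the change-management system.
EXPECTED_REPLACEMENTS = {"rtr2.example.net"}

def parse_known_hosts(text):
    """Map (host, keytype) -> key blob, skipping comments and blank lines.
    Plain hostnames only; hashed (HashKnownHosts) entries are not handled."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, blob = line.split()[:3]
        keys[(host, keytype)] = blob
    return keys

def classify(pinned, scanned, expected=frozenset()):
    """Return {host: verdict}; 'alarm' is an unexpected key change, the same
    symptom a MitM produces, so do not connect until it is explained."""
    verdicts = {}
    for (host, keytype), blob in scanned.items():
        known = pinned.get((host, keytype))
        if known is None:
            verdicts[host] = "new-host"          # no pin yet: verify OOB, then pin
        elif known == blob:
            verdicts[host] = "ok"
        elif host in expected:
            verdicts[host] = "changed-expected"  # confirm with installer, then re-pin
        else:
            verdicts[host] = "alarm"
    return verdicts

def audit():
    """Run the check over the constructed samples."""
    return classify(parse_known_hosts(PINNED_KNOWN_HOSTS),
                    parse_known_hosts(SCANNED_TODAY), EXPECTED_REPLACEMENTS)
```

In practice the scanned side would be the output of `ssh-keyscan` run from the jump box, and a "new-host" verdict is the cue to have the on-site installer confirm the key before it is pinned.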

