clone for rhel3/2.1

+++ This bug was initially created as a clone of Bug #162681 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
Portable OpenSSH versions less than 4.0p1 have known_hosts files that would allow an attacker to find additional targets, because the host information contained within them is listed in cleartext.
http://nms.csail.mit.edu/projects/ssh/

The OpenSSH server included in RHEL 3 and 4 does not currently have support for the Hashed Host patches that would be needed to avoid exposing sensitive information to a successful attacker.

The specific fix that the OpenSSH folks have devised for this is described here:
http://nms.lcs.mit.edu/projects/ssh/README.hashed-hosts

A patch for OpenSSH 3.9p1 is available:
http://nms.csail.mit.edu/projects/ssh/patch-other.php

This could probably be backported to openssh-3.6.1 (used in RHEL 3).

Version-Release number of selected component (if applicable):
openssh-3.6.1p2-33.30.4

How reproducible:
Always

Steps to Reproduce:
1. Pretend you are a malicious coder. Find a vulnerability in SSH. Write a nasty SSH worm that can jump from host to host.
2. Have your worm check everyone's .ssh/known_hosts file for additional targets.
3. Attempt to jump to the hosts listed in the known_hosts files, using both your original exploit, and using any carelessly unencrypted private key files you find on the machine.
4. Profit

Additional info:

-- Additional comment from tmraz on 2005-07-08 16:55 EST --
Created an attachment (id=116539)
Patch for openssh-3.9p1

This patch is taken from openssh-4.0p1 and applies to openssh-3.9p1.

-- Additional comment from tmraz on 2005-07-08 16:58 EST --
Created an attachment (id=116540)
Patch for openssh-3.6.1p2

This patch applies to openssh-3.6.1p2.
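What the hashed-hosts feature referenced above actually does, as an added worked example (this is illustrative code written for this page, not the OpenSSH patch or anything from the reporter): OpenSSH 4.0p1 replaces each cleartext host field with `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>`, using a fresh random 20-byte salt per entry, and `ssh-keygen -H` rewrites an existing file that way. The sample known_hosts file, host names and key blobs below are constructed placeholders. The code shows both sides of the argument in this bug: a cleartext file hands a worm its target list outright (`readable_hosts`), a hashed file does not, but a name the attacker already knows, for example from shell history, can still be confirmed against the hashed file (`contains_host`).

```python
"""Hashed known_hosts entries in the OpenSSH 4.0p1 format (HashKnownHosts / ssh-keygen -H).

Illustrative code for this page, not OpenSSH's own implementation. Format:
  |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)> <keytype> <base64 key>
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional

HASH_MAGIC = "|1|"   # hash-format version marker
SALT_LEN = 20        # OpenSSH uses a 20-byte random salt (SHA-1 digest length)


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Build the |1|salt|hash host field for one hostname (fresh random salt by default)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    digest = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC,
                        base64.b64encode(salt).decode("ascii"),
                        base64.b64encode(digest).decode("ascii"))


def host_matches(field: str, hostname: str) -> bool:
    """True if a hashed host field was produced from hostname (what ssh does per line on connect)."""
    if not field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, digest_b64 = field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:          # malformed field, or binascii.Error (a ValueError subclass)
        return False
    if len(salt) != SALT_LEN:
        return False
    actual = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def _split_entry(line: str):
    """Split a known_hosts line into (host field, key part); None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 1)
    return tuple(parts) if len(parts) == 2 else None


def hash_known_hosts(text: str) -> str:
    """Rewrite cleartext entries with hashed host fields, the way ssh-keygen -H does.

    A "host,addr" list becomes one hashed line per name, since one hash covers one name,
    and names are lowercased. Already-hashed lines, comments and wildcard/negated
    patterns (which cannot be hashed) pass through unchanged.
    """
    out = []
    for line in text.splitlines():
        entry = _split_entry(line)
        if entry is None:
            out.append(line)
            continue
        hosts, keypart = entry
        if hosts.startswith(HASH_MAGIC) or any(c in hosts for c in "*?!"):
            out.append(line)
            continue
        for host in hosts.split(","):
            out.append(hash_hostname(host.lower()) + " " + keypart)
    return "\n".join(out) + "\n"


def readable_hosts(text: str) -> List[str]:
    """What a worm reading the file learns: every host name stored in cleartext."""
    found = []
    for line in text.splitlines():
        entry = _split_entry(line)
        if entry is None or entry[0].startswith(HASH_MAGIC):
            continue
        found.extend(entry[0].split(","))
    return found


def contains_host(text: str, hostname: str) -> bool:
    """Whether a known name is in the file; works on plain and hashed entries alike.

    This is the residual exposure: a name guessed from elsewhere (shell history, logs)
    can still be confirmed against a hashed file, it just cannot be enumerated from it.
    """
    for line in text.splitlines():
        entry = _split_entry(line)
        if entry is None:
            continue
        hosts = entry[0]
        if hosts.startswith(HASH_MAGIC):
            if host_matches(hosts, hostname):
                return True
        elif hostname in hosts.split(","):
            return True
    return False


# Constructed sample file: made-up names, and the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """# constructed sample, not a real known_hosts
build01.example.internal,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0example==
[git.example.internal]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC1example==
"""

if __name__ == "__main__":
    print("cleartext file exposes:", readable_hosts(SAMPLE_KNOWN_HOSTS))
    hashed = hash_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(hashed)
    print("hashed file exposes:", readable_hosts(hashed))
    print("known name still confirmable:", contains_host(hashed, "build01.example.internal"))
```

Two caveats a practitioner should keep in mind: the key comment field (if any) after the key blob is not hashed, so do not put host names there; and hashing only helps for entries written after the feature is enabled, so an existing file has to be rewritten once (here `hash_known_hosts`, in real deployments `ssh-keygen -H`).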
-- Additional comment from bressers on 2005-09-01 14:07 EST -- I'm moving this bug to affect RHEL4, and noting that this feature could be added to RHEL3 and RHEL2.1 if we decide to support it. Considering this a security issue is a far stretch as you first need an openssh worm in order for it to be a problem. Additionally a worm could search the users shell history and log files for a list of hosts which could potentially be vulnerable, making this much less effective than it would appear from the description.
We do not consider this problem as a real security issue. This feature is not going to be implemented for RHEL-3.