I think that the vulnerability which you pointed out is:
(1) Usually Client(Bob) can check whether he is really connected
to the Server(Alice) by checking the Server's host key with
the data which Bob has in the known_host directory. But in
the very first connection to the Server, the host key is not
installed yet. So in this occation Eve might BE ABLE to
IMPERSONATE Alice by sending Eve's host key.
(2) If Eve pretends Alice Server, Bob would send his authentication
information, which Eve receives and later she might use to login
to Alice with Bob's account. Or Eve might forward the
authentication information to Alice and send Eve's session key
to both Bob and Alice.
====================
(1)'This MitM can be detected(avoided) in following ways:
(a) System Administrator tells the fingerprint of Alice's host
key to Bob (either offline or through another trusted channel)
and asks him to check the fingerprint shown on the console
together with the initial alert message. -It is virtually
impossible to forge a public-private key pair with the SAME
fingerprint as Alice's pubkey.
(b) Bob's terminal be configured to reject all unknown hosts
("StricHostKeyChecking Yes"in the OpenSSH) and Alice's host key
is supplied & installed offline.
However, (b) is rather burdensome and there are always sufficient number
of careless users, who overlook the fingerprint mismatch. Therefore
there is a chance for Eve to succeed in this attack.
(2)'If Eve succeeds in pretending Alice's node, Bob's account is
stolen and the session is open to eavesdrop -as long as PASSWORD
authentication is used in version 1. Therefore SSH(version 1)
using password authentication is by NO MEANS secure shell.
I have demonstrated this kind of MitM attack in a lecture.
However, authentication using either RSA or DSA can avoid stealing
the authentication information, because the authentication
information(secret key) is not sent to the Server.
It might be possible to just forward the authentication information
to Alice and send Eve's session key to A & B, to make the session
decryptable for EVE. But it is detected during the user
authentication.
Therefore there are still a number of obstacles to Eve's perfect crime,
as long as RSA/DSA authentication is used. If password authentication is
unavoidable, at least protocol 1 be disabled. It is because most
(every?) MitM tools request protocol version 1 in establishing the
session. I am not sure whether protocol 2 detects that the
authentication process is eavesdropped.
--
Masahito Gotaishi, Researcher
R & D Initiative, Chuo University
1-13-27 Kasuga, Bunkyo, Japan, 112-8551
DDI:03-3817-1621, FAX:03-3817-1606
