
Bug#704170: openssh-server: MITM attack warning should indicate old/new IPs



Package: openssh-server
Version: 1:6.0p1-4
Severity: wishlist

I recently re-added the
127.0.1.1 hostname.domain hostname
line to my /etc/hosts on my ssh server (I was previously leaving the hostname resolution up to DNS)
and discovered that this causes an alarming and confusing message from ssh on clients.
The message was that something nasty might be happening, could be MITM, or the host key had just changed.

I didn't change the host key, and I tracked the problem down to the change in IP and DNS (from the server) resolving the server hostname as a loopback address, but it had me worried for a while.

A better message would indicate that the IP had changed (and what IP was current/old). In my case the IP was being resolved as 127.0.1.1 which meant I was being pointed at the client instead of the host, so the name (hostname.domain) didn't match the key returned by 127.0.1.1 (the client instead of the host).

I've since changed /etc/hosts again since obviously the 127.0.1.1 address causes issues in my scenario.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg                   1.16.10
ii  libc6                  2.13-38
ii  libcomerr2             1.42.5-1
ii  libgssapi-krb5-2       1.10.1+dfsg-4+nmu1
ii  libkrb5-3              1.10.1+dfsg-4+nmu1
ii  libpam-modules         1.1.3-7.1
ii  libpam-runtime         1.1.3-7.1
ii  libpam0g               1.1.3-7.1
ii  libselinux1            2.1.9-5
ii  libssl1.0.0            1.0.1e-2
ii  libwrap0               7.6.q-24
ii  lsb-base               4.1+Debian8
ii  openssh-client         1:6.0p1-4
ii  procps                 1:3.3.3-2
ii  zlib1g                 1:1.2.7.dfsg-13

Versions of packages openssh-server recommends:
ii  ncurses-term             5.9-10
ii  openssh-blacklist        0.4.1+nmu1
ii  openssh-blacklist-extra  0.4.1+nmu1
ii  xauth                    1:1.0.7-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
ii  ssh-askpass   1:1.2.4.1-9
pn  ufw           <none>

-- debconf information:
  ssh/vulnerable_host_keys:
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false
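
Added example, not part of the original report and not OpenSSH code: a sketch of the diagnostic the report asks for, which compares the address a name resolves to now with the addresses recorded beside its key and flags a loopback result. It assumes unhashed known_hosts entries in "host,ip keytype key" form; the function names, the 192.0.2.10 address and the key strings are constructed for illustration.

```python
import ipaddress

# Constructed sample: one unhashed known_hosts entry ("names keytype key").
# The key strings are placeholders, not real key material.
KNOWN_HOSTS = "hostname.domain,192.0.2.10 ssh-rsa SERVERKEY\n"

def parse_known_hosts(text):
    """Return (names, keytype, key) tuples for unhashed entries."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, hashed ("|1|...") and @marker lines.
        if len(fields) < 3 or fields[0][0] in "#|@":
            continue
        entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries

def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def explain_mismatch(entries, host, resolved_ip, keytype, offered_key):
    """Describe why the offered key disagrees with the recorded one."""
    recorded = [e for e in entries if host in e[0] and e[1] == keytype]
    if not recorded:
        return "no recorded key for " + host
    if any(key == offered_key for _, _, key in recorded):
        return "host key matches"
    old_ips = sorted({n for names, _, _ in recorded for n in names if is_ip(n)})
    notes = ["offered " + keytype + " key differs from the recorded key"]
    if old_ips and resolved_ip not in old_ips:
        notes.append("%s was recorded at %s but now resolves to %s"
                     % (host, ", ".join(old_ips), resolved_ip))
    if ipaddress.ip_address(resolved_ip).is_loopback:
        notes.append(resolved_ip + " is a loopback address, so the key "
                     "comes from this machine, not the remote host")
    return "; ".join(notes)

if __name__ == "__main__":
    # The report's scenario: the name now resolves to 127.0.1.1 and the
    # local sshd answers with its own (constructed) key.
    print(explain_mismatch(parse_known_hosts(KNOWN_HOSTS),
                           "hostname.domain", "127.0.1.1", "ssh-rsa", "CLIENTKEY"))
```

A mismatch with no address note means the key changed at the same address, which is the case that deserves the MITM warning.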

