[nycbug-talk] How secure: wireless + ssh?
Mon Dec 26 02:04:34 EST 2005
Francisco Reyes wrote:
> Had never had the need for wireless..
> Getting a new laptop and was wondering how safe it is to use a
> wireless WEP connection with SSH.
This has been pretty much beaten to death, but there's one quick point
I'd like to throw in. Always connect to any SSH server on a trusted
network first, so it saves the server's key. Watch out for key
warnings, where the host key does not match the one you have saved. If
you get that on an untrusted network, watch out. sshmitm, part of the
dsniff  suite, allows man in the middle attacks against SSH if you
are tricked into accepting the "changed" host key. An attacker can use
ARP poisoning, amongst other tactics, to route your connections through
his machine, and accepting the attacker's host key means you have
nothing more than a SSH connection to his machine, which then relays
everything to the legit SSH server (with everything, of course, being
captured, unencrypted, by the attacker).
1 - http://www.monkey.org/~dugsong/dsniff/
More information about the talk