Apple Mac OS X Server Network Card User Manual


 
Chapter 2 Connecting to Remote Computers
What is an SSH Man-in-the-Middle Attack?
An attacker may be able to get access to your network and compromise proper
routing information, such that packets intended for a remote computer are instead
routed to the attacker who impersonates the remote computer to the local computer
and the local computer to the remote computer. Here’s a typical scenario: A user
connects to the remote computer using SSH. By means of spoofing techniques, the
attacker poses as the remote computer and receives the information from the local
computer. The attacker then relays the information to the intended remote computer,
receives a response, and then relays the remote computer’s response to the local
computer. Throughout the process, the attacker is privy to all the information that goes
back and forth, and can modify it.
A sign that may indicate a man-in-the-middle attack is the following message when
connecting to the remote computer using SSH:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Protect against this type of attack by verifying that the host key sent back is the correct
host key for the computer you are trying to reach. Be watchful for the warning
message, and alert your users to its meaning.
Important: Removing an entry from the known_hosts file bypasses a security
mechanism that would help you avoid imposters and man-in-the-middle attacks.
Be sure you understand why the key on the remote computer has changed before you
delete its entry from the known_hosts file.
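The check described above, as an added example that is not part of the Apple manual: it compares a host key a server offers against known_hosts text and reports whether the key matches, has changed, or is unknown, and computes the fingerprint in the SHA256 form printed by current OpenSSH. The host names, key bytes and function names are constructed for illustration; wildcard host patterns and @cert-authority/@revoked lines are not handled.

```python
import base64, hashlib, hmac, struct

def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 public key blob, as current OpenSSH prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field: plain comma list, or hashed |1|salt|hmac."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return host in field.split(",")

def check_host_key(known_hosts_text, host, keytype, offered_b64):
    """Return 'match', 'changed' or 'unknown' for the key the server offered."""
    verdict = "unknown"
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":
            continue  # blank lines, comments and marker lines are skipped
        if host_matches(fields[0], host) and fields[1] == keytype:
            stored, offered = base64.b64decode(fields[2]), base64.b64decode(offered_b64)
            if hmac.compare_digest(stored, offered):
                return "match"
            verdict = "changed"  # same host and key type, different key
    return verdict

def sample_blob(seed):
    """Constructed ed25519 public key blob: length-prefixed type, then 32 key bytes."""
    name = b"ssh-ed25519"
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(raw).decode()

# Constructed sample data: the recorded key and a different key offered later.
GOOD, ROGUE = sample_blob(1), sample_blob(2)
KNOWN_HOSTS = "server.example.com,192.0.2.10 ssh-ed25519 " + GOOD + "\n"

if __name__ == "__main__":
    for label, key in (("recorded key", GOOD), ("different key", ROGUE)):
        verdict = check_host_key(KNOWN_HOSTS, "server.example.com", "ssh-ed25519", key)
        print(label, verdict, fingerprint(key))
```

A "changed" verdict corresponds to the warning shown above; compare the printed fingerprint with one obtained from the server's administrator over a separate channel before touching the known_hosts entry.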
Controlling Access to SSH Service
You can use Server Admin to control which users can open a command-line
connection using the ssh tool in Terminal. Users with administrator privileges are
always allowed to open a connection using SSH. The ssh tool uses the SSH service.
For information about controlling access to the SSH service, see the Open Directory
administration guide.