Bug 1489

Summary: ssh should normalize IP addresses before comparison
Product: Portable OpenSSH
Reporter: Guenther Starnberger <gst>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: normal
CC: djm, gst
Priority: P2
Version: 5.0p1
Hardware: All
OS: Linux

Description Guenther Starnberger 2008-07-15 08:39:06 AEST
When using the ssh command to log in to a host, ssh checks if the public key of this host is already known. However, when issuing an IP address instead of a hostname, ssh seems to do a string-based comparison of this IP address with the already known addresses.

Example:
-------- 8< -------- 8< -------- 8< -------- 8< --------
[gst@nano ~]$ ssh 10.0.0.3
Enter passphrase for key '/home/example/.ssh/id_rsa': 
---> The client already knows the public key

[gst@nano ~]$ ssh 10.00.0.3
The authenticity of host '10.00.0.3 (10.0.0.3)' can't be established.
RSA key fingerprint is 4f:ab:6e:8a:0b:02:d0:32:18:a1:1c:00:2b:5c:f8:bd.
Are you sure you want to continue connecting (yes/no)?
---> Another format for the same IP, the client does not recognize the IP
-------- 8< -------- 8< -------- 8< -------- 8< --------

One scenario where this e.g. could lead to a security problem would be if:
* An attacker sets up a man in the middle attack
* The attacker somehow tricks someone into connecting to the host using a slightly modified IP address

It seems that "CheckHostIP" does NOT help in the above scenario. I did not look into this further, but maybe ssh does not do the additional check of the host's IP if an IP is given as an argument.
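
The lookup mismatch described in the report, next to a client-side normalization that avoids it, as an added example (not OpenSSH code and not part of the original report). It assumes plain, unhashed known_hosts host fields and that the platform's inet_aton accepts the same legacy IPv4 spellings the resolver accepted in the session above; the known_hosts content and the function names are constructed for illustration.

```python
import socket

# Constructed known_hosts content (unhashed host fields, placeholder keys).
KNOWN_HOSTS = """\
# constructed sample, not real keys
10.0.0.3 ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER
build.example.test,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_PLACEHOLDER
"""

def canonical_host(host):
    """Map any IPv4 spelling inet_aton accepts to dotted-quad; leave names alone."""
    if not host or any(c.isspace() for c in host):
        return host
    try:
        # Assumption: libc inet_aton semantics (leading 0 = octal, 0x = hex).
        return socket.inet_ntoa(socket.inet_aton(host))
    except (OSError, ValueError):
        return host  # hostname, IPv6 literal, or otherwise not IPv4

def lookup(host, known_hosts=KNOWN_HOSTS, normalize=False):
    """Return the key type recorded for host, or None if no entry matches."""
    wanted = canonical_host(host) if normalize else host
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "@")):
            continue  # skip comments, markers and malformed lines
        names = fields[0].split(",")
        if normalize:
            names = [canonical_host(n) for n in names]
        if wanted in names:
            return fields[1]
    return None

def noncanonical_literal(host):
    """True when host is an IPv4 literal written in a non-canonical form."""
    return canonical_host(host) != host

if __name__ == "__main__":
    for h in ("10.0.0.3", "10.00.0.3", "0x0a.0.0.3", "10.0.0.010",
              "build.example.test"):
        print(f"{h:20} string-match={lookup(h)!s:12} "
              f"normalized={lookup(h, normalize=True)!s:12} "
              f"flag={noncanonical_literal(h)}")
```

A wrapper or audit script can use `noncanonical_literal` to reject or rewrite the host argument before ssh ever sees it, so an unexpected spelling never reaches the unknown-host prompt. Note that a leading zero means octal: `10.0.0.010` is 10.0.0.8, not 10.0.0.10.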

Comment 1 Damien Miller 2010-04-26 10:34:52 AEST
So don't do that.

Comment 2 Damien Miller 2011-01-24 12:33:51 AEDT
Move resolved bugs to CLOSED after 5.7 release