Bug 2822 - manpage: trojan horse vs. man-in-the-middle
Summary: manpage: trojan horse vs. man-in-the-middle
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh (show other bugs)
Version: 7.5p1
Hardware: All Linux
: P5 minor
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_7_7
  Show dependency treegraph
 
Reported: 2018-01-23 16:21 AEDT by maikel
Modified: 2018-04-06 12:26 AEST (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description maikel 2018-01-23 16:21:16 AEDT 
Hello,

The `ssh_config` man page may be slightly confusing about StrictHostKeyChecking. I found this sentence:

    This provides maximum protection against trojan horse attacks

I always thought the option protects against man-in-the-middle attacks. I think if the user or the server is compromised via a trojan horse, the connection is most likely compromised as well, regardless of host key checking.
Comment 1 Darren Tucker 2018-02-06 16:58:51 AEDT 
Fixed, it'll be in the 7.7 release.  Thanks for the report.
Comment 2 Damien Miller 2018-04-06 12:26:51 AEST 
Close all resolved bugs after release of OpenSSH 7.7.