9

If I simply connect to an SSH server, get its key fingerprint, and immediately disconnect, does the SSH protocol ensure that the server also had the private key in order to get that far into the handshake?

That is, could this entire connection have been spoofed by someone pretending to be the server who did not possess the server's private key?

Peter Mortensen
Belorn

2 Answers

15

No, this is not possible. Depending on the key exchange mechanism in use, there are (slightly) different mechanisms for proving the identity of the server. This is defined in RFC4253 where it requires "explicit server authentication." In the case of RSA (RFC 4432), the server signs a piece of data provided by the client (actually a hash of several pieces) with its private key and sends it back to the client. This signature proves that the server is in possession of the private key. Without this, there would be no protection at all against MITM attacks on SSH.

David
  • Thanks for a clear answer. Do you know which one of the many SSH RFCs that mentions this? – Belorn Jun 21 '14 at 18:30
  • I've added mentions of the specific RFCs, but basically RFC4253 for the general concept, RFC 4432 for the RSA implementation – David Jun 21 '14 at 18:50
0

The client and server engage in a Diffie-Hellman key exchange (ephemeral keys are generated). One of the products is a session key and a hash of that session key. The SSH server signs the session key with the private portion of its ('long term') host key. The client verifies it with the public key. That's how MITM is avoided. Keep in mind it's not possible to force a particular value using DH. A MITM would need to fool the client with its own DH agreement and as well fool the server with its own DH agreement. That can't happen w/o control of the private key. Keep in mind this is server authentication, which is separate and apart from client authentication.

james6125
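As an added illustration of the mechanism both answers describe (this is not code from the thread or from any SSH implementation): a stand-alone Python model of the server-authentication step of the SSH transport layer, where the server signs the exchange hash H with its host key and the client verifies that signature against the public key in K_S after checking that K_S matches the fingerprint it has on record (RFC 4253 section 8). Everything in it is constructed for the demo: the RSA host keys and the DH modulus are generated at runtime, and the version strings and KEXINIT payloads are placeholder bytes; a real client uses the fixed RFC 3526 groups or ECDH curves and a real host key. The three scenarios in `demo()` show why reaching the fingerprint cannot be faked without the private key: an impostor presenting its own key produces a valid signature but the wrong fingerprint, and an impostor presenting the genuine public key gets the right fingerprint but cannot produce a valid signature over H.

```python
import base64, hashlib, secrets

# Constructed toy parameters, not a real SSH stack: a runtime-generated 512-bit DH
# modulus instead of an RFC 3526 group, and 1024-bit RSA host keys made on the spot.
SMALL_PRIMES = [p for p in range(3, 1000, 2) if all(p % q for q in range(3, p, 2))]

def is_probable_prime(n, rounds=20):
    """Miller-Rabin behind a trial-division prefilter; enough for a demo key generator."""
    if n < 4:
        return n in (2, 3)
    if any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n
DH_P, DH_G = random_prime(512), 2   # toy group; real SSH uses fixed MODP groups or ECDH curves

def rsa_keygen(bits=1024):
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

# RFC 4251 wire encodings, used inside the exchange hash and the host-key blob K_S.
def ssh_string(b):
    return len(b).to_bytes(4, "big") + b
def ssh_mpint(x):   # non-negative only: minimal big-endian, extra 0x00 if the top bit is set
    return ssh_string(x.to_bytes(x.bit_length() // 8 + 1, "big") if x else b"")
def rsa_public_blob(key):   # K_S for ssh-rsa: string "ssh-rsa", mpint e, mpint n
    return ssh_string(b"ssh-rsa") + ssh_mpint(key["e"]) + ssh_mpint(key["n"])
def parse_rsa_blob(blob):
    fields, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 4], "big")
        fields.append(blob[i + 4:i + 4 + n]); i += 4 + n
    return {"e": int.from_bytes(fields[1], "big"), "n": int.from_bytes(fields[2], "big")}
def fingerprint(blob):   # OpenSSH-style SHA256 fingerprint of the public key blob
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

# PKCS#1 v1.5 over SHA-256: the rsa-sha2-256 host-key signature format.
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
def pkcs1_encode(data, k):
    t = DIGESTINFO_SHA256 + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sign(key, data):   # needs the private exponent d; this is the step a spoofer cannot do
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_encode(data, k), "big"), key["d"], key["n"]).to_bytes(k, "big")
def rsa_verify(pub, data, sig):
    k = (pub["n"].bit_length() + 7) // 8
    m = pow(int.from_bytes(sig, "big"), pub["e"], pub["n"])
    return len(sig) == k and m.to_bytes(k, "big") == pkcs1_encode(data, k)

# Constructed version strings and KEXINIT payloads; in a real session they are the bytes
# actually exchanged, so H also binds the algorithm negotiation to the host-key signature.
V_C, V_S = b"SSH-2.0-demo_client", b"SSH-2.0-demo_server"
I_C, I_S = b"<constructed client KEXINIT>", b"<constructed server KEXINIT>"
def exchange_hash(K_S, e, f, K):   # H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K)
    parts = [ssh_string(V_C), ssh_string(V_S), ssh_string(I_C), ssh_string(I_S),
             ssh_string(K_S), ssh_mpint(e), ssh_mpint(f), ssh_mpint(K)]
    return hashlib.sha256(b"".join(parts)).digest()

def server_kexdh_reply(sign_key, host_blob, e):
    """Server side of KEXDH: compute f and the shared secret K, then sign H with sign_key."""
    y = secrets.randbelow(DH_P - 2) + 1
    f, K = pow(DH_G, y, DH_P), pow(e, y, DH_P)
    return host_blob, f, rsa_sign(sign_key, exchange_hash(host_blob, e, f, K))

def client_connect(known_fingerprint, reply_fn):
    """Client side: returns (K_S matches known_hosts, signature over H verifies under K_S)."""
    x = secrets.randbelow(DH_P - 2) + 1
    e = pow(DH_G, x, DH_P)
    K_S, f, sig = reply_fn(e)
    H = exchange_hash(K_S, e, f, pow(f, x, DH_P))
    return fingerprint(K_S) == known_fingerprint, rsa_verify(parse_rsa_blob(K_S), H, sig)

def demo():
    server, attacker = rsa_keygen(), rsa_keygen()
    known = fingerprint(rsa_public_blob(server))   # what the client holds in known_hosts
    honest = client_connect(known, lambda e: server_kexdh_reply(server, rsa_public_blob(server), e))
    # Impostor with its own key pair: the signature verifies, but the fingerprint is not the recorded one.
    impostor = client_connect(known, lambda e: server_kexdh_reply(attacker, rsa_public_blob(attacker), e))
    # Impostor replaying the genuine public blob: the fingerprint matches, but H cannot be signed without d.
    forgery = client_connect(known, lambda e: server_kexdh_reply(attacker, rsa_public_blob(server), e))
    return honest, impostor, forgery   # ((True, True), (False, True), (True, False))
```

The client's decision is the conjunction of the two booleans: the fingerprint check ties K_S to what the user has previously accepted, and the signature check ties K_S to whoever chose `f` in this very exchange. Dropping either check is what lets a man-in-the-middle through, which is why the "remote host identification has changed" warning from a real client should never be waved away.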