Have a look at this article on lwn.net:
http://lwn.net/Articles/134837/
The author's premise is that every user's ~/.ssh/known_hosts records the hostnames/IP addresses of all the hosts that user has logged into. Once one user is compromised, the attacker can use that account as a relay and go on to attack every machine listed in known_hosts. If that user also set up key-based login with a private key whose passphrase is empty, no password is needed at all: the attacker just logs straight in.
The fix is to use hashed host names.
Prerequisite: you are running OpenSSH 4.0p1.
Concrete steps:
echo "Host *" >> /etc/ssh/ssh_config
echo "HashKnownHosts yes" >> /etc/ssh/ssh_config
As for the existing known_hosts file, what I did was simply delete it. What are the odds of getting hit by a DNS spoof at exactly that moment? Heh.
There are of course conversion tools as well; you can find them starting from the page above.
Comparison:
- Before
  - csdoor.comp.polyu.edu.hk,158.132.8.8 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvkSIZSV4P9HNO3MeXxS7iEyfrgNXnVGNJm12F7zmPve83a61i6bOOYTR2w7NBTZSGAoOCc8bkKeOA+0iMsVL9BosQunq7auUF27if5PAymIt7afLygKSHWOTBEfbJmVXNM7szI77usXwSGMBRuJHRuSM7HaFc2G9CmnZTWoDH9s=
  - smth.org,166.111.8.238 1024 35 141087622604984352947073823381669525561182271425567940961971914504832300932245048277609650094079962102843946849369875728378063399456613647998570284974539552752883200527266847955913542629545587385680424043735389622031831256167599729345670473925247530244406340068958707947533905560128653734273279036206628894447
- Now
  - |1|sgUNJl7RimBXU1fwChi5sSE5XDw=|R50tbnL62fS2W9patXRiOQYQVpc= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuQz6fK5kpG5ISPRlAamBJSZEjgeGXW71sY6mjfvqnJ0whmZPu8gF+Kn1xaHTZ3DuYwX8Yl6AbB4aZfyrwA8P+R7fW66UWkqtO+KcuI1+nrX8u6q36e+pYz+06OZOAmk0taXpwAnI4YvA1EXM9lhbwxqCXWue4DgabWil2a33FTU=
  - |1|pTNTi0XQwWj/Uda2yoT7qWiz+l0=|IW7GWxj7WbTmC/odydxnSmyKU6M= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuQz6fK5kpG5ISPRlAamBJSZEjgeGXW71sY6mjfvqnJ0whmZPu8gF+Kn1xaHTZ3DuYwX8Yl6AbB4aZfyrwA8P+R7fW66UWkqtO+KcuI1+nrX8u6q36e+pYz+06OZOAmk0taXpwAnI4YvA1EXM9lhbwxqCXWue4DgabWil2a33FTU=
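As an added example (written for this post, not code from OpenSSH or from the article above), the Python below reproduces the `|1|salt|hash` host field shown in the "Now" entries: the field is HMAC-SHA1 of the host name keyed with a random 20-byte salt, both parts base64-encoded, and each name in a comma-separated old host field becomes its own hashed line, so one old entry like `csdoor.comp.polyu.edu.hk,158.132.8.8` yields two hashed lines carrying the same key. The conversion function is the alternative to deleting the file; the host names and key strings used to try it are taken from this post.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # prefix OpenSSH writes in front of a hashed host name


def hash_hostname(hostname: str, salt: bytes = b"") -> str:
    """Return |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=hostname)) as OpenSSH stores it."""
    if not salt:
        salt = os.urandom(20)  # OpenSSH draws a fresh 20-byte salt for every entry
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def hostname_matches(hostname: str, host_field: str) -> bool:
    """True if a known_hosts host field covers `hostname`.

    Plain fields are a comma-separated list compared by exact name here
    (OpenSSH also accepts wildcard patterns, which this example leaves out).
    """
    if not host_field.startswith(HASH_MAGIC):
        return hostname in host_field.split(",")
    try:
        salt_b64, digest_b64 = host_field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64, validate=True)
        stored = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed entry never matches
        return False
    computed = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(computed, stored)  # constant-time compare


def hash_known_hosts_line(line: str) -> list:
    """Convert one plain known_hosts line into hashed lines, one per name (as ssh-keygen -H does)."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(HASH_MAGIC):
        return [line]  # blank lines, comments and already-hashed entries pass through unchanged
    marker = ""
    if line.startswith("@"):  # @cert-authority / @revoked markers precede the host field
        marker, line = line.split(" ", 1)
        marker += " "
    host_field, key_part = line.split(" ", 1)  # key_part: "ssh-rsa AAAA..." or SSH1 "1024 35 ..."
    return [marker + hash_hostname(name) + " " + key_part for name in host_field.split(",")]
```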