Inoculating SSH Against Address Harvesting

NDSS(2006)

Abstract
Address harvesting is the act of searching a compromised host for the names and addresses of other targets to attack, such as occurs when an email virus locates target addresses from users' address lists or mail archives. We examine how host addresses harvested from Secure Shell (SSH) clients' known_hosts files can aid those attacking SSH servers. Each user's known_hosts file contains the names of every host previously accessed by its owner. Thus, when an attacker compromises a user's password or identity key, the known_hosts file can be used to identify those hosts on a network that are most likely to accept this compromised credential. Such attacks are not theoretical: a single attacker who targeted host authentication via SSH and employed known_hosts address harvesting was able to gain access to a multitude of academic, commercial, and government systems. To show the value of known_hosts files to such attackers, we present results of a study of known_hosts files and other data collected from 173 hosts distributed over 25 top level domains. We also collected data on users' credential management practices, and discovered that 61.7% of the identity keys we encountered were stored unencrypted. To show how host authentication attacks via SSH could evolve if automated, we survey mechanisms used to attack and their suitability for use in self-propagating code. Finally, we present countermeasures devised to defend against address harvesting, which have been adopted by the OpenSSH team and one of the two main commercial SSH software vendors.
Keywords
data collection
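
As an added illustration (not code from the paper or from OpenSSH): OpenSSH can store known_hosts host fields in hashed form (the HashKnownHosts option), and the sketch below audits a known_hosts file for names that are still readable while showing that a hashed entry still matches a host the user already knows. The sample file contents, salt and function names are constructed for this example.

```python
import base64
import hashlib
import hmac

HASH_MAGIC = "|1|"  # prefix OpenSSH uses for hashed host fields

def hash_host(host, salt):
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_field(line):
    """Return the hosts field of a known_hosts line, or None for blanks/comments."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    if parts[0].startswith("@"):  # @cert-authority / @revoked marker comes first
        parts = parts[1:]
    return parts[0] if parts else None

def hashed_entry_matches(field, host):
    """True if a hashed host field was derived from `host` (lookup still works)."""
    try:
        salt_b64, mac_b64 = field[len(HASH_MAGIC):].split("|")
        salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    except ValueError:  # malformed field or bad base64
        return False
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)

def audit(text):
    """Split entries into names readable from the file and hashed entries."""
    exposed, hashed = [], []
    for field in filter(None, map(host_field, text.splitlines())):
        if field.startswith(HASH_MAGIC):
            hashed.append(field)
        else:
            exposed.extend(field.split(","))  # one line may list several names
    return exposed, hashed

# Constructed sample: host names, salt and key blobs are made up for illustration.
SALT = b"constructed-salt-20b"
SAMPLE = "\n".join([
    "# constructed sample known_hosts",
    "build01.example.org,192.0.2.10 ssh-ed25519 AAAA-constructed-key",
    hash_host("db.example.org", SALT) + " ssh-ed25519 AAAA-constructed-key",
    "@cert-authority *.example.net ssh-rsa AAAA-constructed-key",
])
```

Calling audit(SAMPLE) returns the names that anyone reading the file can see, plus the hashed fields. An existing file can be converted in place with ssh-keygen -H.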