Inoculating SSH Against Address Harvesting

Address harvesting is the act of searching a compromised host for the names and addresses of other targets to attack, such as occurs when an email virus locates target addresses from users’ address lists or mail archives. We examine how host addresses harvested from Secure Shell (SSH) clients’ known hosts files can aid those attacking SSH servers. Each user’s known hosts file contains the names of every host previously accessed by its owner. Thus, when an attacker compromises a user’s password or identity key, the known hosts file can be used to identify those hosts on a network that are most likely to accept this compromised credential. Such attacks are not theoretical – a single attacker who targeted host authentication via SSH and employed known hosts address harvesting was able to gain access to a multitude of academic, commercial, and government systems. To show the value of known hosts files to such attackers, we present results of a study of known hosts files and other data collected from 173 hosts distributed over 25 top level domains. We also collected data on users’ credential management practices, and discovered that 61.7% of the identity keys we encountered were stored unencrypted. To show how host authentication attacks via SSH could evolve if automated, we survey mechanisms used to attack and their suitability for use in self-propagating code. Finally, we present countermeasures devised to defend against address harvesting, which have been adopted by the OpenSSH team and one of the two main commercial SSH software vendors.