A big class of attacker is nation state attackers who do not want to risk discovery.
A big way to deter them is to keep remote log files which, if analyzed, will reveal any attack.
For example, if both ssh-client and ssh-server kept a fingerprint of the session key in some append-only logfile, then a later administrator could compare the logfiles to know if an MITM happened.
Suddenly, nation state attackers won't be interested in MITM-ing at all.
Unfortunately it appears OpenSSH doesn't even have an option to create such a logfile!! Why not??
How would you create REAL write-only logs?
syslog > /dev/lpt0 printer?
Because log processing is handled in the kernel/root/system? Is this a trick question?
See also: rsyslogd
Couldn’t the MITM ssh server just forward the client’s fingerprint to the legitimate server?
If so, the legitimate server wouldn’t have anything in their logs that would help detect such an attack.
OpenSSH does log other telemetry though.
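
The log comparison proposed in the first comment, sketched as an added example that is not part of any comment in the thread and is not OpenSSH functionality: each side appends a hash-chained record of a session-key fingerprint, and an administrator later checks both chains and looks for client sessions with no matching server record. The record layout, the function names and the sample keys are all hypothetical, and the sketch assumes, as the first comment does, that an interceptor ends up sharing a different session key with each side.

```python
import hashlib
import hmac

GENESIS = "0" * 64  # chain value before the first record

def fingerprint(session_key: bytes) -> str:
    """Fingerprint that gets logged instead of the key itself."""
    return hashlib.sha256(session_key).hexdigest()

def _link(prev: str, peer: str, fp: str) -> str:
    return hashlib.sha256(f"{prev}|{peer}|{fp}".encode()).hexdigest()

def append(log: list, peer: str, session_key: bytes) -> str:
    """Append one record; returns the new chain head to copy to a remote host."""
    prev = log[-1]["chain"] if log else GENESIS
    fp = fingerprint(session_key)
    log.append({"peer": peer, "fp": fp, "chain": _link(prev, peer, fp)})
    return log[-1]["chain"]

def verify_chain(log: list, expected_head: str) -> bool:
    """True only if no record was edited or dropped since expected_head was saved."""
    prev = GENESIS
    for rec in log:
        if not hmac.compare_digest(_link(prev, rec["peer"], rec["fp"]), rec["chain"]):
            return False
        prev = rec["chain"]
    return hmac.compare_digest(prev, expected_head)

def unmatched(client_log: list, server_log: list) -> list:
    """Client sessions whose fingerprint never appears in the server's log."""
    server_fps = {rec["fp"] for rec in server_log}
    return [rec for rec in client_log if rec["fp"] not in server_fps]

def build_sample_logs():
    """Constructed data: one clean session, one intercepted session."""
    client_log, server_log = [], []
    # Session 1: both ends hold the same key.
    append(client_log, "server.example", b"constructed-key-1")
    append(server_log, "client-1", b"constructed-key-1")
    # Session 2 (assumed interception): each end shares a different key
    # with the party in the middle, so the fingerprints differ.
    c_head = append(client_log, "server.example", b"constructed-key-A")
    s_head = append(server_log, "client-1", b"constructed-key-B")
    return client_log, c_head, server_log, s_head

if __name__ == "__main__":
    c_log, c_head, s_log, s_head = build_sample_logs()
    print("chains intact:", verify_chain(c_log, c_head) and verify_chain(s_log, s_head))
    for rec in unmatched(c_log, s_log):
        print("no server record for session to", rec["peer"], rec["fp"][:16])
```

The chain only helps if the head value is stored somewhere the logging host cannot rewrite, which is the role the remote log plays in the original proposal.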