added fingerprint chapter

Author: manfred-kaiser

doc/_static/assets/css/theme2.css

@@ -0,0 +1,146 @@
+
+table.docutils,
+.rst-content table.field-list,
+.wy-table {
+	border-collapse: collapse;
+	border-spacing: 0;
+	empty-cells: show;
+	margin-bottom: 24px
+}
+
+table.docutils caption,
+.rst-content table.field-list caption,
+.wy-table caption {
+	color: #000;
+	font: italic 85%/1 arial, sans-serif;
+	padding: 1em 0;
+	text-align: center
+}
+
+table.docutils td,
+table.docutils th,
+.rst-content table.field-list td,
+.rst-content table.field-list th,
+.wy-table td,
+.wy-table th {
+	font-size: 90%;
+	margin: 0;
+	overflow: visible;
+	padding: 8px 16px
+}
+
+table.docutils td:first-child,
+table.docutils th:first-child,
+.rst-content table.field-list td:first-child,
+.rst-content table.field-list th:first-child,
+.wy-table td:first-child,
+.wy-table th:first-child {
+	border-left-width: 0
+}
+
+table.docutils thead,
+.rst-content table.field-list thead,
+.wy-table thead {
+	color: #000;
+	text-align: left;
+	vertical-align: bottom;
+	white-space: nowrap
+}
+
+table.docutils thead th,
+.rst-content table.field-list thead th,
+.wy-table thead th {
+	font-weight: 700;
+	border-bottom: 2px solid #e1e4e5
+}
+
+table.docutils td,
+.rst-content table.field-list td,
+.wy-table td {
+	background-color: transparent;
+	vertical-align: middle
+}
+
+table.docutils td p,
+.rst-content table.field-list td p,
+.wy-table td p {
+	line-height: 18px
+}
+
+table.docutils td p:last-child,
+.rst-content table.field-list td p:last-child,
+.wy-table td p:last-child {
+	margin-bottom: 0
+}
+
+table.docutils .wy-table-cell-min,
+.rst-content table.field-list .wy-table-cell-min,
+.wy-table .wy-table-cell-min {
+	width: 1%;
+	padding-right: 0
+}
+
+table.docutils .wy-table-cell-min input[type=checkbox],
+.rst-content table.field-list .wy-table-cell-min input[type=checkbox],
+.wy-table .wy-table-cell-min input[type=checkbox] {
+	margin: 0
+}
+
+.wy-table-secondary {
+	color: grey;
+	font-size: 90%
+}
+
+.wy-table-tertiary {
+	color: grey;
+	font-size: 80%
+}
+
+table.docutils:not(.field-list) tr:nth-child(2n-1) td,
+.wy-table-backed,
+.wy-table-odd td,
+.wy-table-striped tr:nth-child(2n-1) td {
+	background-color: #f3f6f6
+}
+
+table.docutils,
+.wy-table-bordered-all {
+	border: 1px solid #e1e4e5
+}
+
+table.docutils td,
+.wy-table-bordered-all td {
+	border-bottom: 1px solid #e1e4e5;
+	border-left: 1px solid #e1e4e5
+}
+
+table.docutils tbody>tr:last-child td,
+.wy-table-bordered-all tbody>tr:last-child td {
+	border-bottom-width: 0
+}
+
+table.docutils th {
+	border-color: #e1e4e5
+}
+
+
+table.docutils td .last,
+table.docutils td .last>:last-child {
+	margin-bottom: 0
+}
+
+table.docutils th {
+	border-color: #e1e4e5
+}
+
+
+table.docutils th {
+	border: 1px solid #e1e4e5
+}
+
+table.docutils td>p,
+table.docutils th>p {
+	line-height: 1rem;
+	margin-bottom: 0;
+	font-size: .9rem
+}

doc/_static/assets/css/toctree-icons.css

@@ -7,17 +7,23 @@
 #docs-nav .toctree-l1:nth-child(2):before,
 #docs-cards .toctree-l1:nth-child(2) i:before {
     font-family: FontAwesome;
-    content: "\f0e8";
+    content: "\f577";
 }
 
 #docs-nav .toctree-l1:nth-child(3):before,
 #docs-cards .toctree-l1:nth-child(3) i:before {
     font-family: FontAwesome;
-    content: "\f542";
+    content: "\f0e8";
 }
 
 #docs-nav .toctree-l1:nth-child(4):before,
 #docs-cards .toctree-l1:nth-child(4) i:before {
+    font-family: FontAwesome;
+    content: "\f542";
+}
+
+#docs-nav .toctree-l1:nth-child(5):before,
+#docs-cards .toctree-l1:nth-child(5) i:before {
     font-family: FontAwesome;
     content: "\f714";
 }

doc/_templates/layout.html

@@ -21,6 +21,7 @@
 	<link id="theme-style" rel="stylesheet" href="_static/pygments.css?{{built_timestamp}}">
     <link id="theme-style" rel="stylesheet" href="https://www.ssh-mitm.at/assets/css/theme.css?{{built_timestamp}}">
     <link id="theme-style" rel="stylesheet" href="_static/assets/css/sphinx.css?{{built_timestamp}}">
+	<link id="theme-style" rel="stylesheet" href="_static/assets/css/theme2.css?{{built_timestamp}}">
 	<link id="theme-style" rel="stylesheet" href="_static/assets/css/toctree-icons.css?{{built_timestamp}}">
 	{%- block extrahead %} {% endblock %}
 </head>

doc/fingerprint.rst

@@ -0,0 +1,61 @@
+SSH Fingerprints
+================
+
+Recognizing clients with known fingerprints
+-------------------------------------------
+
+If the client is already in possession of a fingerprint, the received fingerprint is compared with it. If the fingerprints do not match, a warning is issued and the connection is terminated.
+
+However, a Man in the Middle attack should remain undetected for as long as possible. For this reason, it is necessary to prevent the warnings generated by the client.
+
+RFC-4253 defines how the key exchange works. A list of supported algorithms is sent to the server. The first entry defines the preferred algorithm.
+
+This behavior can be used to find out whether a client has already stored a fingerprint for the current connection or not.
+
+In a Man in the Middle attack, this knowledge can be used to not intercept clients that would issue a warning or to pass the connection through to the actual destination server.
+
+An exemplary key exchange with and without a known fingerprint could look as follows:
+
+
++------------------------+------------------------+
+| New Fingerprint        | Known Fingerprint      |
++========================+========================+
+| ssh-ed25519            | ssh-rsa                |
++------------------------+------------------------+
+| ecdsa-sha2-nistp256    | ssh-ed25519            |
++------------------------+------------------------+
+| ecdsa-sha2-nistp384    | ecdsa-sha2-nistp256    |
++------------------------+------------------------+
+| ecdsa-sha2-nistp521    | ecdsa-sha2-nistp384    |
++------------------------+------------------------+
+| ssh-rsa                | ecdsa-sha2-nistp521    |
++------------------------+------------------------+
+| ssh-dss                | ssh-dss                |
++------------------------+------------------------+
+
+If the fingerprint is not known, the list is sent to the server with a predefined sequence.
+However, if the client has already saved a fingerprint for the server, the last used algorithm used is put first.
+
+
+Testing with SSH-MITM
+"""""""""""""""""""""
+
+SSH-MITM has the possibility to check on an incoming connection if a client has a known fingerprint or not.
+
+For this SSH-MITM must be started without additional parameters.
+
+.. code-block:: none
+
+    $ ssh-mitm
+    [INFO]  connected client version: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
+    [INFO]  openssh: Client has a locally cached remote fingerprint!
+
+
+Mitigation
+""""""""""
+
+Depending on which client is used, it must be configured differently:
+
+* **Dropbear:** not vulnerable
+* **OpenSSH:** :ref:`CVE-2020-14145`
+* **PuTTY:** :ref:`CVE-2020-14002`

doc/index.rst

@@ -6,6 +6,7 @@ SSH-MITM Docs - Main Page
    :caption: Contents:
 
    quickstart
+   fingerprint
    advanced-usage
    portforwarding
    ssh_vulnerabilities

doc/quickstart.rst

@@ -1,9 +1,6 @@
 Quickstart
 ==========
 
-Introduction
-------------
-
 **SSH-MITM** is a man in the middle SSH Server for security audits and malware analysis.
 
 Password and publickey authentication are supported and SSH-MITM is able to detect, if a user is able to