NEWS YOU CAN USE FROM VANDYKE SOFTWARE

A Monthly Newsletter - December 2002

Implementing good host key policies is an important part of network security in a Secure Shell environment. This issue explains host keys and suggests simple policies and practices to ensure that this security measure is used effectively.

Also this month, new maintenance releases are now available for CRT(TM), SecureCRT(R), and the OpenSSH extended source code.


------------
Contents
------------

1. Feature - Host Keys and Fingerprints
2. New Releases - CRT 4.0.2, SecureCRT 4.0.2, OpenSSH 3.5p1
3. Tips - Resetting Your Terminal Emulator
4. Current Releases
5. Recommended Reading - "The Art of Deception"


-----------------------------------------------------
1. Feature - Host Keys and Fingerprints
-----------------------------------------------------

Ever seen this message and wondered what to do?

-------------------
New Host Key

The host key sent by the server is different from the host key stored in the host key database...
This may mean that a hostile party has "hijacked" your connection and you are not connected to the
server you specified.

It is recommended that you verify your host key before accepting.

Server's host key fingerprint (MD5 hash):
Dc: fb:dd:9f:f2:rg:58:1q:n6:84:3d:8y:w1:0g:v5

Accept Once Accept & Save Cancel
-------------------

Educating users about the purpose and importance of the host key is a fundamental step in securing the network with SSH. If your organization's security policy doesn't address host keys, it should.

Every SSH server has a public identifier called a host key that it uses to identify itself to an SSH client. Each time a client connects to a server, the server sends its host key to the client. The SSH client verifies the server's identity by comparing this host key to the copy stored in the client's host key database. If an alert like the one above is displayed, the user's role is to find out whether the host key is the correct one and accept or reject it accordingly.

The first time a client connects to a particular server, you will see a message that the host key database does not contain an entry for that hostname. Similarly, if the stored key and the key the server sends don't match, the client alerts the user that there may be a problem with a warning such as the "New Host Key" dialog above. Since non-matching keys could be the result of anything from a corrupt key file to a fraudulent server, what should you do?

Check the identity of the server using the host key "fingerprint" displayed in the New Host Key dialog. This fingerprint is a short value computed from the host key that identifies it uniquely without revealing the server's private key. Users can check this fingerprint over the phone or by other means against the actual server fingerprint.

If you choose "Accept & Save", the client adds the host key to its local host key database. Choose this option only if you are sure that you are connecting to the correct server. "Accept Once" accepts the host key from the server for this connection only; the key is not saved in the database.

Selecting "Cancel" is the best option if the server's identity can't be verified. This rejects the host key and terminates the connection process.

Here are some suggested policies to use in managing host keys:

- Educate your users not to accept a host key without first verifying the fingerprint.
- Keep a list of host key fingerprints and their associated hosts.
- Consider distributing a prepopulated host key database file for SecureCRT or other SSH clients.
- Post a list of known host fingerprints to your intranet.
- Keep a backup of your server host keys. If a key is damaged or overwritten, restore it from the backup. This avoids having to redistribute a new host key and update the published fingerprint.
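As an added example (not from the newsletter and not VanDyke's own code), the following Python script models the check the client performs in the dialog above and the fingerprint list the policies recommend: it computes the MD5 fingerprint in the colon-separated format shown in the dialog, looks the host up in a known_hosts-style database, reports whether the key is new, matching or changed, and checks a presented key against a published fingerprint list. The hostname, key bytes, file contents and helper names are constructed for this example.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def encode_host_key(key_type: str, key_material: bytes) -> str:
    """Build the base64 key blob that a server sends and a known_hosts line stores."""
    blob = ssh_string(key_type.encode()) + ssh_string(key_material)
    return base64.b64encode(blob).decode()


def md5_fingerprint_of_blob(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of the raw (base64-decoded) key blob,
    the format the New Host Key dialog displays."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def md5_fingerprint(key_b64: str) -> str:
    """Fingerprint of a base64-encoded host key as found in known_hosts."""
    return md5_fingerprint_of_blob(base64.b64decode(key_b64))


def parse_known_hosts(text: str) -> dict:
    """Map hostname -> (key type, base64 key) from known_hosts-style lines."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, key_type, key_b64 = line.split()[:3]
        db[host] = (key_type, key_b64)
    return db


def check_host_key(db: dict, host: str, key_type: str, key_b64: str):
    """Classify the key a server presented against the local database.

    Returns (status, fingerprint) where status is 'unknown' (first contact),
    'match' (same key as stored) or 'mismatch' (the case the dialog warns about).
    The full key bytes are compared, not just the fingerprint."""
    fp = md5_fingerprint(key_b64)
    if host not in db:
        return "unknown", fp
    stored_type, stored_b64 = db[host]
    if stored_type == key_type and stored_b64 == key_b64:
        return "match", fp
    return "mismatch", fp


def matches_published_fingerprint(published: dict, host: str, key_b64: str) -> bool:
    """Out-of-band check: does the presented key match the fingerprint the
    administrators published for this host (intranet list, phone call)?"""
    expected = published.get(host)
    return expected is not None and expected.lower() == md5_fingerprint(key_b64)


# Constructed sample material: dummy 32-byte key values (not any real server's key),
# the known_hosts entry an administrator distributed, and the published fingerprint list.
SAMPLE_KEY = encode_host_key("ssh-ed25519", bytes(range(32)))
ROTATED_KEY = encode_host_key("ssh-ed25519", bytes(range(32, 64)))
SAMPLE_KNOWN_HOSTS = f"shell.example.com ssh-ed25519 {SAMPLE_KEY}\n"
PUBLISHED_FINGERPRINTS = {"shell.example.com": md5_fingerprint(SAMPLE_KEY)}

ADVICE = {
    "unknown": "first contact: verify the fingerprint out of band before Accept & Save",
    "match": "stored key matches: connect",
    "mismatch": "stored key differs: Cancel unless a key change was announced and verified",
}


def main() -> None:
    db = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    cases = [
        ("shell.example.com", SAMPLE_KEY),    # normal reconnect
        ("shell.example.com", ROTATED_KEY),   # key changed since it was saved
        ("new.example.com", SAMPLE_KEY),      # host never seen before
    ]
    for host, key in cases:
        status, fp = check_host_key(db, host, "ssh-ed25519", key)
        print(f"{host}: {status} ({fp}) -> {ADVICE[status]}")
    print("published list confirms current key:",
          matches_published_fingerprint(PUBLISHED_FINGERPRINTS, "shell.example.com", SAMPLE_KEY))


if __name__ == "__main__":
    main()
```

The database comparison uses the whole key rather than the fingerprint, so the MD5 fingerprint is only what a person reads back over the phone or compares to the posted list; the "mismatch" branch is the situation the dialog describes, and the script deliberately never auto-accepts it.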

More information about host keys and fingerprints is available in the SecureCRT and SecureFX Help files.


----------------------------------------------------------------------------------------
2. New Releases - CRT 4.0.2, SecureCRT 4.0.2, OpenSSH 3.5p1
----------------------------------------------------------------------------------------

Maintenance releases are now available for CRT 4.0.2, SecureCRT 4.0.2, and VanDyke's extended version of OpenSSH version 3.5p1 supporting the Public Key Assistant.

You can download these releases at:

http://www.vandyke.com/download/latestreleases.html

If you need quick access to download links for any previous official releases, go to:

http://www.vandyke.com/download/prevreleases.html


Updated OpenSSH Source Code

VanDyke Software has just posted an updated version of extended OpenSSH source code (version 3.5p1) as a free download on our web site. These extensions support the Public Key Assistant feature in all secure VanDyke Software products, allowing end users to upload public keys to an OpenSSH server securely. If your organization uses OpenSSH servers, get the download today:

http://www.vandyke.com/download/os/pks_form.html


----------------------------------------------------------
3. Tips - Resetting Your Terminal Emulator
----------------------------------------------------------

Occasionally, when using a terminal emulator such as CRT or SecureCRT, the emulator can be put into a non-standard state by some sequence of events on the remote system, and the display can get corrupted. In cases where this happens, you can reset the terminal by selecting "Reset" from the Edit menu.


---------------------------
4. Current Releases
---------------------------

Here are direct links to download individual products:

SecureCRT 4.0.2
http://www.vandyke.com/download/securecrt/download.html
CRT 4.0.2
http://www.vandyke.com/download/crt/index.html
SecureFX(R) 2.1.1
http://www.vandyke.com/download/securefx/download.html
VShell(TM) 2.1.1
http://www.vandyke.com/download/vshell/index.html
Entunnel(TM) 1.0.1
http://www.vandyke.com/download/entunnel/index.html
AbsoluteFTP(TM) 2.0.4
http://www.vandyke.com/download/absoluteftp/index.html
OpenSSH 3.5p1 extended
http://www.vandyke.com/download/os/pks_ossh.html


All VanDyke Software products may be downloaded and evaluated at no cost for 30 days. Licenses include one year of free upgrades and unlimited access to our expert technical support.


Pass it along! If you find this monthly newsletter helpful and informative, forward it to co-workers or friends, or tell them where to sign up.

http://www.vandyke.com/support/newreleasemailinglist.html


---------------------------------------------------------------------
5. Recommended Reading - "The Art of Deception"
---------------------------------------------------------------------

This month's pick is a hacker's collection of exploits written by Kevin Mitnick, one of the most highly publicized computer hackers. Mitnick shows how technology does little to guard against the persuasive skills of the social engineer and offers advice on how to reduce your vulnerability to these master manipulators and frequently destructive criminals.

"The Art of Deception: Controlling the Human Element of Security," by Kevin D. Mitnick, William L. Simon, and Steve Wozniak. Publisher: John Wiley & Sons; ISBN: 0471237124; (2002)

Publishers Weekly wrote: "Mitnick is the most famous computer hacker in the world. Since his first arrest in 1981, at age 17, he has spent nearly half his adult life either in prison or as a fugitive... His alleged 1982 hack into NORAD inspired the movie War Games. Since his plea-bargain release in 2000, he says he has reformed and is devoting his talents to helping computer security. It's not clear whether this book is a means toward that end or a wink-wink, fictionalized account of his exploits, with his name changed to protect his parole terms. Either way, it's a tour de force, a series of tales of how some old-fashioned blarney and high-tech skills can pry any information from anyone." (Copyright 2002, Cahners Business Information, Inc.)

Read a great book lately? Submit your recommendation to newsletters@vandyke.com. If we publish your selection, we'll send you a gorgeous VanDyke Software T-shirt.


Quote of the Month

"Every organization faces [an] uneasy balance between strong security and employee productivity, which leads some employees to ignore security policies, not accepting how essential those safeguards are for protecting the integrity of sensitive corporate information."
--Kevin Mitnick in "The Art of Deception"


------------------------
Subscription Information
------------------------

VanDyke Company News is an opt-in mailing list. If you prefer not to receive e-mail like this from us, you can unsubscribe or change your e-mail address at:

http://www.vandyke.com/support/newreleasemailinglist.html

You may also send an e-mail message to:

listserv@listserv.vandyke.com

with the following message in the body of your e-mail:

unsubscribe vandyke-company-news


---

VanDyke Software, CRT, SecureCRT, SecureFX, Entunnel, AbsoluteFTP, and VShell are trademarks or registered trademarks of VanDyke Software, Inc. All other products and services mentioned are trademarks or registered trademarks of their respective companies.
