A standard tool for secure remote access, the SSH protocol uses public-key cryptography to establish an encrypted and integrity-protected
channel with a remote server. However, widely deployed implementations of the protocol are vulnerable to man-in-the-middle
attacks: because the client has no a priori way to learn the server's genuine public key, an adversary can substitute her own
public key for the server's, and the client cannot tell the difference. This danger particularly threatens a traveling user
Bob borrowing a client machine, since the borrowed machine holds no record of the server's key from any earlier connection.
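The following is an added example, not code from the paper or from its modified client, constructed to show why the key-substitution attack succeeds against a borrowed client. It reduces SSH host-key checking to its essential decision: compare the fingerprint of the key the server presents against the fingerprint the client already holds for that host. Host keys are modelled as random blobs (the key-exchange signature is omitted, because an attacker holding her own key pair produces a valid signature under it; the only defense is binding the key to the host identity). The host name shell.example.org, the KnownHosts class and the scenario names are assumptions of this example; the "SHA256:" fingerprint presentation matches the one OpenSSH prints.

```python
"""Toy model of SSH host-key verification and man-in-the-middle key substitution.
Constructed illustration, not the paper's code. Host keys are random 32-byte
blobs standing in for a real public key; fingerprints are computed the way
OpenSSH presents them (SHA-256 of the key blob, unpadded base64)."""
import base64
import hashlib
import hmac
import os

HOST = "shell.example.org"  # assumed server name for the scenarios below


def gen_hostkey() -> bytes:
    """Stand-in for a host public key: an opaque random blob."""
    return os.urandom(32)


def fingerprint(public: bytes) -> str:
    """OpenSSH-style presentation: 'SHA256:' + base64(sha256(key)) without padding."""
    digest = hashlib.sha256(public).digest()
    return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode("ascii")


class KnownHosts:
    """Minimal known_hosts: host name -> pinned fingerprint of the genuine key."""

    def __init__(self, entries=None):
        self.entries = dict(entries or {})

    def check(self, host: str, presented_pub: bytes, tofu: bool) -> str:
        """Decide whether to accept the key a server presents for `host`.

        tofu=True models a user answering "yes" to OpenSSH's default
        StrictHostKeyChecking=ask prompt on a host with no pinned entry
        (trust on first use); tofu=False models StrictHostKeyChecking=yes.
        """
        fp = fingerprint(presented_pub)
        pinned = self.entries.get(host)
        if pinned is None:
            if tofu:
                self.entries[host] = fp  # nothing to compare against: pin whatever arrived
                return "accepted-new"
            return "rejected-unknown"
        if hmac.compare_digest(pinned, fp):
            return "accepted"
        return "rejected-mismatch"


def run_scenarios() -> dict:
    """Genuine server vs. an adversary substituting her own key, on three clients."""
    server_pub = gen_hostkey()
    attacker_pub = gen_hostkey()  # the adversary's own key pair, presented in place of the server's
    results = {}

    # Bob's own laptop: the genuine key was pinned on an earlier, unattacked connection.
    home = KnownHosts({HOST: fingerprint(server_pub)})
    results["home_genuine"] = home.check(HOST, server_pub, tofu=True)
    results["home_mitm"] = home.check(HOST, attacker_pub, tofu=True)

    # Borrowed machine: empty known_hosts. The adversary's key arrives first and is pinned;
    # the later genuine key is then the one that looks like an attack.
    borrowed = KnownHosts()
    results["borrowed_mitm"] = borrowed.check(HOST, attacker_pub, tofu=True)
    results["borrowed_then_genuine"] = borrowed.check(HOST, server_pub, tofu=True)

    # Strict client with no pinned entry: safe, but cannot connect at all without
    # some out-of-band way to obtain the genuine key (the gap the paper addresses).
    strict = KnownHosts()
    results["strict_mitm"] = strict.check(HOST, attacker_pub, tofu=False)
    results["strict_genuine"] = strict.check(HOST, server_pub, tofu=False)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} {outcome}")
```

The borrowed-client row is the case the abstract is about: with no pinned fingerprint, the client's only options are to refuse every unknown host or to trust whatever key arrives first, and an in-path adversary controls which key that is.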
Imposing a traditional X.509 PKI on all SSH servers and clients is neither flexible nor scalable nor (in the foreseeable future)
practical. Requiring extensive work or an SSL server at Bob’s site is also not practical for many users.
This paper presents our experiences designing and implementing an alternative scheme that solves the public-key security problem
in SSH without requiring such an a priori universal trust structure or extensive sysadmin work—although it does require a
modified SSH client. (The code is available for public download.)
This work was supported in part by the Mellon Foundation, by Internet2/AT&T, and by the Office for Domestic Preparedness,
U.S. Department of Homeland Security (2000-DT-CX-K001). The views and conclusions do not necessarily represent those of the
sponsors. A preliminary version of this paper appeared as Technical Report TR2003-441, Department of Computer Science, Dartmouth
College.