SSH host key authentication can be bypassed when DNS is used to resolve localhost

ID VU:786900
Type cert
Reporter CERT
Modified 2002-03-05T00:00:00



This vulnerability allows an attacker to redirect an SSH connection to an arbitrary host.


When making connections to localhost, SSH disables host key checking to provide compatibility with NFS filesystems. As a result, if the victim's machine uses a poisoned DNS server to resolve localhost, it is possible to redirect the victim's SSH session to a different host.

In most SSH clients, users are asked to confirm the acceptance of a host key the first time it is presented. If the user accepts the host key, they are asserting that the key represents the host they intended to connect to. But if an attacker exploits this vulnerability, the victim will not be asked for this confirmation because host key checking has been disabled. Therefore, even the most attentive users will not be able to detect that they have been redirected.


An attacker can redirect a victim's SSH connection to an arbitrary host.


Do not use DNS to resolve "localhost". Instead, explicitly configure all hosts to use for localhost.
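
One way to audit a host for the configuration recommended above, as an added example that is not part of the original advisory: it checks that `localhost` has a static hosts-file entry pointing at a loopback address and that the hosts file is consulted before DNS. The glibc-style `nsswitch.conf` format, the function names and the sample inputs are assumptions of this example.

```python
import ipaddress

# Constructed sample inputs (not taken from any real system).
GOOD_HOSTS = "127.0.0.1 localhost\n::1 localhost ip6-localhost\n"
BAD_HOSTS = "# localhost entry missing\n192.0.2.10 buildhost\n"
GOOD_NSS = "hosts: files dns\n"
BAD_NSS = "hosts: dns files\n"

def localhost_entries(hosts_text):
    """Return the addresses a hosts file maps to the name 'localhost'."""
    addrs = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()          # drop comments
        if len(fields) >= 2 and "localhost" in (n.lower() for n in fields[1:]):
            addrs.append(fields[0])
    return addrs

def files_before_dns(nsswitch_text):
    """True if the 'hosts:' line lists 'files' ahead of 'dns' (or omits dns)."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            # Ignore action items such as [NOTFOUND=return].
            sources = [s for s in line[len("hosts:"):].split() if not s.startswith("[")]
            if "files" not in sources:
                return False
            return "dns" not in sources or sources.index("files") < sources.index("dns")
    return False  # no hosts: line found; treat the order as unverified

def audit(hosts_text, nsswitch_text):
    """Return a list of findings; an empty list means localhost is pinned locally."""
    findings = []
    addrs = localhost_entries(hosts_text)
    if not addrs:
        findings.append("localhost has no static entry; resolution may fall through to DNS")
    for a in addrs:
        try:
            if not ipaddress.ip_address(a.split("%")[0]).is_loopback:
                findings.append(f"localhost mapped to non-loopback address {a}")
        except ValueError:
            findings.append(f"unparseable address {a!r}")
    if not files_before_dns(nsswitch_text):
        findings.append("hosts file is not consulted before DNS")
    return findings

if __name__ == "__main__":
    for name, h, n in [("good", GOOD_HOSTS, GOOD_NSS), ("bad", BAD_HOSTS, BAD_NSS)]:
        print(name, audit(h, n) or "OK")
```

To audit a real system, pass the contents of its hosts file and resolver order configuration to `audit()` instead of the constructed samples.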

Systems Affected

Vendor| Status| Date Notified| Date Updated
SSH Communications Security| | -| 06 Feb 2001
OpenSSH| | -| 29 Oct 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A




The CERT/CC thanks Antti Huima, Tuomas Aura, and Janne Salmi for their analysis and Tatu Ylonen for bringing this vulnerability to our attention.

This document was written by Jeffrey P. Lanza.

Other Information

  • CVE IDs: Unknown
  • Date Public: 18 Jan 2001
  • Date First Published: 18 Jan 2001
  • Date Last Updated: 05 Mar 2002
  • Severity Metric: 0.46
  • Document Revision: 12