On Tue, 8 Aug 2017 18:51:51 -1100, Mirimir <mirimir@riseup.net> wrote:
> On 08/08/2017 01:48 PM, Steven Chamberlain wrote:
>> Hi,
>>
>> I often run my SSH sessions via Tor using tsocks. But today I see:
>>
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>> It is also possible that a host key has just been changed.
>> The fingerprint for the RSA key sent by the remote host is
>> e7:0e:73:a5:88:23:67:9c:01:87:3c:61:96:f6:e8:0a.
>
> I've seen that happen with Digital Ocean droplets. And when I've checked, I've found that the host key had, in fact, changed. Did you check for that?
>
>> The authenticity of host '8.8.8.8 (8.8.8.8)' can't be established.
>> RSA key fingerprint is e7:0e:73:a5:88:23:67:9c:01:87:3c:61:96:f6:e8:0a.
>> Are you sure you want to continue connecting (yes/no)? :
>
> That's not even a host key change. It's just that you don't yet have the host key.
>
>> I could be wrong, but I think this "dropbear" service is most likely something malicious, running on one or more Tor exit nodes, attempting to collect passwords of people logging in this way.
>
> No, dropbear is an SSH server that 8.8.8.8 seems to be running.

Did you try ssh'ing into 8.8.8.8 (outside of Tor)? It does not run a public SSH server at all (obviously).

The point was to demonstrate that the exit node intercepts port 22 connections to any IP, and redirects them to the same particular instance of dropbear. Note how in both cases it's the same key fingerprint of e7:0e:73:a5:88:23:67:9c:01:87:3c:61:96:f6:e8:0a.
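The observation at the end of the thread, one host key presented by two unrelated IP addresses, is easy to turn into a scripted check. The following is an added example, not code from the thread or from either poster: it parses ssh-keyscan style lines gathered for several hosts (in practice you would collect them through the same Tor circuit, e.g. with tsocks), computes both the legacy colon-separated MD5 fingerprint that the quoted OpenSSH output shows and the SHA256 form newer OpenSSH prints, and reports any fingerprint that more than one host presents. The hosts, the keyscan lines and the RSA "keys" are constructed sample data (the moduli are arbitrary numbers, not real keys); 203.0.113.7 is a documentation-range address chosen for the example.

```python
"""Detect a shared SSH host key across unrelated hosts.

Added example, not code from the original thread. If a Tor exit redirects
every port-22 connection to one dropbear instance, every host reached
through it presents the same host key. Given ssh-keyscan style output for
several unrelated hosts, compute the legacy MD5 and modern SHA256
fingerprints and report any fingerprint shared by more than one host.
All hosts and keys below are constructed; the moduli are not real RSA keys.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian bytes with a leading 0x00 when the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def make_rsa_blob(e: int, n: int) -> bytes:
    """Encode an RSA public key as the 'ssh-rsa' wire blob (RFC 4253 section 6.6)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH (pre-6.8) fingerprint: MD5 of the key blob as colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> dict:
    """Parse ssh-keyscan output ('<host> <keytype> <base64>') into {host: key blob}."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _keytype, b64 = line.split()[:3]
        hosts[host] = base64.b64decode(b64)
    return hosts


def shared_keys(hosts: dict) -> dict:
    """Group hosts by MD5 fingerprint; keep only fingerprints presented by more than one host."""
    by_fp = defaultdict(list)
    for host, blob in hosts.items():
        by_fp[md5_fingerprint(blob)].append(host)
    return {fp: sorted(hs) for fp, hs in by_fp.items() if len(hs) > 1}


# Constructed sample data: two unrelated addresses present the identical key,
# which is what a port-22-intercepting exit would produce; example.test has its own.
INTERCEPT_BLOB = make_rsa_blob(65537, 0xC0FFEE_DEADBEEF_0BADF00D_CAFEBABE)
LEGIT_BLOB = make_rsa_blob(65537, 0x1234_5678_9ABC_DEF0_1357_9BDF_2468_ACE0)

SAMPLE_KEYSCAN = "\n".join([
    "# constructed; same layout as 'ssh-keyscan -t rsa <host>' output",
    "8.8.8.8 ssh-rsa " + base64.b64encode(INTERCEPT_BLOB).decode(),
    "203.0.113.7 ssh-rsa " + base64.b64encode(INTERCEPT_BLOB).decode(),
    "example.test ssh-rsa " + base64.b64encode(LEGIT_BLOB).decode(),
])


def report(text: str) -> list:
    """Return one warning per fingerprint shared by unrelated hosts (empty list if none)."""
    warnings = []
    for fp, hs in shared_keys(parse_keyscan(text)).items():
        warnings.append(f"same host key {fp} presented by {', '.join(hs)}: possible port-22 interception")
    return warnings


if __name__ == "__main__":
    for host, blob in parse_keyscan(SAMPLE_KEYSCAN).items():
        print(f"{host:14} {md5_fingerprint(blob)}  {sha256_fingerprint(blob)}")
    for line in report(SAMPLE_KEYSCAN):
        print("WARNING:", line)
```

Pick the probe targets so that at least one is an address you know does not run SSH, as 8.8.8.8 was used above: a key from such a host is itself the finding, and the shared fingerprint then tells you which of your other targets were answered by the same interceptor rather than by the real server.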