Ssh MITM attack when using tor
jamuir at scs.carleton.ca
Fri Feb 2 21:04:55 UTC 2007
Juliusz Chroboczek wrote:
> What are you supposed to do when you notice a MITM attack? How do you
> find out the exit node, and where do you report it to?
> I'm running ssh as so:
> ssh -A -C -o 'ProxyCommand socat - SOCKS4A:localhost:%h:%p,socksport=9050' "$@"
Just curious -- how does ssh inform you that a man-in-the-middle (i.e.
the exit node) is trying to victimize you?
If you have access to the logs on the machine you were ssh'ing into, you
should find the IP address of the exit node there. Once you have
identified the malicious exit node, I would inform one of the Tor
designers. In the future, you can turn on Tor's logging and look in the
log file there to see what your exit node is (you may have to turn off
"SafeLogging" in order to see Tor node names).
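The server-side log check suggested in the reply, as an added example that is not part of the original post: it pulls the peer addresses sshd logged within a time window, so the connection that came through Tor can be matched to an exit node's IP. It assumes OpenSSH's classic syslog line format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of sshd syslog lines. Hostname, user, PIDs and the
# addresses (documentation ranges) are made up for this example.
sample_log() {
cat <<'EOF'
Feb  2 20:41:07 shell1 sshd[4012]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
Feb  2 20:58:31 shell1 sshd[4177]: Connection closed by 192.0.2.45
Feb  2 20:58:40 shell1 sshd[4180]: Did not receive identification string from 192.0.2.45
Feb  2 20:59:02 shell1 cron[4190]: (root) CMD (run-parts /etc/cron.hourly)
Feb  2 21:02:15 shell1 sshd[4203]: Accepted publickey for alice from 203.0.113.9 port 51877 ssh2
EOF
}

# ssh_peers FROM TO   (both HH:MM, same day, inclusive)
# Reads syslog lines on stdin and prints "HH:MM:SS address" for every sshd
# message in the window that names a peer after "from" or "by". Failed and
# aborted connections are included, because a session the client abandoned
# may leave no "Accepted" line.
ssh_peers() {
    awk -v lo="$1" -v hi="$2" '
        $5 ~ /^sshd\[/ {
            t = substr($3, 1, 5)              # HH:MM of the log entry
            if (t < lo || t > hi) next        # outside the window
            for (i = 6; i < NF; i++)
                if (($i == "from" || $i == "by") &&
                    $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    print $3, $(i + 1)
                    break
                }
        }'
}

# Peers seen in the minutes before 21:00 in the sample log.
sample_log | ssh_peers 20:55 21:00
```

On a real server the input would be the system's auth log rather than `sample_log`, and the window would be the minutes around the client's host-key warning.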