SSH MITM at Best Western

I'm currently staying in a Best Western hotel in Eureka, CA, avoiding the Bay Area heat wave, and I noticed something remarkable: the hotel's free WiFi network performs automatic man-in-the-middle interception of all SSH traffic. I've literally never seen this before on public WiFi... Check it out:

$ ssh
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /Users/jbrown/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/jbrown/.ssh/known_hosts:5
Host key for has changed and you have requested strict checking.
Host key verification failed

Let's do some investigation:

$ ssh -o UserKnownHostsFile=/dev/null
The authenticity of host ' (' can't be established.
ED25519 key fingerprint is SHA256:ErqVjEww5yRVsA1VulMkVL6RCfA3OA6hO0YqMMVOfkE.
+--[ED25519 256]--+
| .=oE**o+        |
| .oO.* B o       |
|o+o =.B O        |
|.+o+.* B +       |
|o +.+ O S        |
|.. . o o         |
|    .            |
|                 |
|                 |
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ED25519) to the list of known hosts.
Received disconnect from port 22:2: Connection blocked because server only allows public key authentication. Please contact your network administrator.
Disconnected from port 22

It looks like it's not generating unique keys for every host, because I get SHA256:ErqVjEww5yRVsA1VulMkVL6RCfA3OA6hO0YqMMVOfkE every time.
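The tell in the output above is that unrelated destinations all present one fingerprint. The script below is an added example (not the author's code) that makes that check mechanical: it parses `ssh-keyscan`-style lines (`host keytype base64blob`, the same format as `known_hosts`), computes the OpenSSH SHA256 fingerprint the way `ssh-keygen -l` does (base64 of SHA-256 over the raw key blob, padding stripped), flags any key presented by more than one host, and compares what the network presents now against what is pinned in a `known_hosts` file. The sample hosts and key blobs are constructed for the example; the blobs are well-formed ssh-ed25519 structures but not real key pairs.

```python
"""Spot a shared or changed SSH host key from ssh-keyscan / known_hosts data."""
import base64
import hashlib
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return len(data).to_bytes(4, "big") + data


def fake_ed25519_blob(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public-key blob as demo input.

    The 32 'key' bytes are derived from the seed; this is a constructed blob,
    not a real key pair. It only needs the right structure for fingerprinting.
    """
    point = hashlib.sha256(b"constructed-demo-key-%d" % seed).digest()  # 32 bytes
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(point)).decode()


def fingerprint_sha256(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(SHA-256(raw blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> list:
    """Parse 'host keytype base64blob' lines; skip comments, @markers and hashed (|1|) hosts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@", "|1|")):
            continue
        parts = line.split()
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2]))
    return entries


def shared_keys(entries) -> dict:
    """Map each fingerprint presented by more than one distinct host to those hosts."""
    by_fp = defaultdict(set)
    for host, _keytype, blob in entries:
        by_fp[fingerprint_sha256(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


def changed_keys(known_hosts_text: str, keyscan_text: str) -> list:
    """Return (host, pinned_fp, observed_fp) where the presented key differs from known_hosts."""
    pinned = {}
    for host, keytype, blob in parse_keyscan(known_hosts_text):
        for name in host.split(","):  # known_hosts allows 'name,ip' aliases on one line
            pinned[(name, keytype)] = fingerprint_sha256(blob)
    changed = []
    for host, keytype, blob in parse_keyscan(keyscan_text):
        observed = fingerprint_sha256(blob)
        expected = pinned.get((host, keytype))
        if expected is not None and expected != observed:
            changed.append((host, expected, observed))
    return changed


# Constructed sample: three unrelated destinations present the same key (the
# pattern described in the post), while a fourth presents its own.
SHARED = fake_ed25519_blob(1)
SAMPLE_KEYSCAN = f"""\
# ssh-keyscan output (constructed for this example)
git.example.net ssh-ed25519 {SHARED}
shell.example.org ssh-ed25519 {SHARED}
[bastion.example.com]:2222 ssh-ed25519 {SHARED}
honest.example.edu ssh-ed25519 {fake_ed25519_blob(2)}
"""

# Constructed known_hosts: git.example.net was pinned to a different key earlier.
SAMPLE_KNOWN_HOSTS = f"""\
git.example.net ssh-ed25519 {fake_ed25519_blob(3)}
honest.example.edu ssh-ed25519 {fake_ed25519_blob(2)}
"""


def main() -> None:
    scan = parse_keyscan(SAMPLE_KEYSCAN)
    for fp, hosts in shared_keys(scan).items():
        print(f"{fp} is presented by {len(hosts)} unrelated hosts: {', '.join(hosts)}")
    for host, expected, observed in changed_keys(SAMPLE_KNOWN_HOSTS, SAMPLE_KEYSCAN):
        print(f"{host}: known_hosts pins {expected}, network presented {observed}")


if __name__ == "__main__":
    main()
```

On a real network you would feed `ssh-keyscan -t ed25519 host1 host2 ...` output into `parse_keyscan` and your own `~/.ssh/known_hosts` into `changed_keys`; one fingerprint shared by hosts that have nothing to do with each other is the interception signature, and a pinned key that differs from the presented one is exactly the condition that produced the warning at the top of the post.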

Some more useful information:

debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5+deb11u1
$ curl

$ whois

NetRange: -
NetName:        SUDDE
NetHandle:      NET-173-216-0-0-1
Parent:         NET173 (NET-173-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS19108
Organization:   Suddenlink Communications (SUDDE)
RegDate:        2009-09-16
Updated:        2012-03-20

Based on traceroutes, it really does look like all of my traffic is being routed through some central facility in Texas that's doing god knows what DPI on it.[1]

I wonder what would happen if I connected to a server that does allow password authentication? Is this middlebox snarfing up the usernames and passwords of people dumb enough to accept its fake host key?

Thankfully, while Best Western blocks most VPNs, it does not yet know about WireGuard, so I'd recommend running everything through WireGuard (or Tailscale) if you happen to be at a Best Western in a part of the country with negligible cellular coverage and want to use the Internet.


[1] They're catching SSH even if I run it on a non-standard port, so they must be running traffic fingerprinting software of some kind, not just matching on tcp/22.
