SSH MITM at Best Western

I'm currently staying in a Best Western hotel in Eureka, CA, avoiding the Bay Area heat wave, and I noticed something remarkable: the hotel's free WiFi network performs automatic man-in-the-middle interception of all SSH traffic. I've literally never seen this before on public WiFi... Check it out:

$ ssh github.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:lDE/b9yqZmX2oUniEgQvWsxWeq7wyRTghSYS649tLHk.
Please contact your system administrator.
Add correct host key in /Users/jbrown/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/jbrown/.ssh/known_hosts:5
Host key for github.com has changed and you have requested strict checking.
Host key verification failed

Let's do some investigation:

$ ssh -o UserKnownHostsFile=/dev/null github.com
The authenticity of host 'github.com (192.30.255.113)' can't be established.
ED25519 key fingerprint is SHA256:ErqVjEww5yRVsA1VulMkVL6RCfA3OA6hO0YqMMVOfkE.
+--[ED25519 256]--+
| .=oE**o+        |
| .oO.* B o       |
|o+o =.B O        |
|.+o+.* B +       |
|o +.+ O S        |
|.. . o o         |
|    .            |
|                 |
|                 |
+----[SHA256]-----+
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'github.com' (ED25519) to the list of known hosts.
Received disconnect from 192.30.255.113 port 22:2: Connection blocked because server only allows public key authentication. Please contact your network administrator.
Disconnected from 192.30.255.113 port 22

It looks like it's not generating unique keys for every host, because I get SHA256:ErqVjEww5yRVsA1VulMkVL6RCfA3OA6hO0YqMMVOfkE every time.
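One way to check for that tell from the client side, as an added example that is not part of the original post: take `ssh-keyscan` output for several hosts, compute OpenSSH-style SHA256 fingerprints, and flag any single key presented by more than one host. The scan output below is constructed sample data, not real keys.

```python
import base64
import hashlib
from collections import defaultdict


def _blob(key_type: str, raw: bytes) -> str:
    """Encode an SSH public key blob (type string + key bytes) as base64."""
    def s(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(key_type.encode()) + s(raw)).decode()


# Constructed keys (not real): three hosts present the identical key, one does not.
KEY_A = _blob("ssh-ed25519", bytes(range(32)))
KEY_B = _blob("ssh-ed25519", bytes(range(32, 64)))
SCAN_OUTPUT = f"""# github.com:22 SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1
github.com ssh-ed25519 {KEY_A}
# gitlab.example:22 SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1
gitlab.example ssh-ed25519 {KEY_A}
# [git.example]:2222 SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1
[git.example]:2222 ssh-ed25519 {KEY_A}
# internal.example:22 SSH-2.0-OpenSSH_9.2
internal.example ssh-ed25519 {KEY_B}
"""


def fingerprint(b64_key: str) -> str:
    """OpenSSH SHA256 fingerprint: base64 of SHA-256 over the raw blob, '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> dict:
    """Map each host entry in ssh-keyscan output to the fingerprint it presented."""
    hosts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):  # keyscan prints banners as comments
            continue
        host, _key_type, b64_key = line.split()[:3]
        hosts[host] = fingerprint(b64_key)
    return hosts


def shared_keys(hosts: dict, threshold: int = 2) -> dict:
    """Fingerprints presented by `threshold` or more distinct hosts: the interception tell."""
    by_fp = defaultdict(list)
    for host, fp in hosts.items():
        by_fp[fp].append(host)
    return {fp: sorted(h) for fp, h in by_fp.items() if len(h) >= threshold}


if __name__ == "__main__":
    for fp, hs in shared_keys(parse_keyscan(SCAN_OUTPUT)).items():
        print(f"{fp} presented by {len(hs)} hosts: {', '.join(hs)}")
```

Replace SCAN_OUTPUT with the real output of `ssh-keyscan -t ed25519 host1 host2 ...` to run the same check on a network you are on.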

Some more useful information:

debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5+deb11u1
$ curl ifconfig.me
173.219.119.251

$ whois 173.219.119.251
# whois.arin.net

NetRange:       173.216.0.0 - 173.219.255.255
CIDR:           173.216.0.0/14
NetName:        SUDDE
NetHandle:      NET-173-216-0-0-1
Parent:         NET173 (NET-173-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS19108
Organization:   Suddenlink Communications (SUDDE)
RegDate:        2009-09-16
Updated:        2012-03-20
Comment:        http://www.suddenlink.com
Ref:            https://rdap.arin.net/registry/ip/173.216.0.0

Based on traceroutes, it really does look like all of my traffic is being routed through some central facility in Texas that's doing god knows what DPI on it [1].

I wonder what would happen if I connected to a server that does allow password authentication? Is this middlebox snarfing up usernames and passwords of people dumb enough to accept its fake host-key?

Thankfully, while Best Western blocks most VPNs, it does not yet know about WireGuard, so I'd recommend running everything through WireGuard (or Tailscale) if you happen to be at a Best Western in a part of the country with negligible cellular coverage and want to use the Internet.

[1] They're catching SSH even if I run it on a non-standard port, so they must be running traffic fingerprinting software of some kind, not just matching on tcp/22.
