SimpleUpdate with SCP - Security Concerns

new

« Prev
1
Next »

okashany
Minnow

Posts: 8

SimpleUpdate with SCP - Security Concerns Jul 3, 2023 10:58:18 GMT

Quote

Post by okashany on Jul 3, 2023 10:58:18 GMT

Hi,

When using the SimpleUpdate action for FW updates with SCP, how can we prevent MITM attacks?
We thought of transferring the server fingerprint in addition to server IP, username and password, but we haven't found a suitable field for that
except for "RemoteServerCertificates".

Any suggestions or insights on these matter would be most welcome.

Thanks,

Okashany

Last Edit: Jul 4, 2023 12:41:05 GMT by okashany

mraineri
Administrator

Posts: 1,051

SimpleUpdate with SCP - Security Concerns Jul 5, 2023 12:37:22 GMT

Quote

Post by mraineri on Jul 5, 2023 12:37:22 GMT

Without having any sort of SSH public key installation, you're correct in that we don't have a standard method of preventing man in the middle attacks. Within the "AggregationSource" schema, we did add TrustedPublicHostKeys, and it seems reasonable to me to add something similar to UpdateService for this case.