Hardware potential to duplicate existing host keys... RSA DSA
ECDSA was Add rc.conf variables...
Dag-Erling Smørgrav
des at des.no
Mon Jun 25 16:09:17 UTC 2012
RW <rwmaillists at googlemail.com> writes:
> Dag-Erling Smørgrav <des at des.no> writes:
> > You do know that these keys are used only for authentication, and
> > not for encryption, right?
> I'm not very familiar with ssh, but surely they're also used for
> session-key exchange, which makes them crucial to encryption. They
> should be as secure as the strongest symmetric cipher they need to work
> with.
No. They are used for authentication only. This is crypto 101.
Having a copy of the host key allows you to do one thing and one thing
only: impersonate the server. It does not allow you to eavesdrop on an
already-established connection.
If the server is set up to require key-based user authentication, an
attacker would also have to obtain the user's key to mount an effective
man-in-the-middle attack.
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security
mailing list