Hardware potential to duplicate existing host keys... RSA DSA
ECDSA was Add rc.conf variables...
Doug Barton
dougb at FreeBSD.org
Tue Jun 26 01:01:30 UTC 2012
On 06/25/2012 17:53, RW wrote:
> On Mon, 25 Jun 2012 16:45:24 -0700
> Doug Barton wrote:
>
>> On 06/25/2012 15:53, RW wrote:
>>> On Mon, 25 Jun 2012 14:59:05 -0700
>>> Doug Barton wrote:
>>>
>>>>>> Having a copy of the host key allows you to do one thing and one
>>>>>> thing only: impersonate the server. It does not allow you to
>>>>>> eavesdrop on an already-established connection.
>>>>>
>>>>> It enables you to eavesdrop on new connections,
>>>>
>>>> Can you describe the mechanism used to do this?
>>>
>>> Through a MITM attack if nothing else
>>
>> Sorry, I wasn't clear. Please describe, in precise, reproducible
>> terms, how one would accomplish this. Or, link to known script-kiddie
>> resources ... whatever. My point being, I'm pretty confident that
>> what you're asserting isn't true. But if I'm wrong, I'd like to learn
>> why.
>
> Servers don't always require client keys for authentication. If they
> don't then a MITM attack only needs the server's key.
Once again, please describe *how* the MITM is accomplished. If you
can't, then please stop posting on this topic.
My point is that the ssh protocol is designed specifically to prevent
what you're describing.
Doug
--
This .signature sanitized for your protection
More information about the freebsd-security
mailing list