spoof rsa fingerprint
Patrick O'Callaghan
pocallaghan at gmail.com
Sun Nov 15 13:08:36 UTC 2009
On Sun, 2009-11-15 at 02:32 -0800, Eugeneapolinary Ju wrote:
> so the attacker can't generate a spoofed fingerprint like the one used
> on the server? even when using only password authentication?
[Please don't top-post on this list. See the Guidelines]
Did you read the URL I posted? It's a tutorial with very explicit
information. If you understand how public-key crypto works, you'll
realize that spoofing the fingerprint doesn't help the attacker.
Also, password-only authentication only happens *after* the secure
channel is established. See the ssh(1) manpage:
    Finally, if other authentication methods fail, ssh prompts the
    user for a password. The password is sent to the remote host for
    checking; however, since all communications are encrypted, the
    password cannot be seen by someone listening on the network.
All this assumes that the client and server have had a previous
communication where they set up their keys, which is why in the scenario
you asked about ssh checks the fingerprint. Obviously if the server has
never had such a previous communication, it has no way of genuinely
authenticating the client within the session, so the user either has to
assume everything is OK the first time, or use an out-of-band channel
such as a physical file copy to establish the keys on either side.
poc
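
An added example, not part of the original message: how a client-side fingerprint check against a value obtained out of band can be computed from the public key the server offers. The key lines are constructed placeholders and the helper names are hypothetical; a matching fingerprint only identifies which public key was offered, and the server still has to prove possession of the private key during key exchange.

```python
import base64
import hashlib
import hmac
import struct


def parse_pubkey_line(line):
    """Return (key_type, blob) from an OpenSSH line: 'type base64 [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was corrupted or altered.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match blob")
    return key_type, blob


def fingerprint_sha256(blob):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Older colon-separated hex MD5 fingerprint, as shown by 2009-era clients."""
    hexd = hashlib.md5(blob).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def matches_pinned(line, pinned):
    """True if the offered key hashes to the fingerprint obtained out of band."""
    _, blob = parse_pubkey_line(line)
    return hmac.compare_digest(fingerprint_sha256(blob), pinned)


def make_constructed_line(seed):
    """Build a constructed (not real) ssh-ed25519 public key line for the demo."""
    name = b"ssh-ed25519"
    key = hashlib.sha256(seed).digest()  # 32 placeholder bytes, not a real key
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    server = make_constructed_line(b"server")
    pinned = fingerprint_sha256(parse_pubkey_line(server)[1])
    print(pinned, matches_pinned(server, pinned))
    print(matches_pinned(make_constructed_line(b"other"), pinned))
```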