On Thu May 22 2008, Toshio Kuratomi wrote:
> It seems like this would be open to attack in the special case where the
> user has never logged into 1) The server they think they're connecting
> to 2) The machine the malicious server is actually trying to
> authenticate them against. In this scenario the client doesn't have
> host keys for either of the remote machines so it's unable to verify
> that the malicious server is lying to it.

This is also not possible with public key authentication, because the
server needs to create a signature with the host key when the session
encryption key is generated. In case the attacker forwards the network
traffic in this phase to the other server, he will not be able to decrypt
the authentication phase. If he uses his own host key, then the signature
used for authentication will not be accepted by the other server.

Regards,
Till
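To show why the relayed signature is rejected, here is an added Python model (not from this thread or from any SSH implementation) of the binding Till describes: the client's publickey signature covers a session id that is derived from the server host key, so a signature made against the attacker's host key does not verify at the real server. The Lamport signature, the simplified session-id inputs and all key and nonce values are constructed stand-ins.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over the parts; stands in for the SSH exchange hash."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def session_id(client_nonce, server_nonce, host_key, shared_secret):
    """Exchange hash H of RFC 4253: the server host key blob K_S is one of its inputs."""
    return h(client_nonce, server_nonce, host_key, shared_secret)

def userauth_to_sign(sid, user, pubkey_blob):
    """Fields the client signs for publickey auth (RFC 4252 section 7); session id first."""
    return h(sid, b"\x32", user, b"ssh-connection",  # 0x32 = SSH_MSG_USERAUTH_REQUEST
             b"publickey", b"\x01", b"toy-lamport", pubkey_blob)

# Toy Lamport one-time signature: a genuine public-key scheme needing only hashlib.
# Hypothetical stand-in for the client's SSH key; it is not an SSH algorithm.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk, b"".join(a + b for a, b in pk)

def _bits(msg):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return all(hashlib.sha256(s).digest() == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def relay_outcome():
    """Returns (honest_login_ok, relayed_login_ok)."""
    sk, pk, blob = keygen()
    real_host_key = secrets.token_bytes(32)  # constructed: the real server's K_S
    mitm_host_key = secrets.token_bytes(32)  # constructed: the attacker's own K_S
    cn, sn, k = (secrets.token_bytes(16) for _ in range(3))
    user = b"alice"
    sid_real = session_id(cn, sn, real_host_key, k)  # what the real server computes
    # Honest login: the client also saw the real host key, so the session ids match.
    sig = sign(sk, userauth_to_sign(sid_real, user, blob))
    honest_ok = verify(pk, userauth_to_sign(sid_real, user, blob), sig)
    # Relay: the attacker showed the client its own host key and forwards the signature.
    # Nonces and secret are kept equal to isolate the host key; really the DH secret differs too.
    sid_mitm = session_id(cn, sn, mitm_host_key, k)
    sig = sign(sk, userauth_to_sign(sid_mitm, user, blob))
    relayed_ok = verify(pk, userauth_to_sign(sid_real, user, blob), sig)
    return honest_ok, relayed_ok
```

The honest case verifies and the relayed case fails because the signed data begins with a session id the real server never derived.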