so the attacker can't generate a spoofed fingerprint like the one used on the server? even when using only password authentication?

--- On Sun, 11/15/09, Patrick O'Callaghan <pocallaghan@xxxxxxxxx> wrote:

> From: Patrick O'Callaghan <pocallaghan@xxxxxxxxx>
> Subject: Re: spoof rsa fingerprint
> To: fedora-list@xxxxxxxxxx
> Date: Sunday, November 15, 2009, 1:27 AM
> On Sat, 2009-11-14 at 15:09 -0800, Eugeneapolinary Ju wrote:
> > When I first log in to my router [192.168.1.1] through ssh, it says:
> >
> > The authenticity of host 'XXXX.XX (192.168.1.1)' can't be established.
> > RSA key fingerprint is 51:c6:d1:7a:45:c4:74:3e:31:ee:3a:5a:2d:e1:bf:74.
> > Are you sure you want to continue connecting (yes/no)?
> >
> > that's OK [it gets stored in the known_hosts file, on my client machine].
> >
> > But:
> >
> > what happens, if someone turns off my router, then installs a pc with ip 192.168.1.1?
> >
> > And! - it spoofs _the same rsa fingerprint_, that was on my router.
> >
> > Then, when I want to log in to 192.168.1.1, I will type my password, and it will steal my password...
> >
> > So the question is:
> >
> > Could that be possible, to spoof the rsa_fingerprint? [because the router says the fingerprint when first logging in to it, etc..so could that be spoofed?]
>
> The fingerprint is simply a hash of the router's full public key.
> Spoofing the fingerprint still won't enable the spoofer to understand
> encrypted communications sent to them (which will continue to use the
> router's genuine public key since the client hasn't noticed anything
> changed). The spoofer can't guess the private key from the public key
> without physical access to the router.
>
> If the spoofer generates its own public/private key pair, the client
> will notice that the signature changed. That's the point of the warning
> message.
>
> See http://www.securityfocus.com/infocus/1806
>
> poc
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
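
The host-key check discussed in this thread, as an added example that is not part of the original messages: the colon-separated fingerprint is an MD5 hash over the server's whole public key blob, and the client compares the offered key with the one stored in known_hosts. The key numbers, the sample known_hosts line and the `check_host` helper are constructed for illustration; hashed hostnames and marker lines are not handled.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire format: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """Positive integer as an SSH mpint (leading zero byte if the top bit is set)."""
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def rsa_blob(e: int, n: int) -> bytes:
    """Public key blob as sent by the server and stored (base64) in known_hosts."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 of the whole blob, the format shown in the prompt."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_host(known_hosts: str, host: str, offered: bytes) -> str:
    """Compare the offered key with the stored one: match, changed or unknown."""
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or host not in fields[0].split(","):
            continue
        if fields[1] != "ssh-rsa":
            continue
        stored = base64.b64decode(fields[2])
        return "match" if stored == offered else "changed"
    return "unknown"

# Constructed sample data: these moduli are arbitrary numbers, not real keys.
ROUTER_KEY = rsa_blob(65537, (1 << 2047) + 12345)
OTHER_KEY = rsa_blob(65537, (1 << 2047) + 67891)
KNOWN_HOSTS = "192.168.1.1 ssh-rsa " + base64.b64encode(ROUTER_KEY).decode()

if __name__ == "__main__":
    print("router fingerprint:", md5_fingerprint(ROUTER_KEY))
    print("other fingerprint: ", md5_fingerprint(OTHER_KEY))
    print("router key offered:", check_host(KNOWN_HOSTS, "192.168.1.1", ROUTER_KEY))
    print("other key offered: ", check_host(KNOWN_HOSTS, "192.168.1.1", OTHER_KEY))
```

Offering a copy of the router's public key would also return "match" here; the real client additionally requires the server to sign the key exchange with the matching private key, which this sketch does not model.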