Re: spoof rsa fingerprint

On Sun, 2009-11-15 at 02:32 -0800, Eugeneapolinary Ju wrote:
> so the attacker can't generate a spoofed fingerprint like the one used
> on the server? even when using only password authentication?

[Please don't top-post on this list. See the Guidelines]

Did you read the URL I posted? It's a tutorial with very explicit
information. If you understand how public-key crypto works, you'll
realize that spoofing the fingerprint doesn't help the attacker.

Also, password-only authentication only happens *after* the secure
channel is established. See the ssh(1) manpage:

        Finally, if other authentication methods fail, ssh prompts the
        user for a password.  The password is sent to the remote host for
        checking; however, since all communications are encrypted, the
        password cannot be seen by someone listening on the network.

All this assumes that the client and server have had a previous
communication where they set up their keys, which is why in the scenario
you asked about ssh checks the fingerprint. Obviously if the server has
never had such a previous communication, it has no way of genuinely
authenticating the client within the session, so the user either has to
assume everything is OK the first time, or use an out-of-band channel
such as a physical file copy to establish the keys on either side.

poc

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
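
Added example, not part of the original post: a toy model of the host-key check discussed above, showing that a fingerprint is only a hash of the public key and that presenting the right fingerprint is useless without the matching private key. It assumes textbook RSA with tiny constructed primes, a hypothetical `toy-rsa` key encoding and a made-up session identifier standing in for the data the server signs; real SSH uses proper key formats and padded signatures.

```python
import hashlib

def make_key(p, q, e=65537):
    # Textbook RSA from two primes: toy stand-in for a real host key
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def public_blob(key):
    # Hypothetical encoding of the public half (not the real ssh-rsa wire format)
    return f"toy-rsa:{key['e']}:{key['n']}".encode()

def fingerprint(blob):
    # A fingerprint is a hash of the public key; MD5 hex pairs were the 2009 display
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def digest_int(session_id, n):
    return int.from_bytes(hashlib.sha256(session_id).digest(), "big") % n

def sign(key, session_id):
    # Requires the private exponent d, which never leaves the server
    return pow(digest_int(session_id, key["n"]), key["d"], key["n"])

def client_check(known_fp, offered_blob, session_id, signature):
    # Step 1: the offered public key must hash to the fingerprint stored earlier
    if fingerprint(offered_blob) != known_fp:
        return "fingerprint mismatch"
    # Step 2: the peer must prove it holds the private key for that public key
    _, e, n = offered_blob.decode().split(":")
    if pow(signature, int(e), int(n)) != digest_int(session_id, int(n)):
        return "bad signature"
    return "ok"

# Constructed sample keys (Mersenne primes, far too small for real use)
HOST = make_key(2**31 - 1, 2**61 - 1)
ATTACKER = make_key(2**19 - 1, 2**89 - 1)
KNOWN_FP = fingerprint(public_blob(HOST))   # what the client stored earlier
SESSION = b"constructed-session-id"

def scenarios():
    own = sign(ATTACKER, SESSION)
    return {
        "real server": client_check(KNOWN_FP, public_blob(HOST), SESSION, sign(HOST, SESSION)),
        "attacker, own key": client_check(KNOWN_FP, public_blob(ATTACKER), SESSION, own),
        "attacker, copied public key": client_check(KNOWN_FP, public_blob(HOST), SESSION, own),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```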
