On Tue, 2009-11-17 at 08:33 -0800, Gordon Messmer wrote: > On 11/17/2009 04:53 AM, Patrick O'Callaghan wrote: > > > > It's my understanding that the password would still be sent over an > > encrypted channel (using the original host's public key), so I don't see > > the problem. > > > > There is no original host in the hypothesized scenario. There's an > attacker whose public key has a fingerprint that matches the original > host. The victim connects to the attacker instead of the original > host. Since the original host isn't involved, the original host's key > won't be either. No, the OP's scenario is that there *was* an original host, which presumably set up the key pair and established a fingerprint. That's the assumption behind everything I've been saying. poc -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines