Date: Thu, 04 Jan 2001 18:59:09 -0600
From: David Kelly <dkelly@hiwaay.net>
To: Lowell Gilbert <lowell@world.std.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: fingerprint of ssh host pubic key?
Message-ID: <200101050059.f050x9p24146@grumpy.dyndns.org>
In-Reply-To: Message from Lowell Gilbert <lowell@world.std.com> of "04 Jan 2001 16:34:15 EST." <44pui3f1d4.fsf@lowellg.ne.mediaone.net>

Lowell Gilbert writes:
>
> I don't know, but I've never used that approach anyway. I *have*
> sometimes used an offline method (floppies) for actually moving the
> public keys from one machine to another, when I wanted to feel safe
> from an impersonation attack.
>
> If you're dealing with a lot of machines, using fingerprints will save
> you a *lot* of time.

I didn't go into quite enough detail as to what opened the old wound of wondering where/how to get that fingerprint.

What happened is I have a firewall rule allowing a friend to ssh into a system. Log showed attempts to ssh from an unknown IP address. I connected via ssh to that unknown address, which of course was not in known-hosts, so a fingerprint was displayed asking for acceptance. While I have a trusted copy of his public key, without being able to extract the fingerprint there was no way of comparing this one to that one.

Later confirmed his ISP had expired the DHCP lease and issued a new address rather than the old.

Was not about to type *my* username and password for his machine on an unknown system. Ssh or not.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
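
The comparison described in the message above, as an added example that is not part of the original e-mail: derive the fingerprint from a trusted copy of a public key and check it against the one ssh displays. It assumes the key is in OpenSSH's one-line `<type> <base64> [comment]` public key format; the function names are hypothetical and both sample keys are constructed.

```python
import base64
import hashlib
import hmac
import struct

def parse_pubkey_line(line):
    """Split an OpenSSH '<type> <base64> [comment]' line into (type, blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob opens with a length-prefixed copy of the key type; a mismatch
    # means the trusted copy was truncated or edited.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob

def fingerprint_sha256(blob):
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_md5(blob):
    hexd = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))

def matches_trusted_key(trusted_line, displayed):
    """True if the fingerprint ssh displayed belongs to the trusted key."""
    _, blob = parse_pubkey_line(trusted_line)
    shown = displayed.strip()
    if shown.startswith("SHA256:"):
        expected = fingerprint_sha256(blob)
    else:  # colon-separated hex, with or without an "MD5:" prefix
        expected = fingerprint_md5(blob)
        if not shown.upper().startswith("MD5:"):
            shown = "MD5:" + shown
        shown = "MD5:" + shown[4:].lower()
    return hmac.compare_digest(expected.encode(), shown.encode())

def _constructed_line(raw32, comment):
    # Constructed sample data: an ssh-ed25519 blob around made-up key bytes.
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw32)) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

FRIEND_KEY = _constructed_line(bytes(range(32)), "friend@example")   # trusted copy
OTHER_KEY = _constructed_line(bytes(32), "unknown@example")          # some other host

if __name__ == "__main__":
    shown = fingerprint_sha256(parse_pubkey_line(OTHER_KEY)[1])
    print(shown, "matches trusted key:", matches_trusted_key(FRIEND_KEY, shown))
```

Current OpenSSH prints the same fingerprint for a public key file with `ssh-keygen -l -f <file>`.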
