From: David Kelly
To: Lowell Gilbert
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: fingerprint of ssh host public key?
Date: Thu, 04 Jan 2001 18:59:09 -0600
Message-Id: <200101050059.f050x9p24146@grumpy.dyndns.org>
In-reply-to: Message from Lowell Gilbert of "04 Jan 2001 16:34:15 EST." <44pui3f1d4.fsf@lowellg.ne.mediaone.net>

Lowell Gilbert writes:

> I don't know, but I've never used that approach anyway. I *have*
> sometimes used an offline method (floppies) for actually moving the
> public keys from one machine to another, when I wanted to feel safe
> from an impersonation attack.
>
> If you're dealing with a lot of machines, using fingerprints will save
> you a *lot* of time.

I didn't go into quite enough detail as to what opened the old wound of wondering where/how to get that fingerprint. What happened is I have a firewall rule allowing a friend to ssh into a system. The log showed attempts to ssh from an unknown IP address. I connected via ssh to that unknown address, which of course was not in known_hosts, so a fingerprint was displayed asking for acceptance. While I have a trusted copy of his public key, without being able to extract the fingerprint there was no way of comparing this one to that one.
Later confirmed his ISP had expired the DHCP lease and issued a new address rather than the old. Was not about to type *my* username and password for his machine on an unknown system. Ssh or not.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
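The gap the post describes, turning a trusted copy of a public key into a fingerprint that can be compared with the one ssh displays on first connection, is what `ssh-keygen -l -f <keyfile>` does in OpenSSH (with `-E md5` selecting the older colon-separated hash form). The Python below is an added example, not part of the original post or of OpenSSH: it parses an OpenSSH public-key line, computes both the MD5 colon fingerprint of the era and the modern `SHA256:` form, refuses a line whose declared key type disagrees with the type embedded in the key blob (a sign of a mangled or edited file), and compares a trusted fingerprint with a displayed one. The sample key line, its placeholder key material, the `friend@example.invalid` comment and all function names are constructed for this example.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string at `offset`; return (bytes, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string field")
    return blob[start:end], end


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 of the raw key blob, the format ssh printed in 2001."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Modern OpenSSH form: 'SHA256:' plus unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_public_key(line: str) -> dict:
    """Parse one '<type> <base64 blob> [comment]' line and return its key type,
    both fingerprints and the comment. Raises ValueError on malformed input or
    when the declared type differs from the type stored inside the blob."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"bad base64 in key blob: {exc}") from None
    # Every OpenSSH key blob begins with its own type string, so the line's
    # declared type must agree with it.
    embedded_type, _ = read_ssh_string(blob, 0)
    if embedded_type != declared_type.encode():
        raise ValueError(
            f"declared type {declared_type!r} but blob says {embedded_type!r}")
    return {
        "type": declared_type,
        "md5": md5_fingerprint(blob),
        "sha256": sha256_fingerprint(blob),
        "comment": comment,
    }


def fingerprint_matches(trusted: str, shown: str) -> bool:
    """Compare the fingerprint derived from a trusted key copy with the one ssh
    displayed. MD5 fingerprints are compared case-insensitively and with any
    'MD5:' prefix removed; SHA256 fingerprints are base64 and compared as-is."""
    def canon(fp: str) -> str:
        fp = fp.strip()
        if fp.upper().startswith("MD5:"):
            fp = fp[4:]
        return fp if fp.startswith("SHA256:") else fp.lower()
    return canon(trusted) == canon(shown)


# Constructed sample: a syntactically valid ssh-ed25519 blob whose 32 bytes of
# key material are a placeholder pattern, not a real key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
               + " friend@example.invalid")


if __name__ == "__main__":
    info = fingerprint_public_key(SAMPLE_LINE)
    print(f"{info['type']} {info['comment']}")
    print("MD5    ", info["md5"])
    print("SHA256 ", info["sha256"])
    # The comparison a cautious operator would make before answering "yes"
    # to ssh's host-key prompt: paste what ssh displayed as the second argument.
    print(fingerprint_matches(info["md5"], "MD5:" + info["md5"].upper()))
```

Run the script against a real key by replacing `SAMPLE_LINE` with a line from a trusted `id_ed25519.pub` or `ssh_host_*_key.pub` copy; the MD5 output should equal what `ssh-keygen -l -E md5 -f` prints for the same file, and the SHA256 output what `ssh-keygen -l -f` prints.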