Date: Mon, 25 Jun 2012 22:13:00 -0400 From: Garrett Wollman <wollman@bimajority.org> To: Doug Barton <dougb@freebsd.org> Cc: freebsd-security@freebsd.org Subject: Re: Hardware potential to duplicate existing host keys... RSA DSA ECDSA was Add rc.conf variables... Message-ID: <20457.6828.250844.390589@hergotha.csail.mit.edu> In-Reply-To: <4FE916AA.6050503@FreeBSD.org> References: <CA%2BQLa9A4gdgPEn3YBpExTG05e4mqbgxr2kJ16BQ27OSozVmmwQ@mail.gmail.com> <86zk7sxvc3.fsf@ds4.des.no> <CA%2BQLa9Dyu96AxmCNLcU8n5R21aTH6dStDT004iA516EH=jTkvQ@mail.gmail.com> <20120625023104.2a0c7627@gumby.homeunix.com> <86pq8nxtjp.fsf@ds4.des.no> <20120625223807.4dbeb91d@gumby.homeunix.com> <4FE8DF29.50406@FreeBSD.org> <20120625235310.3eed966e@gumby.homeunix.com> <4FE8F814.5020906@FreeBSD.org> <20120626015323.02b7f348@gumby.homeunix.com> <4FE9094A.4080605@FreeBSD.org> <20120626024624.4c333bd2@gumby.homeunix.com> <4FE916AA.6050503@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
<<On Mon, 25 Jun 2012 18:55:54 -0700, Doug Barton <dougb@freebsd.org> said: > Right. That's what Dag-Erling and I have been saying all along. If you > have the private host key you can impersonate the server. That's not a > MITM attack. That's impersonating the server. If you can impersonate an ssh server, you can also do MitM, if the client isn't using an authentication mechanism that is securely tied to the ephemeral DH key protecting the session. Not clear that this makes any difference in practice. -GAWollman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20457.6828.250844.390589>