Date: Thu, 22 Mar 2018 14:01:31 -0700
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: Same host or different? How can you tell "over the wire"?
Message-ID: <10556.1521752491@segfault.tristatelogic.com>
In-Reply-To: <201803221856.w2MIuRjH027692@pdx.rh.CN85.dnsmgr.net>
In message <201803221856.w2MIuRjH027692@pdx.rh.CN85.dnsmgr.net>, "Rodney W. Grimes" <freebsd-rwg@pdx.rh.CN85.dnsmgr.net> wrote:

>> Well, as someone else noted, if two IP addresses yield the exact same
>> SSH key, that is fairly definitive.
>
> Wrong, as someone else pointed out that is simply a matter of
> copying the /etc/ssh/*host* key files over to the other host.
> This also happens when people clone machines... so is actually
> more common than one might think.
>
> You can be pretty sure they are different machines, but you
> cannot ascertain they are the same machine with this information.
> You can assert nothing about control with this information.
>
> You can be pretty sure they are under the same control, but
> not provable. Anyone with elevated privilege access to A
> can copy the /etc/ssh/* files to A'.

Your points are, of course, valid. However, in the absence of the scenario where Bad Actor `B' has broken into some machine which is under the control of Bad Actor `A', and where B has then absconded with a copy of A's SSH key (and then used that himself as an SSH key), for my limited purposes, at least, the sighting of two identical SSH keys on two different IP addresses strongly suggests a high likelihood that the two IP addresses are indeed under the control of a single party.

(I should perhaps explain and emphasize that I personally am not by any means a member of law enforcement. I do not have the power to deprive any party of either life or freedom or property. I am thus, quite reasonably, able to accept a level of "proof" which may be quite persuasive, even if it does not rise to the level of "beyond a reasonable doubt". I am just doing security research... not prosecuting anybody.)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?10556.1521752491>
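The comparison the thread is arguing about (do two addresses present the same SSH host key?) is the kind of thing one does over a pile of ssh-keyscan output rather than by eye. The script below is an added example and is not code from either poster or from FreeBSD: it parses ssh-keyscan-style lines, computes the OpenSSH SHA256 fingerprint of each key blob (base64 of sha256 over the raw key bytes, padding stripped), and groups addresses that present a byte-identical key. The sample input is constructed in the code itself, with key blobs that are syntactically valid ssh-ed25519 blobs but contain made-up point bytes rather than real key material, and the IP addresses are from the documentation ranges; nothing here is taken from the thread. As Rodney's reply points out, a match found this way is only evidence of shared key files (cloning, copying, or theft), not proof of a single machine.

```python
"""Group IP addresses by identical SSH host key, from ssh-keyscan output.

Added example; the sample input below is constructed, not captured.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(seed: int) -> str:
    # Constructed key material (not a real key): a syntactically valid
    # ssh-ed25519 public key blob whose 32-byte "point" is derived from seed.
    point = hashlib.sha256(b"constructed-key-%d" % seed).digest()
    blob = ssh_string(b"ssh-ed25519") + ssh_string(point)
    return base64.b64encode(blob).decode()


def fingerprint(b64_blob: str) -> str:
    # OpenSSH "SHA256:" fingerprint: base64(sha256(raw blob)) with '=' stripped.
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    # Yield (host, keytype, base64 blob) for each key line in ssh-keyscan
    # output. Lines starting with '#' are the banner comments ssh-keyscan
    # emits ("# host:22 SSH-2.0-...") when its stderr is saved with stdout.
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2]


def group_by_key(text: str):
    # Map (keytype, fingerprint) -> set of hosts presenting that exact key.
    groups = defaultdict(set)
    for host, keytype, blob in parse_keyscan(text):
        groups[(keytype, fingerprint(blob))].add(host)
    return groups


def shared_key_hosts(text: str):
    # Host sets (sorted, size >= 2) that present a byte-identical host key.
    # A hit means the key files are shared; it does not prove one machine.
    return sorted(sorted(hosts) for hosts in group_by_key(text).values()
                  if len(hosts) > 1)


# Constructed sample: two addresses share key A, a third presents key B.
KEY_A = make_ed25519_blob(1)
KEY_B = make_ed25519_blob(2)
SAMPLE = f"""# 192.0.2.10:22 SSH-2.0-OpenSSH_7.6
192.0.2.10 ssh-ed25519 {KEY_A}
# 192.0.2.11:22 SSH-2.0-OpenSSH_7.6
192.0.2.11 ssh-ed25519 {KEY_A}
# 198.51.100.5:22 SSH-2.0-OpenSSH_7.6
198.51.100.5 ssh-ed25519 {KEY_B}
"""

if __name__ == "__main__":
    for hosts in shared_key_hosts(SAMPLE):
        print("identical host key presented by:", ", ".join(hosts))
```

Against real targets, feed it the saved output of something like `ssh-keyscan -t ed25519,rsa,ecdsa <addr>...`; because the grouping key includes the key type, a host that rotated only its RSA key but kept its ed25519 key will still show up as sharing the ed25519 key with its clone.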