Date:      Thu, 22 Mar 2018 14:01:31 -0700
From:      "Ronald F. Guilmette" <rfg@tristatelogic.com>
To:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: Same host or different? How can you tell "over the wire"?
Message-ID:  <10556.1521752491@segfault.tristatelogic.com>
In-Reply-To: <201803221856.w2MIuRjH027692@pdx.rh.CN85.dnsmgr.net>


In message <201803221856.w2MIuRjH027692@pdx.rh.CN85.dnsmgr.net>, 
"Rodney W. Grimes" <freebsd-rwg@pdx.rh.CN85.dnsmgr.net> wrote:

>> Well, as someone else noted, if two IP addresses yield the exact same
>> SSH key, that is fairly definitive.
>
>Wrong, as someone else pointed out that is simply a matter of
>copying the /etc/ssh/*host* key files over to the other host.
>This also happens when people clone machines... so is actually
>more common than one might think.
>
>You can be pretty sure they are different machines, but you
>can not ascertain they are the same machine with this information.
>You can assert nothing about control with this information.
>
>You can be pretty sure they are under the same control, but
>not provable.  Anyone with elevated privilege access to A
>can copy the /etc/ssh/* files to A'.

Your points are, of course, valid.  However in the absence of the
scenario where Bad Actor `B' has broken into some machine which
is under the control of Bad Actor `A', and where B has then absconded
with a copy of A's SSH key (and then used that himself as an SSH key),
for my limited purposes, at least, the sighting of two identical
SSH keys on two different IP addresses strongly suggests a high
likelihood that the two IP addresses are indeed under the control of
a single party.

(I should perhaps explain and emphasize that I personally am not by
any means a member of law enforcement.   I do not have the power to
deprive any party of either life or freedom or property.  I am thus
quite reasonably able to accept a level of "proof" which may be quite
persuasive, even if it does not rise to the level of "beyond a
reasonable doubt".  I am just doing security research... not prosecuting
anybody.)
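The heuristic argued over in this thread, as an added example that is not part of the original message or of FreeBSD: group hosts by SSH host-key fingerprint from ssh-keyscan(1)-style output and report which IPs present the same key. The key blobs and addresses below are constructed (TEST-NET ranges), and, as the replies above note, a shared key only flags candidates for common control, it does not prove a single machine.

```python
import base64
import hashlib
from collections import defaultdict


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def fake_ed25519_blob(seed: bytes) -> bytes:
    # Constructed public-key blob with the same layout as a real ed25519 key
    # (string "ssh-ed25519", string <32 bytes>); the 32 bytes are derived from a seed.
    return ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(keyblob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def group_by_host_key(lines):
    """Map (keytype, fingerprint) -> set of hosts, from '<host> <keytype> <base64>' lines."""
    groups = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):  # ssh-keyscan -v banner lines start with '#'
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, key = parts[0], parts[1], parts[2]
        groups[(keytype, fingerprint(key))].add(host)
    return groups


def shared_key_clusters(lines):
    """Host sets that present an identical host key: candidates for common control only."""
    return [sorted(hosts) for hosts in group_by_host_key(lines).values() if len(hosts) > 1]


# Constructed sample in ssh-keyscan output format; 192.0.2.10 and 198.51.100.7 share KEY_A.
KEY_A = base64.b64encode(fake_ed25519_blob(b"constructed key A")).decode()
KEY_B = base64.b64encode(fake_ed25519_blob(b"constructed key B")).decode()
SCAN_OUTPUT = "\n".join([
    "# 192.0.2.10:22 SSH-2.0-OpenSSH_7.5",
    f"192.0.2.10 ssh-ed25519 {KEY_A}",
    f"198.51.100.7 ssh-ed25519 {KEY_A}",
    f"203.0.113.3 ssh-ed25519 {KEY_B}",
])

if __name__ == "__main__":
    for hosts in shared_key_clusters(SCAN_OUTPUT.splitlines()):
        print("same host key presented by:", ", ".join(hosts))
```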