From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: Same host or different? How can you tell "over the wire"?
In-Reply-To: <201803221856.w2MIuRjH027692@pdx.rh.CN85.dnsmgr.net>
Date: Thu, 22 Mar 2018 14:01:31 -0700
Message-ID: <10556.1521752491@segfault.tristatelogic.com>
List-Id: Networking and TCP/IP with FreeBSD

In message <201803221856.w2MIuRjH027692@pdx.rh.CN85.dnsmgr.net>,
"Rodney W. Grimes" wrote:

>> Well, as someone else noted, if two IP addresses yield the exact same
>> SSH key, that is fairly definitive.
>
>Wrong, as someone else pointed out that is simply a matter of
>copying the /etc/ssh/*host* key files over to the other host.
>This also happens when people clone machines... so is actually
>more common than one might think.
>
>You can be pretty sure they are different machines, but you
>can not ascertain they are the same machine with this information.
>You can assert nothing about control with this information.
>
>You can be pretty sure they are under the same control, but
>not provable. Anyone with elevated privilege access to A
>can copy the /etc/ssh/* files to A'.

Your points are, of course, valid. However, in the absence of the scenario where Bad Actor `B' has broken into some machine which is under the control of Bad Actor `A', and where B has then absconded with a copy of A's SSH key (and then used that himself as an SSH key), for my limited purposes, at least, the sighting of two identical SSH keys on two different IP addresses strongly suggests a high likelihood that the two IP addresses are indeed under the control of a single party.

(I should perhaps explain and emphasize that I personally am not by any means a member of law enforcement. I do not have the power to deprive any party of either life or freedom or property. I am thus quite reasonably able to accept a level of "proof" which may be quite persuasive, even if it does not rise to the level of "beyond a reasonable doubt". I am just doing security research... not prosecuting anybody.)
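As an added illustration (not part of the original e-mail or of FreeBSD), the check being debated above in code: group `ssh-keyscan`-style output by OpenSSH SHA256 host-key fingerprint and report hosts that present the same key. The caveat from the quoted reply holds for the result: a shared fingerprint shows shared key material (cloned images or copied /etc/ssh host key files), not that two addresses are one machine. The sample lines, addresses (documentation ranges) and key blobs are constructed, not real keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed ssh-keyscan style output: "<host> <key-type> <base64 blob>".
# The blobs are placeholders shaped like ed25519 keys, not real keys.
SAMPLE_KEYSCAN = """\
# 192.0.2.10:22 SSH-2.0-OpenSSH_7.5
192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHhvc3RrZXktYmxvYi1vbmU=
# 192.0.2.11:22 SSH-2.0-OpenSSH_7.5
192.0.2.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHhvc3RrZXktYmxvYi1vbmU=
# 203.0.113.7:22 SSH-2.0-OpenSSH_7.5
203.0.113.7 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHhvc3RrZXktYmxvYi10d28=
"""


def openssh_fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: sha256 over the
    decoded key blob, base64-encoded with the '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> list[tuple[str, str, str]]:
    """Return (host, key_type, fingerprint) for each key line, skipping the
    '# host:port banner' comment lines ssh-keyscan emits."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, key_type, blob = line.split()[:3]
        rows.append((host, key_type, openssh_fingerprint(blob)))
    return rows


def hosts_sharing_keys(text: str) -> dict[str, list[str]]:
    """Map every fingerprint seen on more than one host to those hosts.
    Duplicates mean shared key files (cloned VM image, copied keys), which
    is a hygiene finding for a fleet; they do not prove a single machine."""
    by_fp: dict[str, list[str]] = defaultdict(list)
    for host, _key_type, fp in parse_keyscan(text):
        by_fp[fp].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in hosts_sharing_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by {', '.join(hosts)}")
```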