spoof rsa fingerprint
Patrick O'Callaghan
pocallaghan at gmail.com
Tue Nov 17 12:53:30 UTC 2009
On Tue, 2009-11-17 at 00:55 -0800, Gordon Messmer wrote:
> On 11/15/2009 05:08 AM, Patrick O'Callaghan wrote:
> >
> > Did you read the URL I posted? It's a tutorial with very explicit
> > information. If you understand how public-key crypto works, you'll
> > realize that spoofing the fingerprint doesn't help the attacker.
> >
>
> In the scenario that the OP hypothesized, yes, spoofing the fingerprint
> would help the attacker. A user who attempted to ssh to the router
> would not be warned that the host had changed and would submit their
> password to a rogue host.
It's my understanding that the password would still be sent over an
encrypted channel (using the original host's public key), so I don't see
the problem.
poc
More information about the users
mailing list