[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[no subject]

Bob Toxen wrote:

>On Sat, Oct 23, 2004 at 07:26:17PM -0400, Jim Popovitch wrote:
>  
>
>>I believe the man-in-middle message is derived from accessing a server
>>that has a different server key cached in ~/.ssh/known_hosts.  You
>>should be able access the same box by multiple names/IPs without getting
>>that notice.  I suspect that you are reusing a host name from one box on
>>anther box and that your known_hosts file still has an entry from old
>>host.
>>    
>>
>Yes, the warning about the MITM is if the known_hosts host key is different.
>However, SSH is too stupid to correlate with the IP rather than the one of
>many names used to derive the IP -- OR --- maybe they are trying to cope
>with dynamic IP, in which case their scheme does work.  If the latter, it
>was a poor design choice as it's rare that a server has a dynamic IP.
>
>I too find this annoying.
>
>Bob Toxen
>bob at verysecurelinux.com               [Please use for email to me]
&gt;<a  rel="nofollow" href="http://www.verysecurelinux.com";>http://www.verysecurelinux.com</a>        [Network&amp;Linux/Unix security consulting]
&gt;<a  rel="nofollow" href="http://www.realworldlinuxsecurity.com";>http://www.realworldlinuxsecurity.com</a> [My book:&quot;Real World Linux Security 2/e&quot;]
&gt;Quality Linux &amp; UNIX security and SysAdmin &amp; software consulting since 1990.
&gt;
&gt;&quot;Microsoft: Unsafe at any clock speed!&quot;
&gt;   -- Bob Toxen 10/03/2002
&gt;
&gt;  
&gt;
&gt;&gt;-Jim P.
&gt;&gt;    
&gt;&gt;
&gt;
&gt;  
&gt;
&gt;&gt;On Sat, 2004-10-23 at 16:44 -0400, David Corbin wrote:
&gt;&gt;    
&gt;&gt;
&gt;&gt;&gt;If I ever reference a host on a ssh command by an alternate name, it &quot;fails&quot; 
&gt;&gt;&gt;with a message warning about the possibility of a man in the middle attack.  
&gt;&gt;&gt;Is there any way to tell ssh to not pester me about this, or to list several 
&gt;&gt;&gt;hostnames for the same RSA key?
&gt;&gt;&gt;
&gt;&gt;&gt;david
&gt;&gt;&gt;      
&gt;&gt;&gt;
&gt;_______________________________________________
&gt;Ale mailing list
&gt;Ale at ale.org
&gt;<a  rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
&gt;
&gt;  
&gt;


</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00879" href="msg00879.html">[ale] ssh - no spoofing check</a></strong>
<ul><li><em>From:</em> bob at verysecurelinux.com (Bob Toxen)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00841" href="msg00841.html">[ale] ssh - no spoofing check</a></strong>
<ul><li><em>From:</em> dcorbin at machturtle.com (David Corbin)</li></ul></li>
<li><strong><a name="00845" href="msg00845.html">[ale] ssh - no spoofing check</a></strong>
<ul><li><em>From:</em> jimpop at yahoo.com (Jim Popovitch)</li></ul></li>
<li><strong><a name="00871" href="msg00871.html">[ale] ssh - no spoofing check</a></strong>
<ul><li><em>From:</em> bob at verysecurelinux.com (Bob Toxen)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00875.html">[ale] Fedora</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00877.html">[ale] Fedora</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00871.html">[ale] ssh - no spoofing check</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00879.html">[ale] ssh - no spoofing check</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00876"><strong>Date</strong></a></li>
<li><a href="threads.html#00876"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>