Hi,

I'm using the procedure of http://www.uk.research.att.com/vnc/sshwin.html

When initiating the ssh connection, Stajano suggests against blindly accepting the public key fingerprint presented by the host computer at the far end. He says that you should first physically go to the computer at the far end and get the public key fingerprint written on paper so that you can confirm that you're connecting to the right host rather than a pretender.

This sometimes presents a problem because the host I connect to is not always up. All of a sudden I have to connect to a different host at the far end, one for which I don't have the public key fingerprint. I've telnetted into the host, but then thought better of querying the host for a public key fingerprint, since it would be displayed over an insecure channel. It would totally defeat the purpose of confirming the host's public key fingerprint.

Is this getting overly paranoid? How likely is it that someone would be waiting right there and right then to get the public key fingerprint just to pretend to be the far-end host the next time you connect? Would it be a reasonable risk to query the host for its public key fingerprint over an insecure telnet session, considering that you never have to repeat the query and thus never run the risk again?

Fred
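
The check discussed in the message above, comparing the key a host presents against a fingerprint recorded out of band, sketched as an added example that is not part of the original post. It assumes OpenSSH-style public key lines and the OpenSSH MD5 and SHA256 fingerprint formats; the host name, key bytes and helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def key_blob(pubkey_line):
    """Extract the raw key bytes from an OpenSSH public-key or known_hosts line."""
    for field in pubkey_line.split():
        if field.startswith("AAAA"):  # base64 of the 4-byte length prefix of the key type
            return base64.b64decode(field)
    raise ValueError("no base64 key blob found in line")

def fingerprints(pubkey_line):
    """Return the fingerprint of the key in both OpenSSH display formats."""
    blob = key_blob(pubkey_line)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha,
    }

def matches_trusted(pubkey_line, trusted):
    """True only if the presented key hashes to the fingerprint copied from paper."""
    fps = fingerprints(pubkey_line)
    trusted = trusted.strip()
    if trusted.upper().startswith("MD5:"):
        trusted = trusted[4:]
    if trusted.startswith("SHA256:"):
        expected = fps["sha256"]          # base64 is case-sensitive, compare as-is
    else:
        expected, trusted = fps["md5"], trusted.lower()
    return hmac.compare_digest(expected.encode(), trusted.encode())

# Constructed sample data: two different keys claiming the same (hypothetical) host name.
def make_line(host, key_bytes):
    ktype = b"ssh-ed25519"
    blob = struct.pack(">I", len(ktype)) + ktype
    blob += struct.pack(">I", len(key_bytes)) + key_bytes
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

GENUINE = make_line("backup.example", bytes(range(32)))
IMPOSTOR = make_line("backup.example", bytes(range(1, 33)))
PAPER = fingerprints(GENUINE)["md5"]  # stands in for the value written down at the console

if __name__ == "__main__":
    print("genuine host accepted:", matches_trusted(GENUINE, PAPER))
    print("impostor accepted:", matches_trusted(IMPOSTOR, PAPER))
```

The comparison is only as trustworthy as the channel the reference fingerprint arrived over, which is the concern the message raises about reading it from a telnet session.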