On Wed, Feb 27, 2002 at 12:14:21PM -0500, fred (Please remove 1st F from my email) wrote: > > This sometimes presents a problem because > the host I connect to is not always up. All of a > sudden I have to connect to different host at > the far end, one for which I don't have the > public key fingerprint. I've telnetted into the > host, but then thought better of querying the > host for a public key fingerprint, since it would > be displayed over an insecure channel. It > would totally defeat the purpose of confirming > the host's public key fingerprint.
The fingerprint is simply a human readable hash of the SSH server's public key. There is nothing wrong with letting people see the fingerprint. You can put it on billboards, business cards, or web pages. The problem with sending it over a telnet session is that it could be easily tampered with on its way to you. Then you're just as vulnerable to a man-in-the-middle attack as you would be by blindly accepting the public key with no fingerprint verification. However, if you are using telnet to get to the remote host in the first place, then you are opening yourself up to worse problems. Telnet is about the least secure protocol on the planet. Not only is the session data sent in the clear, but so is the authentication data. If you want secure network connectivity then only use SSH and turn off telnet completely. As long as you are using telnet, then encrypting your VNC sessions is probably pretty pointless. > Is this getting overly paranoid? How likely is > it that someone would be waiting right there > and right then to get the public key fingerprint > just to pretend to be the far-end host the next > time you connect? There is a well known SSH man-in-the-middle exploit that is in common use. If security is a big enough concern for you to even be thinking about this kind of attack, then you should do what you can to protect yourself. Keep a copy of fingerprints for every single host you might ever connect to, or find some reliable means to access them remotely (e.g. post them on a web page on an SSL encrypted server, or ask a trusted person to read them to you over the telephone). You don't need to be concerned with keeping the public keys or fingerprints secret (that's why they're called public), but you do need to be concerned with their integrity. > Would it be a reasonable > risk to query the host for its public key fingerprint > over an insecure telnet session, considering that > you never have to repeat the query and thus > never run the risk again? The risk that someone will be ready and waiting to make a coordinated attack which tampers with the fingerprint in your telnet session and then intercepts the SSH connection is very low unless there is someone you suspect would try it against you. But after the attack succeeds just once, every SSH session to that host is wide open from that point until you change the host key (something people don't tend to do very often). Plus, once the attacker can sniff your unencrypted session, other doors will probably open up. Oops. I just noticed that Illtud Daniel already offered a good response. Oh well, this stuff is worth repeating, I guess. :-) -- Mike Ossmann, Tarantella/UNIX Engineer/Instructor Alternative Technology, Inc. http://www.alttech.com/ --------------------------------------------------------------------- To unsubscribe, mail [EMAIL PROTECTED] with the line: 'unsubscribe vnc-list' in the message BODY See also: http://www.uk.research.att.com/vnc/intouch.html ---------------------------------------------------------------------
