On 2015-12-09 15:18:44 +0000, Colin Watson wrote:
> On Wed, Dec 09, 2015 at 10:06:32AM +0100, Vincent Lefevre wrote:
> > This is from an SSH server for Android (and the user doesn't seem
> > to have a choice for the type of the host key).
>
> Please report this to the maintainers of that server. In the meantime
> you'll have to use legacy options.

I've just sent them a mail.

> > > This is unrelated to host key checking or IP checking. It's about the
> > > type of underlying crypto being used to secure the connection.
> >
> > According to what is documented, this appears to be related to
> > host key checking: the error message is "no matching *host key*
> > type found" and the option name is HostKeyAlgorithms. In what
> > way could it be insecure in the case where the user doesn't have
> > the key in the ~/.ssh/known_hosts file?
>
> Weak host keys make it easier to conduct man-in-the-middle attacks.

My point is that with StrictHostKeyChecking = no and no keys for the host
in ~/.ssh/known_hosts, there is no host authentication, so that a
man-in-the-middle attack is already possible, even if the server provides
a strong key. Thus whether a weak host key is provided by the server or
not in this case shouldn't matter.

--
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
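The two configurations the thread contrasts, written out as an added ssh_config example (not from either poster): the global StrictHostKeyChecking=no that removes host authentication, beside a Host-scoped "legacy option" that keeps strict checking. The host alias, the address and the +ssh-dss key type are assumptions; the thread does not name the server's key type.

```ssh_config
# Added example, not from the thread. Hostnames, address and key type are
# placeholders; substitute whatever the Android server actually offers.

# Risky: with no entry for the host in ~/.ssh/known_hosts, this accepts
# whatever key the peer presents on first contact, so there is no host
# authentication regardless of how strong that key is.
Host *
    StrictHostKeyChecking no

# Preferable: re-enable the old host key type only for the one server
# (the "+" form appends to the default list instead of replacing it),
# keep strict checking, and pre-populate known_hosts from a fingerprint
# verified out of band, e.g. read off the device's own screen.
Host android-phone
    HostName 192.0.2.10          # documentation address, placeholder
    HostKeyAlgorithms +ssh-dss   # assumed key type
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts
```

With the second block, a host whose key is absent from known_hosts is refused rather than silently trusted, so a man-in-the-middle on the first connection is detected instead of accepted.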