On 13/02/14 07:07, Dan Purgert wrote:
> On 12/02/2014 13:30, Paul E Condon wrote:
>> On 20140212_200320, Lars Noodén wrote:
>>> On 02/12/2014 07:34 PM, Paul E Condon wrote:
>>>> ...
>>>> Question: Suppose I encounter this situation of the 'known host' having
>>>> moved to a different IP address (or a different URL?), is there a way
>>>> to discover whether the change is due to a properly functioning DynDNS,
>>>> or to a somewhat unstealthy man-in-the-middle operation? ...
>>>
>>> [...]
>>>
>>> A changing IP leads to filling known_hosts with lots of entries, which
>>> is what Zenaan's original question was about. After the first entry for
>>
>> ^^^^^^^^^^^^^^^^^
>>
>> Yes, but I asked an OT question. The key in the known_hosts file is surely
>> not a private key of the host. Rather it is a key that the host
>> publishes to identify itself to all incoming traffic. What keeps a
>> good person, like a well-meaning employee of the NSA, from making a
>> copy of the published key and using the copy to spoof the site, in
>> order to check up on the legitimacy of the use of the ssh connection?
>>
>
> The Host ID is based off the SSH private key left on that machine. So
> the only way for your friendly neighborhood NSA agent to generate a
> duplicate host ID is for them to have a copy of your server's private key.

1++

>
> -Dan
>

And if the person/company running the host is halfway competent they'll
have implemented DNSSEC - so even a stolen SSH keypair won't enable them to
impersonate the host - *if* you check DNSSEC.

NOTE: that like electronic mail signatures, most businesses don't bother
to implement DNSSEC, and most clients don't check - but it's something to
bear in mind.

Kind regards

-- 
Archive: http://lists.debian.org/52fc0460.7000...@gmail.com
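Added example for the two points argued above (that the key in known_hosts is the host's public key, and that an SSHFP record in DNS is a second, independent copy of the same fingerprint that a client can cross-check). It is not code from this thread or from OpenSSH; it reimplements, in the standard library only, the derivations that `ssh-keygen -lf` (SHA256 fingerprint) and `ssh-keygen -r` (SSHFP RDATA) perform on a public key, and then checks a known_hosts file against a DNS record. The host names, addresses, key bytes and the known_hosts contents are constructed for the example and belong to no real host. What the block deliberately does not do is the handshake signature check: possessing the public blob (or its fingerprint) lets anyone reproduce every value below, which is exactly why copying known_hosts is harmless; only the private key can produce the signature the client verifies during the exchange.

```python
"""Derive SSH host-key fingerprints and SSHFP records from known_hosts entries.

Added example (not from the thread). The fingerprint `ssh-keygen -lf` prints,
the SSHFP RDATA `ssh-keygen -r` emits, and the key stored in known_hosts are
all functions of the same public key blob; this shows how a client could
cross-check one against the other. All data below is constructed.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) for OpenSSH key types
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE_SHA256 = 2  # fingerprint type 2 = SHA-256 (type 1 = SHA-1)


def _wire_string(b):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_public_key_line(raw_key):
    """Text form 'ssh-ed25519 <base64 blob>' of a 32-byte Ed25519 public key."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _wire_string(b"ssh-ed25519") + _wire_string(raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def parse_public_key(text):
    """Return (keytype, blob) from 'keytype base64 [comment]'; checks the embedded type name."""
    keytype, b64 = text.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in text does not match the encoded blob")
    return keytype, blob


def fingerprint_sha256(blob):
    """Same format as `ssh-keygen -lf`: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_rdata(public_key_text):
    """RDATA of the SHA-256 SSHFP record `ssh-keygen -r` would emit for this key."""
    keytype, blob = parse_public_key(public_key_text)
    return f"{SSHFP_ALGORITHM[keytype]} {SSHFP_FPTYPE_SHA256} {hashlib.sha256(blob).hexdigest()}"


def parse_known_hosts(text):
    """Map each plain (unhashed) host name or IP to the public keys recorded for it."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # comments and @cert-authority/@revoked markers are out of scope
        hosts, keytype, b64 = line.split()[:3]
        if hosts.startswith("|1|"):
            continue  # HashKnownHosts entries need the salt to match; out of scope
        for host in hosts.split(","):
            entries.setdefault(host, []).append(f"{keytype} {b64}")
    return entries


def known_host_matches_sshfp(host, known_hosts_text, rdata):
    """True if a key recorded for `host` hashes to the fingerprint in the SSHFP RDATA."""
    alg, fptype, hexdigest = rdata.split()
    if int(fptype) != SSHFP_FPTYPE_SHA256:
        return False  # only the SHA-256 fingerprint type is handled here
    for key_text in parse_known_hosts(known_hosts_text).get(host, []):
        keytype, blob = parse_public_key(key_text)
        if SSHFP_ALGORITHM.get(keytype) == int(alg) and \
                hashlib.sha256(blob).hexdigest() == hexdigest.lower():
            return True
    return False


# --- constructed sample data: no real host, key bytes chosen for the example ---
GENUINE_KEY = ed25519_public_key_line(bytes(range(32)))
SPOOFED_KEY = ed25519_public_key_line(bytes(range(32, 64)))
KNOWN_HOSTS = (
    "# entries accumulate as a DynDNS host changes address\n"
    f"bastion.example,203.0.113.10 {GENUINE_KEY}\n"
    f"bastion.example,203.0.113.11 {GENUINE_KEY}\n"
    f"203.0.113.12 {SPOOFED_KEY}\n"
)
DNS_RECORD = sshfp_rdata(GENUINE_KEY)  # what the admin publishes in a DNSSEC-signed zone

if __name__ == "__main__":
    print("fingerprint:", fingerprint_sha256(parse_public_key(GENUINE_KEY)[1]))
    print("bastion.example. IN SSHFP", DNS_RECORD)
    print("known_hosts vs SSHFP:", known_host_matches_sshfp("bastion.example", KNOWN_HOSTS, DNS_RECORD))
    print("spoofed key vs SSHFP:", known_host_matches_sshfp("203.0.113.12", KNOWN_HOSTS, DNS_RECORD))
```

In real use the comparison is done by OpenSSH itself: `VerifyHostKeyDNS yes` in ssh_config makes the client fetch the SSHFP record and trust a matching key without prompting only when the resolver reports the answer as DNSSEC-validated; an unvalidated answer is treated as if the option were `ask`. So the record only adds assurance against the stale-IP-versus-MITM question raised above when the zone is signed and the client's resolver validates.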