Re: spoof rsa fingerprint

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Gordon Messmer wrote:
> On 11/17/2009 04:53 AM, Patrick O'Callaghan wrote:
>>
>> It's my understanding that the password would still be sent over an
>> encrypted channel (using the original host's public key), so I don't see
>> the problem.
>>    
> 
> There is no original host in the hypothesized scenario.  There's an
> attacker whose public key has a fingerprint that matches the original
> host.  The victim connects to the attacker instead of the original
> host.  Since the original host isn't involved, the original host's key
> won't be either.
> 
> However, as previously stated, this is extraordinarily difficult by design.
> 
From the original post:

> what happens, if someone turns off my router, then installs a pc
> with ip 192.168.1.1?
>
> And! - it spoofs _the same rsa fingerprint_, that was on my
> router.

I think what the OP was missing was that the fingerprint being sent
is telling you what public key to use. If you already have that key,
then the replacement machine is out of luck unless it also has the
matching private key.

Now, if the fingerprint sent does not match a public key in
known_hosts, and the host is not known, you will be asked to accept
the public key. But if the host is known, and the fingerprint does
not match, you will be warned about a possible man-in-the-middle
attach, and will have to authorize the connection.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux