On 06/25/2012 19:13, Garrett Wollman wrote:
> <<On Mon, 25 Jun 2012 18:55:54 -0700, Doug Barton <[email protected]> said:
>
>> Right. That's what Dag-Erling and I have been saying all along. If you
>> have the private host key you can impersonate the server. That's not a
>> MITM attack. That's impersonating the server.
>
> If you can impersonate an ssh server, you can also do MitM, if the
> client isn't using an authentication mechanism that is securely tied
> to the ephemeral DH key protecting the session. Not clear that this
> makes any difference in practice.
If you're impersonating the server you already have the traffic,
whatever else you can do for *that session* is an implementation detail.
For the zillionth time, my point is that being able to impersonate the
server is not going to get you anywhere for sessions *other* than the
ones that terminate at your fake-but-has-the-private-key host.
If anyone believes otherwise, please post how it can be done, in detail.
Otherwise please let this thread die.
Doug
--
This .signature sanitized for your protection
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
