On Mon, 30 Jan 2017 09:55:29 -0600, Kirk Wolf wrote:

>With SSH host authentication, the ssh server has the private key and you
>need to get the matching public key into your known_hosts or
>/etc/ssh/ssh_known_hosts
>
>The ssh-keyscan returns the public key(s).
>This public key should be obtained or verified independently on untrusted
>networks. Once you have it, a Man-In-The-Middle attack would be detected.
>
A Google search:
    https://www.google.com/search?q=known_hosts+mitm

Finds this, which concurs and which seems reasonable to me and you affirm:
https://serverfault.com/questions/132970/can-i-automatically-add-a-new-host-to-known-hosts/316100
    @Mnebuerquo: If you were worried about security then you wouldn't have
    anything at all to do with this question. You'd have the correct host key
    in front of you, gathered from the console of the system you wanted to
    connect to, and you would manually verify it upon first connecting. You
    certainly wouldn't do anything "automatically". – Ignacio Vazquez-Abrams
    Jun 15 '16 at 17:31

>You can also have ssh display the "ascii art" fingerprint of public key(s)
>for visual verification:
>
Transmitted independently and securely.  Courier pouch?

>ssh-keygen -lv -f ~/.ssh/known_hosts
>...
>2048 3b:87:95:6d:74:84:4f:d4:8e:bd:63:65:b1:5b:8e:74 [localhost]:6622 (RSA)
>+--[ RSA 2048]----+
>|             oo. |
>|            .....|
>|            .o.+o|
>|           + .+.E|
>|        S o o. ==|
>|         + .  .=.|
>|        + .   . .|
>|         o       |
>|                 |
>+-----------------+

-- gil
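The check the thread describes (an out-of-band fingerprint compared against what known_hosts records, rather than trusting ssh-keyscan output blindly) as an added example, not code from either poster. It computes both the SHA256 and the legacy MD5 colon-hex fingerprint formats that ssh-keygen -l prints, handles plain and HashKnownHosts-style hashed host fields, and the key blobs and host names are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac
def fingerprint_sha256(blob: bytes) -> str:
    # Modern ssh-keygen -l form: base64 of the SHA-256 digest, padding stripped.
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
def fingerprint_md5(blob: bytes) -> str:
    # Legacy colon-separated hex form, as in the ssh-keygen output quoted in the thread.
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
def hash_host(host: str, salt: bytes) -> str:
    # Hashed host field as written by HashKnownHosts / ssh-keygen -H: HMAC-SHA1(salt, host).
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
def host_matches(field: str, host: str) -> bool:
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        return hmac.compare_digest(hash_host(host, base64.b64decode(salt_b64)), field)
    return host in field.split(",")  # plain host or comma-separated host list
def check_pins(known_hosts_text: str, pins: dict) -> dict:
    """For each pinned host return 'ok', 'MISMATCH' or 'absent'.
    pins: hostname -> fingerprint obtained out of band, 'SHA256:...' or 'MD5:...'."""
    result = {host: "absent" for host in pins}
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("@"):  # @revoked / @cert-authority marker
            fields = fields[1:]
        if len(fields) < 3 or line.lstrip().startswith("#"):
            continue
        blob = base64.b64decode(fields[2])
        for host, expected in pins.items():
            if host_matches(fields[0], host):
                actual = fingerprint_sha256(blob) if expected.startswith("SHA256:") else fingerprint_md5(blob)
                result[host] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return result
# Constructed sample data: the key blobs are placeholder bytes, not real SSH keys.
KEY_A = b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x01"
KEY_B = b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x03"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "[localhost]:6622 ssh-rsa " + base64.b64encode(KEY_A).decode(),
    hash_host("mainframe.example", b"0123456789abcdefghij") + " ssh-rsa " + base64.b64encode(KEY_B).decode(),
])
def demo() -> dict:
    # Pins as they would be read off each host's console (constructed here, hypothetical hosts).
    pins = {"[localhost]:6622": fingerprint_md5(KEY_A),       # recorded key matches
            "mainframe.example": fingerprint_sha256(KEY_A),   # a different key was recorded -> MISMATCH
            "other.example": "SHA256:not-present"}            # no known_hosts entry -> absent
    return check_pins(SAMPLE_KNOWN_HOSTS, pins)
```

Run `demo()` to see the three outcomes; a MISMATCH is the case the thread warns about, where the recorded key is not the one you verified independently.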

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
