On Sat, Jun 16, 2001 at 01:51:53AM +0530, Anirban Biswas. wrote:
> $ ssh -l lognname myproject.sourceforge.net (it is my server's address)
>
> & I am getting a message.
>
> The authenticity of host 'warboard.sourceforge.net' can't be
> established.
> DSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
> (here it is not 'xx' but some alphanumeric data; I gave this because I do
> not want to post my DSA fingerprint.)
> Are you sure you want to continue connecting (yes/no)?

The exact sentence should have been:

lutzpc 35: slogin -l logname warboard.sourceforge.net
The authenticity of host 'warboard.sourceforge.net (216.136.171.201)' can't be
established.
DSA key fingerprint is 4c:68:03:d4:5c:58:a6:1d:9d:17:13:24:14:48:ba:99.
Are you sure you want to continue connecting (yes/no)?

Your ssh client tells you that it cannot positively verify the identity
of host 'warboard.sourceforge.net (216.136.171.201)'. warboard sent its
public key, which has the fingerprint shown above.

The people setting up the account should have sent you either a copy
of the fingerprint or the DSA private key that you should add to your
known_hosts2 file. If you had it on file, ssh would not ask.
If the fingerprint matches, you can continue the connection.

If you cannot positively verify the identity of the peer, there is a
possibility left, that an attacker might have installed a host capturing
your packages and resending them to the real host (man in the middle attack).
This attacker would be able to record your complete communication including
your passwords.
Therefore ssh asks you whether you want to take this risk.
(It is a question of _your_ risk assessment, whether you consider this a
real threat or more a theoretical danger.)

I just performed a short search on www.sourceforge.net for the keywords
"ssh fingerprint" or "ssh public key", "ssh host key" and didn't find
anything, but a google search for "sourceforge ssh key" did immediately
reveal the wanted information:

http://sourceforge.net/docman/display_doc.php?docid=3088&group_id=1

The information says that the fingerprint matches the SSH2 key of
shell.sourceforge.net.

Please use the "https" service to check these values, so that you can be
sure that nobody tampered with the contents of this webpage.

Best regards,
Lutz

PS. I did a complete analysis that may be looking a bit paranoid.
In 99.99% everything will be ok and you just wasted your time. On the
other hand...
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
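
The fingerprint comparison described in the message above, as an added example that is not part of the original e-mail: it recomputes the fingerprint of a host key line (the colon-separated MD5 form shown in the prompt, and the SHA256 form newer OpenSSH clients print) and compares it with a value obtained out of band. The host name `host.example`, the sample key and all function names are constructed for illustration, and only plain `hosts keytype base64` lines are handled.

```python
import base64, hashlib, hmac, struct

def parse_host_key_line(line):
    """Split a plain 'hosts keytype base64' known_hosts line into its parts."""
    hosts, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The key blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the line")
    return hosts.split(","), key_type, blob

def md5_fingerprint(blob):
    """Colon-separated hex MD5 of the blob: the format in the prompt above."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(blob):
    """Unpadded base64 SHA-256 of the blob, as newer OpenSSH clients print it."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def matches_published(line, published):
    """True only if the key on `line` has exactly the published fingerprint."""
    blob = parse_host_key_line(line)[2]
    published = published.strip()
    if published.startswith("SHA256:"):
        actual = sha256_fingerprint(blob)
    else:
        actual, published = md5_fingerprint(blob), published.lower()
    return hmac.compare_digest(actual.encode(), published.encode())

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

# Constructed sample, NOT a real key: "ssh-dss" followed by four dummy integers.
SAMPLE_BLOB = _ssh_string(b"ssh-dss") + b"".join(
    _ssh_string(bytes([i]) * 20) for i in range(1, 5))
SAMPLE_LINE = "host.example,192.0.2.10 ssh-dss " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    published = md5_fingerprint(SAMPLE_BLOB)   # stands in for the value read over https
    print(published, matches_published(SAMPLE_LINE, published))
    # A fingerprint belonging to some other key must be rejected.
    print(matches_published(SAMPLE_LINE, "00:" * 15 + "00"))
```
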