On 08/08/2017 06:58 PM, Roman Mamedov wrote:
> On Tue, 8 Aug 2017 18:51:51 -1100
> Mirimir <miri...@riseup.net> wrote:
>
>> On 08/08/2017 01:48 PM, Steven Chamberlain wrote:
>>> Hi,
>>>
>>> I often run my SSH sessions via Tor using tsocks. But today I see:
>>>
>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
>>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>> Someone could be eavesdropping on you right now (man-in-the-middle
>>> attack)!
>>> It is also possible that a host key has just been changed.
>>> The fingerprint for the RSA key sent by the remote host is
>>> e7:0e:73:a5:88:23:67:9c:01:87:3c:61:96:f6:e8:0a.
>>
>> I've seen that happen with Digital Ocean droplets. And when I've
>> checked, I've found that the host key had, in fact, changed. Did you
>> check for that?
>>
>>> The authenticity of host '8.8.8.8 (8.8.8.8)' can't be established.
>>> RSA key fingerprint is e7:0e:73:a5:88:23:67:9c:01:87:3c:61:96:f6:e8:0a.
>>> Are you sure you want to continue connecting (yes/no)? :
>>
>> That's not even a host key change. It's just that you don't yet have the
>> host key.
>>
>>> I could be wrong, but I think this "dropbear" service is most likely
>>> something malicious, running on one or more Tor exit nodes, attempting
>>> to collect passwords of people logging in this way.
>>
>> No, dropbear is an SSH server that 8.8.8.8 seems to be running.
>
> Did you try ssh'ing into 8.8.8.8 (outside of Tor)? It does not run a public
> SSH server at all (obviously).
>
> The point was to demonstrate that the exit node intercepts port 22 connections
> to any IP, and redirects them to the same particular instance of dropbear.
> Note how in both cases it's the same key fingerprint of
> e7:0e:73:a5:88:23:67:9c:01:87:3c:61:96:f6:e8:0a.

Oops, I missed the fact that the key fingerprints are the same :(

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
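
The check discussed in this thread (one host key fingerprint answering for unrelated IPs) can be automated. The following is an added example, not part of the original messages: it reads `ssh-keyscan`-style lines and reports any key presented by more than one host. The hosts, key blobs and function names are constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample in ssh-keyscan output format: "<host> <keytype> <base64 blob>".
# The blobs are short placeholders, not real host keys.
_BLOB_A = base64.b64encode(b"constructed-key-blob-A").decode()
_BLOB_B = base64.b64encode(b"constructed-key-blob-B").decode()
SAMPLE_SCAN = f"""\
# scanned through one exit (constructed data)
192.0.2.10 ssh-rsa {_BLOB_A}
198.51.100.7 ssh-rsa {_BLOB_A}
203.0.113.5 ssh-rsa {_BLOB_B}
"""


def md5_fingerprint(b64_blob: str) -> str:
    """Legacy colon-separated MD5 fingerprint, the format quoted in the thread."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.md5(raw, usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def shared_host_keys(scan_text: str) -> dict[str, list[str]]:
    """Map fingerprint -> sorted hosts, only for keys seen on more than one host."""
    hosts_by_fp = defaultdict(set)
    for line in scan_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or ssh-keyscan banner comment
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line
        host, _keytype, blob = parts[0], parts[1], parts[2]
        try:
            fp = md5_fingerprint(blob)
        except ValueError:
            continue  # key blob is not valid base64
        hosts_by_fp[fp].add(host)
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{fp} presented by {', '.join(hosts)}")
```

A machine reachable under several addresses shares one key legitimately, so a hit is a reason to verify the fingerprint out of band rather than proof of interception.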