The fact that SSH tells you the fingerprint has changes. If the user is "dumb" enough to pass by it, and don't care, then he deserves to be "Hijacked".
On 8/31/06, Christ, Bryan <[EMAIL PROTECTED]> wrote:
But if Eve is later challenged to prove her identity (that she must now maintain the illusion of being Alice), what prevents Eve from passing the challenge on to the real Alice, getting valid results, and then passing them back to Bob? On Thu, 2006-08-31 at 10:01 +0400, Eygene Ryabinkin wrote: > Bryan, > > I was looking at the diagram on the URL listed below and contemplating > > how host fingerprinting prevents MITM attacks. > > > > http://www.vandyke.com/solutions/ssh_overview/ssh_overview_threats.html > > > > So my question is this... Given the illustration in the URL above, what > > prevents Eve from *first* contacting Alice to obtain a fingerprint which > > then gets passed to Bob on the first connection attempt? > > She can obtain it, but the fingerprint is closely related to the > Alice's private key that Eve can not obtain easily. So there is > no reason for Eve to pass Alice's fingerprint to Bob, because later > she will not be able to prove to Bob that she has the corresponding > private key and it will break the connection between Bob and Eve.
