[GTALUG] Netgear 5-port Gigabit switch -- $10 ?
D. Hugh Redelmeier
hugh at mimosa.com
Sun Mar 27 22:31:52 UTC 2016
| From: Lennart Sorensen <lsorense at csclub.uwaterloo.ca>
| It is not that simple. DH key exchange works and has been used for a
| long time now because it works.
Yes, but it doesn't prevent man-in-the-middle attacks. For that you
need authentication.
SSH does a few things for authentication.
SSH hosts have keys. An SSH client warns the user if a hosts key has
changed since the last time they talked. This puts little burden on
the user and yet gives some security. But it won't detect a
man-in-the-middle that was there from first contact.
Users can authenticate with a client via passwords or via a public
key. Both require out-of-band installation of credentials.
I think that the password will travel over the wire when authenticating, but
encrypted. But a spoofing server could collect passwords.
With a public key system (like RSA), only a signature goes over the
wire. So a spoofing server could not collect the key. Things get a
little more intricate when you use ssh-agent for forwarding authenticaton.
More information about the talk
mailing list