Bug#807239: lftp: can no longer connect with sftp (no matching host key type found)
On 2015-12-09 15:18:44 +0000, Colin Watson wrote:
> On Wed, Dec 09, 2015 at 10:06:32AM +0100, Vincent Lefevre wrote:
> > This is from an SSH server for Android (and the user doesn't seem
> > to have a choice for the type of the host key).
> Please report this to the maintainers of that server. In the meantime
> you'll have to use legacy options.
I've just sent them a mail.
> > > This is unrelated to host key checking or IP checking. It's about the
> > > type of underlying crypto being used to secure the connection.
> > According to what is documented, this appears to be related to
> > host key checking: the error message is "no matching *host key*
> > type found" and the option name is HostKeyAlgorithms. In what
> > way could it be insecure in the case where the user doesn't have
> > the key in the ~/.ssh/known_hosts file?
> Weak host keys make it easier to conduct man-in-the-middle attacks.
My point is that with StrictHostKeyChecking = no and no keys for
the host in ~/.ssh/known_hosts, there is no host authentication,
so that a man-in-the-middle attack is already possible, even if
the server provides a strong key. Thus whether a weak host key
is provided by the server or not in this case shouldn't matter.
Vincent Lefèvre <email@example.com> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
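
An added example, not part of the original message or of OpenSSH: a simplified audit of an ssh_config file that reports the two client settings debated in this thread, disabled host key checking and host key algorithms added with `+`. The sample config, its host names and the `ssh-dss` value are constructed (the thread does not name the server's key type), and each Host block is inspected on its own without resolving pattern matches across blocks.

```python
import re

# Constructed sample; host names and the ssh-dss value are assumptions.
SAMPLE = """\
Host android-phone
    HostKeyAlgorithms +ssh-dss
    StrictHostKeyChecking no

Host legacy-nas
    HostKeyAlgorithms=+ssh-dss

Host *
    StrictHostKeyChecking ask
"""

def parse_blocks(text):
    """Split ssh_config text into (host_patterns, {keyword: value}) blocks."""
    blocks = [("*", {})]  # options before any Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value, {}))
        else:
            # Within a block, keep the first value seen for a keyword.
            blocks[-1][1].setdefault(key, value)
    return blocks

def audit(text):
    """Return (host, finding) pairs for settings that weaken host authentication."""
    findings = []
    for host, opts in parse_blocks(text):
        checking = opts.get("stricthostkeychecking", "").lower()
        algs = opts.get("hostkeyalgorithms", "")
        if checking in ("no", "off"):
            findings.append((host, "host key checking disabled"))
        if algs.startswith("+"):
            findings.append((host, "extra host key algorithms enabled: " + algs[1:]))
    return findings

if __name__ == "__main__":
    for host, finding in audit(SAMPLE):
        print(f"{host}: {finding}")
```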