[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#807239: lftp: can no longer connect with sftp (no matching host key type found)

On 2015-12-09 15:18:44 +0000, Colin Watson wrote:
> On Wed, Dec 09, 2015 at 10:06:32AM +0100, Vincent Lefevre wrote:
> > This from is a SSH server for Android (and the user doesn't seem
> > to have a choice for the type of the host key).
> Please report this to the maintainers of that server.  In the meantime
> you'll have to use legacy options.

I've just sent them a mail.

> > > This is unrelated to host key checking or IP checking.  It's about the
> > > type of underlying crypto being used to secure the connection.
> > 
> > According to what is documented, this appears to be related to
> > host key checking: the error mesage is "no matching *host key*
> > type found" and the option name is HostKeyAlgorithms. In what
> > way it could be insecure in the case where the user doesn't have
> > the key in the ~/.ssh/known_hosts file?
> Weak host keys make it easier to conduct man-in-the-middle attacks.

My point is that with StrictHostKeyChecking = no and no keys for
the host in ~/.ssh/known_hosts, there is no host authentication,
so that a man-in-the-middle attack is already possible, even if
the server provides a strong key. Thus whether a weak host key
is provided by the server or not in this case shouldn't matter.

Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply to: