Re: man in the middle attack ?

To: debian-user@lists.debian.org
Subject: Re: man in the middle attack ?
From: Gaël DONVAL <gael.donval@cnrs-imn.fr>
Date: Tue, 21 Aug 2012 11:27:27 +0200
Message-id: <[🔎] 1345541247.4513.72.camel@p76-nom-gd.cnrs-imn.fr>
In-reply-to: <[🔎] CALuYw2zMFMh1+0cnZsKv+_qducRCGPhmfCQZRWm2Q8zVgnr+zQ@mail.gmail.com>
References: <[🔎] CALuYw2zMFMh1+0cnZsKv+_qducRCGPhmfCQZRWm2Q8zVgnr+zQ@mail.gmail.com>

Le lundi 20 août 2012 à 17:29 -0300, Dr Beco a écrit :
> What should I do, or where should I look, to understand this problem?
> 
> Can I log in with my account remotely to see the problem, or should I
> better log in locally? 

Just do what it says. If you can log in locally, you can try 
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
to get the fingerprint and compare it with the new one. You should NOT
need root privilege for that.

But as other said, an ssh public key can't change on its own: somebody
needs to have done something (IT, attacker, intern ;) or else there is a
hardware failure. In any case, the only "immediate action" is to
investigate as you did by plugging off the server. In this case this was
an involuntary and harmless, yet real, MITM attack.

Reply to:

References:
- man in the middle attack ?
  - From: Dr Beco <rcb@beco.cc>

Prev by Date: Re: Nagios shows only one Host (Services)
Next by Date: Re: man in the middle attack ?
Previous by thread: Re: man in the middle attack ?
Next by thread: Re: man in the middle attack ?
Index(es):
- Date
- Thread