Re: ssh host ip/id management for dynamic dns servers
On 13/02/14 07:07, Dan Purgert wrote:
> On 12/02/2014 13:30, Paul E Condon wrote:
>> On 20140212_200320, Lars Noodén wrote:
>>> On 02/12/2014 07:34 PM, Paul E Condon wrote:
>>>> ...
>>>> Question: Suppose I encounter this situation of the 'known host' having
>>>> moved to a different IP address (or a different URL?), is there a way
>>>> to discover whether the change is due to a proper functioning DynDNS,
>>>> or to a somewhat unstealthy man-in-the-middle operation? ...
>>>
>>> [...]
>>>
>>> A changing IP leads to filling known_hosts with lots of entries, which
>>> is what Zenaan's original question was about. After the first entry for
>>
>> ^^^^^^^^^^^^^^^^^
>>
>> Yes, but I asked an OT question. The key in the known_hosts file is surely
>> not a private key of the host. Rather it is a key that the host
>> publishes to identify itself to all incoming traffic. What keeps a
>> good person, like a well-meaning employee of the NSA, from making a
>> copy of the published key and using the copy to spoof the site, in
>> order to check up on the legitimacy of the use of the ssh connection?
>>
>
> The Host ID is based off the SSH private key left on that machine. So
> the only way for your friendly neighborhood NSA agent to generate a
> duplicate host ID is for them to have a copy of your server's private key.
1++
>
> -Dan
And if the person/company running the host is halfway competent they'll
have implemented DNSSEC - so even a stolen SSH keypair won't enable them
to impersonate the host - *if* you check DNSSEC.
NOTE: like electronic mail signatures, most businesses don't bother
to implement DNSSEC, and most clients don't check - but it's something
to bear in mind.
Kind regards
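For readers who want to see what "checking DNSSEC" for an SSH host actually compares, here is an added worked example, written for this page and not taken from the thread or from OpenSSH: it builds an OpenSSH public-key line for a constructed Ed25519 key, derives the SSHFP resource record from it the way `ssh-keygen -r` does (RFC 4255 / RFC 6594: SHA-256 of the raw key blob, algorithm number 4 for Ed25519), shows the `SHA256:...` fingerprint ssh prints at connect time, and verifies a presented key against a record. The 32-byte key material and the hostname are constructed placeholders, not real keys or hosts.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers from RFC 4255 / RFC 6594 / RFC 7479
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE_SHA1 = 1
SSHFP_FPTYPE_SHA256 = 2


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build a one-line OpenSSH public key (the format of known_hosts / .pub files).
    raw32 is constructed test material here, not a real key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Return (keytype, raw blob) and reject lines whose wire type disagrees
    with the declared type, which is the cheapest consistency check available."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("declared key type does not match wire type")
    return keytype, blob


def sshfp_record(owner: str, line: str) -> str:
    """Produce the SSHFP RR that would go in the zone (same data ssh-keygen -r prints)."""
    keytype, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).hexdigest()
    return f"{owner} IN SSHFP {SSHFP_ALGO[keytype]} {SSHFP_FPTYPE_SHA256} {digest}"


def ssh_fingerprint(line: str) -> str:
    """The 'SHA256:...' fingerprint ssh shows in its host-key prompt:
    base64 of the SHA-256 digest of the blob, padding stripped."""
    _, blob = parse_pubkey_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def verify_against_sshfp(line: str, record: str) -> bool:
    """Compare a presented host key to one SSHFP record: algorithm number,
    fingerprint type and the fingerprint itself must all match."""
    fields = record.split()
    algo, fptype, fp = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    keytype, blob = parse_pubkey_line(line)
    if SSHFP_ALGO.get(keytype) != algo:
        return False
    if fptype == SSHFP_FPTYPE_SHA256:
        computed = hashlib.sha256(blob).hexdigest()
    elif fptype == SSHFP_FPTYPE_SHA1:
        computed = hashlib.sha1(blob).hexdigest()
    else:
        return False  # unknown fingerprint type: treat as no match
    return hmac.compare_digest(computed, fp)


if __name__ == "__main__":
    # Constructed key material: 32 bytes 0x00..0x1f stand in for a real Ed25519 key.
    hostkey = make_ed25519_pubkey_line(bytes(range(32)), "root@constructed-host")
    record = sshfp_record("host.example.net.", hostkey)
    print(record)
    print(ssh_fingerprint(hostkey))
    print("matches own record:", verify_against_sshfp(hostkey, record))
    imposter = make_ed25519_pubkey_line(bytes(32), "someone-else")
    print("imposter matches:", verify_against_sshfp(imposter, record))
```

Two practical notes. OpenSSH only honours SSHFP data when `VerifyHostKeyDNS yes` is set and the resolver returns the answer with the AD (authenticated data) bit, i.e. the zone is DNSSEC-signed and the local resolver validates it; an unsigned SSHFP record is just a hint and ssh still prompts. And the check above compares the presented key to the published fingerprint, so it catches a host that presents a key the owner never published; it cannot tell who holds the private key behind a published one. For the thread's original problem of a host whose IP keeps changing, `HostKeyAlias somename` in ssh_config makes ssh file and look up the host under one fixed name in known_hosts regardless of the address it resolved to.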