[Bug 3113] StrictHostKeyChecking=no works with changed 1024 bit RSA hostkeys but fails when 2048 RSA
bugzilla-daemon at bugzilla.mindrot.org
Tue Jan 28 02:29:18 AEDT 2020
https://bugzilla.mindrot.org/show_bug.cgi?id=3113
--- Comment #2 from Andy Hart <Andy.Hart1 at cgi.com> ---
Created attachment 3352
--> https://bugzilla.mindrot.org/attachment.cgi?id=3352&action=edit
SSH debug connection output as requested
The debug output (ssh -vvv ...) is from an Ubuntu ssh client, connecting
to a CentOS ssh server. For this capture, the SSH server has a 2048-bit
RSA host key. The client started with an empty known_hosts file, and
made a first connection. It accepted and stored the SSH server's host
key. I then modified the stored key in the client's known_hosts file,
and repeated the SSH connection, this time with the "-vvv" option.
The connection failed with a warning about a MITM attack, i.e. despite
the "StrictHostKeyChecking=no" set in the config file it did NOT accept
the changed key. However, if I repeat this test with a 1024-bit RSA key
on the SSH server, no MITM attack is reported.
Regards,
Andy
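As an added example that is not part of the bug report or of OpenSSH: a minimal re-implementation of the known_hosts lookup that yields the "changed host key" decision behind the MITM warning Andy describes, covering both plain and hashed (`|1|salt|hmac`) entries. The hostnames, salt and key blobs are constructed placeholders; wildcards, `[host]:port` forms and `@cert-authority`/`@revoked` markers are out of scope.

```python
import base64
import hashlib
import hmac


def hashed_host_token(hostname: str, salt: bytes) -> str:
    """Build the '|1|<salt>|<hmac>' form OpenSSH uses for HashKnownHosts entries."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, hostname: str) -> bool:
    """Match the host field of a known_hosts line (plain comma list or hashed form)."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        return hmac.compare_digest(hashed_host_token(hostname, base64.b64decode(salt_b64)), field)
    return hostname in field.split(",")  # wildcards, negation and [host]:port not handled


def check_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Classify the key a server presented: 'ok', 'changed' (the MITM warning case) or 'unknown'."""
    seen_type = False
    for line in known_hosts.splitlines():
        parts = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines (out of scope here)
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        if not host_matches(parts[0], hostname) or parts[1] != key_type:
            continue
        seen_type = True  # a stored key of this type exists for this host
        if hmac.compare_digest(parts[2], key_b64):
            return "ok"
    return "changed" if seen_type else "unknown"


# Constructed sample data (not the reporter's files): the key blobs are placeholders,
# not real RSA keys, since the check only compares stored and presented blobs.
SALT = b"0123456789abcdef0123"  # constructed 20-byte salt, the length OpenSSH uses
ORIGINAL_KEY = base64.b64encode(b"constructed-rsa-blob-1").decode()
CHANGED_KEY = base64.b64encode(b"constructed-rsa-blob-2").decode()
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "centos-server,192.0.2.10 ssh-rsa " + ORIGINAL_KEY,
    hashed_host_token("hashed-server", SALT) + " ssh-rsa " + ORIGINAL_KEY,
])

if __name__ == "__main__":
    # Mirrors the reporter's test: after the stored key is edited, the presented key no longer matches
    print(check_host_key(KNOWN_HOSTS, "centos-server", "ssh-rsa", ORIGINAL_KEY))  # ok
    print(check_host_key(KNOWN_HOSTS, "centos-server", "ssh-rsa", CHANGED_KEY))   # changed
```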