Timing of banner

Eitan Adler lists at eitanadler.com
Sat Jul 2 14:49:38 EST 2011


On Fri, Jul 1, 2011 at 7:50 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> On 07/01/2011 03:20 PM, Bob Rasmussen wrote:
>> My user's point has a certain validity, I think: the user isn't seeing
>> what they're logging into before giving a username. One might even
>> consider it a security issue, identifying yourself before you know who
>> you're talking to (although I realize the fingerprint verification
>> mitigates this).
>
> From a security standpoint, the fingerprint verification doesn't just
> mitigate this; it is the *only* thing that addresses this security
> concern.  Reliance on a trivially replayable banner for identifying the
> host would be an insecure practice.

The fingerprint doesn't address the issue completely. From a user's
point of view there is no difference between logging into computer1
and logging into computer2 once they have already been authenticated
by the fingerprint (actually this is a client-side option, but one I
would not rely on being set correctly). That is, unless the computer
has some kind of prompt telling you who it is, it is easy to supply
the right credentials to the wrong computer. This is not a security
issue per se, but it can be useful to be notified which computer you
are accessing.


-- 
Eitan Adler
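
The two knobs the thread is talking about, written out as an added
configuration example (not from the original message or from the
OpenSSH project; the file paths and the Ed25519 key are assumptions):
a server-side Banner, which sshd sends during user authentication and
therefore only after the client has already named a user, and which any
other host can replay verbatim; and the client-side host key checks
that are the only thing actually tying the session to a particular
machine.

```text
# /etc/ssh/sshd_config (server)
# Sent as part of the userauth exchange, i.e. after the client has
# already supplied a username.  Informational only: a hostile server
# can send the same text, so it identifies nothing.
Banner /etc/issue.net

# ~/.ssh/config or /etc/ssh/ssh_config (client)
# Refuse to connect to a host whose key is not already in known_hosts,
# instead of asking the user to accept it on the spot.
StrictHostKeyChecking yes
# Print the fingerprint and its ASCII-art form on every login, not only
# for unknown hosts, so the user sees which key (machine) they reached.
VisualHostKey yes

# Out-of-band check on the server, to compare against what the client
# shows (the key file name is an assumption for this example):
#   ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub
```

With StrictHostKeyChecking set to yes a connection to a host whose key
changed or was never recorded fails outright, which is the behaviour
the reply calls a client-side option that cannot be relied on to be set
correctly by default.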
