Topic "Question about ssh fingerprint"

Author Message
nizmo
[View user's profile]

Joined: 2013-07-25
Posts: 1
I must not understand this right.

From my understanding, the SSH fingerprint is to ensure the server you are connecting to is the server you are expecting. According to the FAQ, "The host key fingerprint is generated from public key part of the hostkey only. So it is not secret and can be safely sent over insecure communication channels."

Wouldn't a man in the middle attack be possible if the attacker knew the SSH fingerprint? Couldn't he use the same SSH fingerprint on his machine to fool you into thinking his is the right server?
martin
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 24512
Location: Prague, Czechia
nizmo wrote:
Wouldn't a man in the middle attack be possible if the attacker knew the SSH fingerprint? Couldn't he use the same SSH fingerprint on his machine to fool you into thinking his is the right server?

Sure he can, but WinSCP then encrypts the data it sends (including your credentials) using that public key. The attacker would not be able to decrypt these as he/she does not know a private key.

For the same reason, anyone can learn a public key of the server using hostname only, as the server needs to announce the public key to a client, even before the client authenticates. That's the point of the key being "public".
_________________
Martin Prikryl
Advertisements

You can post new topics in this forum






Search Site

What is WinSCP?

It is award-winning SFTP client, SCP client, FTPS client and FTP client integrated into one software program for file transfer to FTP server or secure SFTP server. [More]

And it's free!

Donate

About donations

$9   $19   $49   $99

About donations

Recommend

WinSCP Privacy Policy

WinSCP License