Post a reply

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

martin

Re: Question about ssh fingerprint

nizmo wrote:

Wouldn't a man in the middle attack be possible if the attacker knew the SSH fingerprint? Couldn't he use the same SSH fingerprint on his machine to fool you into thinking his is the right server?

Sure he can, but WinSCP then encrypts the data it sends (including your credentials) using that public key. The attacker would not be able to decrypt these as he/she does not know a private key.

For the same reason, anyone can learn a public key of the server using hostname only, as the server needs to announce the public key to a client, even before the client authenticates. That's the point of the key being "public".
nizmo

Question about ssh fingerprint

I must not understand this right.

From my understanding, the SSH fingerprint is to ensure the server you are connecting to is the server you are expecting. According to the FAQ, "The host key fingerprint is generated from public key part of the hostkey only. So it is not secret and can be safely sent over insecure communication channels."

Wouldn't a man in the middle attack be possible if the attacker knew the SSH fingerprint? Couldn't he use the same SSH fingerprint on his machine to fool you into thinking his is the right server?