On Thu, Sep 04, 2003 at 10:48:55PM -0700, James A. Donald wrote:
On 4 Sep 2003 at 7:56, Eric Murray wrote:
..which means that it [ssh-- ericm] still requires an OOB authentication. (or blindly typing 'yes' and ignoring the consequences). But that's another subject.
Not true. Think about what would happen if you tried a man in the middle attack on an SSH server.
you'd get the victim's session:

http://www.monkey.org/%7Edugsong/dsniff/

Abstract

dsniff is a collection of tools for network auditing and penetration [..] sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

also see http://sysadmin.oreilly.com/news/silverman_1200.html for discussion.
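
The out-of-band check this exchange turns on, as an added example that is not part of the original thread: it compares a presented SSH host key against a fingerprint obtained through a separate channel, and shows what first-use acceptance does without one. The key material, host name and the `check` helper are constructed for illustration; the fingerprint format is the SHA256 form current OpenSSH prints.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(b)) + b


def make_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an ssh-ed25519 public key line from 32 constructed bytes."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of a public key line (base64, padding stripped)."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check(known: dict, host: str, presented: str, pinned_fp: str = None) -> str:
    """Classify a presented host key, with or without an out-of-band pin."""
    fp = fingerprint(presented)
    if pinned_fp is not None:
        return "verified" if hmac.compare_digest(fp, pinned_fp) else "mismatch"
    if host not in known:
        known[host] = fp  # first use: nothing vouches for this key
        return "unverified-first-use"
    return "match" if hmac.compare_digest(known[host], fp) else "changed"


# Constructed sample keys: the server's real key and a different key
# presented by something sitting between client and server.
GENUINE = make_pubkey_line(bytes(range(32)), "host.example")
INTERPOSED = make_pubkey_line(bytes(range(32, 64)), "host.example")
# Stands in for a fingerprint read to the user over a separate channel.
PINNED_FP = fingerprint(GENUINE)

if __name__ == "__main__":
    known_hosts = {}
    print(check(known_hosts, "host.example", INTERPOSED))
    print(check(known_hosts, "host.example", GENUINE))
    print(check({}, "host.example", INTERPOSED, PINNED_FP))
```

Without a pin, the first key seen is stored whichever party sent it, and the later "changed" result only says that two keys differ, not which one belongs to the server.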