ajross 6 hours ago
Host key verification is a client feature and is on by default. Have you really never gotten the giant warning after a reinstall? That's what that is. SSH is telling you that the server has changed and isn't what you think.

PhilipRoman 4 hours ago
I'm saying that 90% of these setups look like this (or do the equivalent thing manually):
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@192.168...
They have ssh, but no proper key management

0xbadcafebee 4 hours ago
Exactly. But 'passive encryption' isn't helpful; if you can see the traffic, you can MITM it. Just RST the connection, wait for the reconnect, intercept.

ajross 4 hours ago
Well, sure. You can turn off host key checking in ssh! But that isn't responsive to a point that (1) host key validation exists in ssh and (2) host key validation is on by default in ssh.

Izkata 3 minutes ago
Their original comment was referring to people ignoring the warning banner and connecting anyway when the host changes. Not that it doesn't exist.
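
Added example, not part of the thread: a small audit that flags ssh command lines and ssh_config text that switch off host key verification the way the command quoted above does. The function names and the sample inputs are constructed for illustration.

```python
import re
import shlex

def check_option(text):
    """Return a finding for one 'Key=Value' / 'Key Value' option, else None."""
    parts = re.split(r"\s*=\s*|\s+", text.strip(), maxsplit=1)
    if len(parts) != 2:
        return None
    key, value = parts[0].lower(), parts[1].strip().strip('"')
    # "no"/"off": new keys are added silently and a changed key does not stop the connection.
    if key == "stricthostkeychecking" and value.lower() in ("no", "off"):
        return "StrictHostKeyChecking=" + value.lower()
    # Every listed known_hosts file is /dev/null: no key is remembered between connections.
    files = value.split()
    if key == "userknownhostsfile" and files and all(f == "/dev/null" for f in files):
        return "UserKnownHostsFile=/dev/null"
    return None

def audit_command(cmdline):
    """Findings for the -o options of one ssh/scp/sftp command line."""
    tokens = shlex.split(cmdline)
    options = []
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens):
            options.append(tokens[i + 1])      # -o Key=Value or -o "Key Value"
        elif tok.startswith("-o") and len(tok) > 2:
            options.append(tok[2:])            # -oKey=Value
    return [f for f in map(check_option, options) if f]

def audit_config(text):
    """(line number, finding) pairs for ssh_config-style text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                           # blank lines and comments carry no setting
        finding = check_option(line)
        if finding:
            findings.append((lineno, finding))
    return findings

# Constructed sample inputs (192.0.2.10 is a documentation address).
SAMPLE_CMD = "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@192.0.2.10"
SAMPLE_CONFIG = """\
Host lab-*
    StrictHostKeyChecking off
    UserKnownHostsFile = /dev/null
Host prod-*
    # StrictHostKeyChecking no
    StrictHostKeyChecking accept-new
"""

if __name__ == "__main__":
    print(audit_command(SAMPLE_CMD))
    print(audit_config(SAMPLE_CONFIG))
```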