← Back to context

Comment by ajross

10 days ago

Host key verification is a client feature and is on by default. Have you really never gotten the giant warning after a reinstall? That's what that is. SSH is telling you that the server has changed and isn't what you think.

4 comments

ajross

Reply
PhilipRoman  10 days ago

I'm saying that 90% of these setups look like this (or do the equivalent thing manually):

   ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@192.168...

They have ssh, but no proper key management

  • ajross  10 days ago

    Well, sure. You can turn off host key checking in ssh! But that isn't responsive to a point that (1) host key validation exists in ssh and (2) host key validation is on by default in ssh.

    • Izkata  10 days ago

      Their original comment was referring to people ignoring the warning banner and connecting anyway when the host changes. Not that it doesn't exist.

  • 0xbadcafebee  10 days ago

    Exactly. But 'passive encryption' isn't helpful; if you can see the traffic, you can MITM it. Just RST the connection, wait for the reconnect, intercept.