clogin vulnerable to MITM attack with ssh host keys
John Dorsey
dorsey at colquitt.org
Fri Jun 10 19:47:43 UTC 2005
> Well, that's a good question. When the PIX failover happens, wouldn't you
> see a changed key rather than the "I don't have keys for this host" condition
> that I was complaining about at the beginning of this thread? My initial
> thought was that the "accept host key if you don't already have one"
> code in RANCID was for making the initial setup go smoother.

Yes, I do see a changed config, not a new one, when the PIX failover
happens. Which means I missed something earlier... [clickety-clickety]

Here it is. It looks like I'm running a version of rancid that
already has some hackery to avoid getting those failures. So I'm going over
ground that's been trodden before.

I'm going to look into whether 7.0 gives a hardware-fixed management
IP address, which would remove all concerns. If it does, then I'll just live
with the status quo until that point.

Cheers,
John