clogin vulnerable to MITM attack with ssh host keys

John Dorsey dorsey at
Fri Jun 10 19:47:43 UTC 2005

> Well, that's a good question.  When the PIX failover happens, wouldn't you
> see a changed key rather than the "I don't have keys for this host" condition
> that I was complaining about at the beginning of this thread?  My initial
> thoughts was that the "accept host key if you don't already have one"
> code in RANCID was for making the initial setup go smoother.

	Yes, I do see a changed config, not a new one, when the pix failover
happens.  Which means I missed something earlier... [clickety-clickety]

	Here it is.  It looks like I'm running a version of rancid that
already has some hackery to avoid getting those failures.  So I'm going over
ground that's been trodden before.

	I'm going to look into whether 7.0 gives a hardware-fixed management
IP address, which would remove all concerns.  If it does, then I'll just live
with status quo until that point.


More information about the Rancid-discuss mailing list