
PhilipRoman | 18 days ago

I'm saying that 90% of these setups look like this (or do the equivalent thing manually):

   ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@192.168...

They have ssh, but no proper key management.
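
A defensive check for the pattern in the comment above, as an added example that is not part of the thread: it scans shell scripts and ssh_config text for options that turn off host key verification. Apart from the command quoted from the comment, the sample input is constructed, and the function names are this example's own.

```python
import re
import shlex

DISABLING = {"no", "off"}  # StrictHostKeyChecking values that skip verification
KNOWN_HOSTS_KEYS = {"userknownhostsfile", "globalknownhostsfile"}

# Constructed sample: line 1 is the command quoted in the comment, the rest are made up.
SAMPLE = """\
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@192.168...
scp -oStrictHostKeyChecking=off build.tar deploy@192.0.2.10:/tmp/
ssh -o StrictHostKeyChecking=accept-new deploy@192.0.2.10
# StrictHostKeyChecking no
Host lab-*
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
ssh -o "UserKnownHostsFile ~/.ssh/known_hosts" deploy@192.0.2.10
"""

def options_in_line(line):
    """Return option strings from an ssh/scp command line or an ssh_config line."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = line.split()
    opts = []
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens):
            opts.append(tokens[i + 1])       # "-o Key=value"
        elif tok.startswith("-o") and len(tok) > 2:
            opts.append(tok[2:])             # "-oKey=value"
    # No -o flags: treat the whole line as a config-file directive.
    return opts or ([" ".join(tokens)] if tokens else [])

def classify(option):
    """Return a finding if the option defeats host key verification, else None."""
    parts = re.split(r"\s*=\s*|\s+", option.strip(), maxsplit=1)
    if len(parts) != 2:
        return None
    key, value = parts[0].lower(), parts[1].strip().strip('"')
    if key == "stricthostkeychecking" and value.lower() in DISABLING:
        return "host key checking disabled"
    if key in KNOWN_HOSTS_KEYS and value.split() == ["/dev/null"]:
        return "known_hosts discarded"
    return None

def audit(text):
    """Return (line_number, finding) pairs for every offending option in text."""
    return [(n, r) for n, line in enumerate(text.splitlines(), start=1)
            for r in map(classify, options_in_line(line)) if r]
```

Calling `audit()` on the contents of a deployment script or an ssh_config file returns one entry per offending option; `accept-new` and commented-out directives are not reported.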


ajross|18 days ago

Well, sure. You can turn off host key checking in ssh! But that isn't responsive to a point that (1) host key validation exists in ssh and (2) host key validation is on by default in ssh.

Izkata|18 days ago

Their original comment was referring to people ignoring the warning banner and connecting anyway when the host changes. Not that it doesn't exist.

0xbadcafebee|18 days ago

Exactly. But 'passive encryption' isn't helpful; if you can see the traffic, you can MITM it. Just RST the connection, wait for the reconnect, intercept.