Re: [Hampshire] Ssh/sftp/scp vulnerability

Author: The Holy ettlz
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Ssh/sftp/scp vulnerability

gpg: Signature made Thu Apr 10 13:53:40 2008 BST
gpg: using DSA key 2FF22CF403F94B5D
> "The initial connection always has to setup a secure channel to swap
> transport encryption keys. If you can grep these keys you know how to
> un-encrypt the data stream."
>
> Has he got a point?


I think SSH sends the session keys (things like AES keys for the actual
transfers) encrypted using a PK system (DSA, RSA, etc.). The SSH client
just has to ask the remote for their public key. These *should* be
distributed in plaintext. There's no security problem in obtaining a
public key.

> I think he refers to man-in-the-middle. I think you have to be very
> quick to sniff the key and I also thought that the keys cannot be reused
> for a different session.


If you sniffed, you'd still see garbage. MITM could be done by someone
proxying the connection, but the public key fingerprint would change.
SSH shouts loudly when this happens. Proper authentication and
certificate-based infrastructure help prevent MITM attacks.

James

-- 
The Holy ettlz                              TheHolyettlz@???
PGP key ID: 03F94B5D
-----------------------------------------------------------------------
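
The check behind "the public key fingerprint would change", as an added example that is not part of the original message: it computes the SHA256 fingerprint of an offered host key and compares it with a pinned known_hosts entry. The host name, address and key bytes are constructed for illustration, and only plain (unhashed, marker-free) known_hosts lines are handled.

```python
import base64
import hashlib
import struct


def make_pubkey_line(key_type: str, raw_key: bytes) -> str:
    """Build an OpenSSH public key line ("type base64-blob") from constructed bytes."""
    parts = (key_type.encode(), raw_key)
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{key_type} {base64.b64encode(blob).decode()}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints: SHA256:<unpadded base64>."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; reject mismatches.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host(known_hosts: str, host: str, offered_line: str) -> str:
    """Return 'match', 'changed' or 'unknown' for the key a server offers."""
    offered_type = offered_line.split()[0]
    offered_fp = fingerprint(offered_line)
    seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed (|1|...) host entries.
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue
        hosts, key_type, b64 = fields[:3]
        if host not in hosts.split(",") or key_type != offered_type:
            continue
        seen = True  # a key of this type is already pinned for this host
        if fingerprint(f"{key_type} {b64}") == offered_fp:
            return "match"
    return "changed" if seen else "unknown"


# Constructed sample data: not real keys or hosts.
GOOD = make_pubkey_line("ssh-ed25519", bytes(range(32)))
PROXY = make_pubkey_line("ssh-ed25519", bytes(range(32, 64)))
KNOWN_HOSTS = f"# pinned on first connect\nshell.example.org,192.0.2.10 {GOOD}\n"

if __name__ == "__main__":
    print(check_host(KNOWN_HOSTS, "shell.example.org", PROXY), fingerprint(PROXY))
```

A "changed" result corresponds to the case where the client refuses to continue until the pinned entry is reviewed; "unknown" is the first-connection case, where the fingerprint has to be verified out of band.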