gpg: failed to create temporary file '/var/lib/lurker/.#lk0x56fcd100.hantslug.org.uk.12865': Permission denied
gpg: keyblock resource '/var/lib/lurker/pubring.gpg': Permission denied
gpg: Signature made Thu Apr 10 15:31:44 2008 BST
gpg: using DSA key 20ACB3BE515C238D
gpg: Can't check signature: No public key
On Thu, Apr 10, 2008 at 01:39:42PM +0100, Ottavio Caruso wrote:
> a colleague writes:
>
> <talking about ssh cipher algorithms>
>
> "The initial connection always has to setup a secure channel to swap
> transport encryption keys. If you can grep these keys you know how to
> un-encrypt the data stream."
>
> Has he got a point?
Nope.
If I recall correctly, ssh uses Diffie-Hellman key exchange by
default. This is a cryptographic protocol based on the same
mathematics used by RSA. It allows two people who have never met to
exchange keys in a way that prevents anyone else from finding those
keys.
From distant memory, DH key exchange also manages to have some
protection against man-in-the-middle attacks (but I could be wrong
about that -- my crypto books are at home).
> I think the refers to man-in-the-middle. I think you have to be very
> quick to sniff the key and I also though that the keys cannot be reused
> for a different session.
>
> Am I totally wrong?
ssh will give you the option to verify the system identity on your
first connection to the machine, and will warn you loudly if that
changes on subsequent connections. If you really care about this sort
of thing, you should be able to ask the system administrator of the
system to give you the ssh identity of the system you're connecting to
so that you can verify that there's no MITM.
Hugo.
--
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
PGP key: 515C238D from wwwkeys.eu.pgp.net or
http://www.carfax.org.uk
--- "What's so bad about being drunk?" "You ask a glass of water" ---
