[NTLUG:Discuss] another question on ssh and mobility

Fred James fredjame at concentric.net
Mon Sep 9 10:32:00 CDT 2002


On the security side, let me run this past you and see what you think:

(1) Anyone with the host name/IP and an ssh client can initiate a 
connection attempt.
(2) If the client computer has never gotten a key from that host before, 
one will be offered.
(3) If the client accepts the key, and keeps it somewhere, subsequent 
connection attempts to the same host will not go through the key 
offering sequence.
(4) The offer of a key is the host asking the client if the client 
trusts the host, or trusts that this is indeed the host the client wants 
to trust.
(5) That done, the session(s) is(are) encrypted, and then it is up to 
the login/password to ensure that only the proper users have access.

Right so far?

Now, the key is being stored somewhere on that client computer - so I 
assume that someone could find the key - is that right?  If so, of what 
value would it be to that someone?  Of what danger could it be to 
either the client, or host, computer for that key to be found by someone?


Sean Cook wrote:

>On my Win2K box...
>
>  HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\
>    ->  Sessions
>    ->  SshHostKeys
>
>  and one other location...
>
>Cheers,
>Sean
>

-- 
small is beautiful
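
The sequence in steps (1)-(5) above, sketched as an added example that is not part of the original post: a client-side check against an OpenSSH-style known-hosts list, in which each stored entry is the host's public key. The host names, key blobs and function names are constructed for illustration, and only plain (unhashed, unmarked) entries are handled.

```python
import base64
import hashlib

# Constructed sample key blobs and host names (not real host keys).
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
SAMPLE_KNOWN_HOSTS = f"""# constructed known_hosts content
shell.example.org,192.0.2.10 ssh-rsa {KEY_A} sample-comment
"""


def fingerprint(key_b64):
    """SHA256 fingerprint in the form OpenSSH displays (base64, unpadded)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Map (host, keytype) -> base64 public key for plain entries."""
    store = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed (|1|...) host entries.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        hosts, keytype, key = fields[:3]
        for host in hosts.split(","):
            store[(host, keytype)] = key
    return store


def check_host_key(store, host, keytype, offered, accept_new=False):
    """Return 'match', 'changed', 'unknown', or 'stored' (first-use accept)."""
    known = store.get((host, keytype))
    if known is None:
        if not accept_new:
            return "unknown"      # step (2): the user must decide
        store[(host, keytype)] = offered
        return "stored"           # step (3): remembered for next time
    # A different key for a known host must never be silently accepted.
    return "match" if known == offered else "changed"
```

On an "unknown" result, the fingerprint is the value a user compares against one obtained from the host's administrator before accepting.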






