lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 9 Sep 2014 12:23:59 +0200
From: Busindre ™  <busilezas@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] SSH host key fingerprint - through HTTPS

SSH host key fingerprint - through Terminal

ssh-keyscan -p 22 domain.com > /tmp/rsa &&  ssh-keygen -lf /tmp/rsa

Cheers!


2014-09-02 13:40 GMT+02:00 John Leo <johnleo@...ckssh.com>:

> "source code"
> It's here:
> https://checkssh.com/result/indexdotphp.txt
> Extremely short and easy to read.
>
> "trust the service operators"
> Hey, trust your own eyes. :-) Feel free to audit/use our code.
>
> "a better solution is to use Monkeysphere"
> Professional "certificate authority" vs "OpenPGP web of trust"
> Personally I feel more comfortable with CA.
>
> Best Wishes,
>
>
> On 2014-9-2 02:48, maxigas wrote:
>
>> From: John Leo <johnleo@...ckssh.com>
>> Subject: [FD] SSH host key fingerprint - through HTTPS
>> Date: Mon, 01 Sep 2014 12:41:17 +0800
>>
>>  This tool displays SSH host key fingerprint - through HTTPS.
>>>
>>> SSH is about security; host key matters a lot here; and you can know
>>> for sure by using this tool. It means you know precisely how to answer
>>> this question:
>>> The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be
>>> established.
>>> RSA key fingerprint is
>>> a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
>>> Are you sure you want to continue connecting (yes/no)?
>>>
>>> https://checkssh.com/
>>>
>>> We hackers don't want to get hacked. :-) SSH rocks - when host key is
>>> right. Enjoy!
>>>
>>
>> Excellent point and thanks for the tool! Indeed, fingerprint
>> verification is the absolute weak point of SSH. Here the problem
>> is that you have to trust the service operators when you use
>> checkssh or set up your own. Is the source code available
>> somewhere?
>>
>> Also, a better solution is to use Monkeysphere which uses the
>> public key infrastructure of PGP. It can not just check your SSH
>> fingerprints automatically but do a whole lot of other things:
>>
>> http://web.monkeysphere.info/
>>
>> --
>> maxigas, kiberpunk
>> FA00 8129 13E9 2617 C614 0901 7879 63BC 287E D166
>> http://research.metatron.ai/
>>
>> People the switches!
>>
>>
>>
>>
>>
>>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ