1

If a narrow, trusted channel is needed (for example, there is a USB key to take data between the machines), it is okay.

Although SSH will throw a big error if it tries to connect to a server pretending to be another one (the RSA fingerprint won't match), this can't happen if the servers don't know each other (and don't know each other's keys either). In this case, i.e. before the first connection, a MitM attack is possible, AFAIK.

The best would be a command sequence on both sides which generates the needed keys on both sides.

5
  • What do you mean? SSH will throw a big error if it tries to connect to a server pretending to be another one (the RSA fingerprint won't match), and all SSH traffic is encrypted, so a MiTM on an SSH connection won't be able to read or send any data. Commented May 22, 2014 at 12:21
  • @Nick This is impossible before the first contact between the servers. I cleared up my question. Commented May 22, 2014 at 12:25
  • That's why SSH shows you the RSA fingerprint; some hosts show the fingerprint on the control panel so you can verify it, or if it's home hosted, simply go to the server and check the key via the command line. Commented May 22, 2014 at 12:28
  • @Nick Yes, it works, but it can't be automated. It needs human interaction. Another problem: it is theoretically possible to alter the RSA key shown by the server in case of a successful MitM attack. Commented May 22, 2014 at 12:31
  • @AJHenderson Although it is not a perfect answer, there is a big overlap and it contains much useful information. Commented May 22, 2014 at 13:47

1 Answer

1

If the servers do not know each other, then every connection is in theory unsecured. You can have a list of known servers, distribute it in your environment, and prevent users from establishing connections with unknown servers.

To further protect yourself, you can add the server's fingerprint to a DNS record and require additional verification during connection. See this tutorial for an example.
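The following Python script is an added example, not code from the question, the answer, or the linked tutorial. It shows the mechanics behind the answer's DNS suggestion: how the SSHFP record for a host key is derived (the same data `ssh-keygen -r host -f key.pub` prints), how the `SHA256:...` fingerprint ssh shows at the first-connection prompt relates to that record, and the comparison a client performs when it checks an offered key against the record. The host keys used are constructed in-line from fixed byte values so the script runs offline; they are not real keys, and the second one plays the part of a substitute key offered by a man-in-the-middle. The algorithm and fingerprint-type numbers are the ones from the SSHFP RFCs (4255, 6594, 7479).

```python
"""Derive SSHFP records from OpenSSH public host keys and check keys against them.

Added example, not from the original post.  Sample keys below are CONSTRUCTED
from fixed bytes (not real curve points); only their encoding matters here.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint-type numbers.
SSHFP_HASHES = {"sha1": 1, "sha256": 2}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def build_openssh_pubkey(keytype: str, raw_key: bytes, comment: str = "") -> str:
    """Assemble an OpenSSH public key line ("type base64blob comment").
    Used here only to construct samples; real keys live in /etc/ssh/*.pub."""
    blob = ssh_string(keytype.encode()) + ssh_string(raw_key)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}".strip()


def parse_pubkey_line(line: str):
    """Split an OpenSSH public key line into (keytype, wire blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    # The blob's first SSH string repeats the key type; reject a mismatch.
    tlen = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key type field does not match blob")
    return keytype, blob


def openssh_fingerprint(line: str) -> str:
    """The 'SHA256:<base64>' fingerprint ssh prints at the host-key prompt:
    unpadded base64 of SHA-256 over the public key blob."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def prompt_fingerprint_to_hex(prompt_fp: str) -> str:
    """Convert the 'SHA256:<base64>' form into the hex used in SSHFP records,
    so a value copied from the prompt can be compared with the DNS record."""
    if not prompt_fp.startswith("SHA256:"):
        raise ValueError("only SHA256: fingerprints are handled")
    b64 = prompt_fp[len("SHA256:"):]
    b64 += "=" * (-len(b64) % 4)  # restore the padding ssh strips
    return base64.b64decode(b64).hex()


def sshfp_rdata(line: str, hash_name: str = "sha256"):
    """SSHFP RDATA (algorithm, fptype, hex fingerprint) for a public key line;
    the fingerprint is the named hash over the whole key blob."""
    keytype, blob = parse_pubkey_line(line)
    return SSHFP_ALGORITHMS[keytype], SSHFP_HASHES[hash_name], hashlib.new(hash_name, blob).hexdigest()


def sshfp_zone_line(hostname: str, line: str, hash_name: str = "sha256") -> str:
    """Zone-file text for the record, e.g. 'host.example. IN SSHFP 4 2 <hex>'."""
    alg, fptype, fp = sshfp_rdata(line, hash_name)
    return f"{hostname}. IN SSHFP {alg} {fptype} {fp}"


def matches_sshfp(line: str, rdata) -> bool:
    """The client-side check: does the key the server offered match the
    SSHFP record fetched from DNS?  Unknown fingerprint types never match."""
    alg, fptype, fp = rdata
    by_number = {v: k for k, v in SSHFP_HASHES.items()}
    if fptype not in by_number:
        return False
    return sshfp_rdata(line, by_number[fptype]) == (alg, fptype, fp.lower())


# Constructed sample host key: 32 fixed bytes stand in for an Ed25519 key.
SAMPLE_HOST_KEY = build_openssh_pubkey("ssh-ed25519", bytes(range(32)), "root@host.example")
# Constructed substitute key, playing the role of a man-in-the-middle's host key.
IMPOSTER_HOST_KEY = build_openssh_pubkey("ssh-ed25519", bytes(range(32, 64)))

if __name__ == "__main__":
    record = sshfp_rdata(SAMPLE_HOST_KEY)
    print(sshfp_zone_line("host.example", SAMPLE_HOST_KEY))
    print("prompt shows:", openssh_fingerprint(SAMPLE_HOST_KEY))
    print("genuine key matches record:", matches_sshfp(SAMPLE_HOST_KEY, record))
    print("imposter key matches record:", matches_sshfp(IMPOSTER_HOST_KEY, record))
```

Two caveats a practitioner should keep in mind. First, OpenSSH only treats an SSHFP answer as trustworthy when the resolver returns it DNSSEC-validated; with `VerifyHostKeyDNS yes` in `ssh_config`, an unsigned answer still produces the usual "are you sure you want to continue connecting" prompt, so without DNSSEC the record adds nothing against an attacker who can also spoof DNS. Second, the answer's first suggestion (a distributed list of known hosts) is enforced with `StrictHostKeyChecking yes` plus a populated `GlobalKnownHostsFile`; if that list is gathered with `ssh-keyscan` over the same untrusted network, it inherits exactly the first-contact problem the question is about, so it has to be collected out of band (the USB key mentioned in the question, or a DNSSEC-signed zone).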
