Host Verification Imperative: Verify the host's key!

  Upon first connection, verify the host key.
    If you don't, you could be vulnerable to man-in-the-middle attacks.
      Someone steals your password, modifies your bits, etc.
    A MITM attacker cannot use the actual host key, so the key you see on the network would differ from the real one.

  It's best if you know the fingerprint through some offline method before connecting.
    Available on a trusted SSL-protected web page, stored in a Palm Pilot, on a laminated card in your wallet, etc.

  Worst case: verify the key after logging in.
    Not as secure.
    Key may not be readable by non-root users.

  If the host key ever changes, you'll get a big warning.
    This can happen legitimately:
      Server upgrade and new keys generated.
      New SSH protocol added.
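As an added worked example (not part of Bri Hatch's slides), the following Python script shows where the fingerprint you compare against actually comes from, so that an offline check is something you can reason about rather than a ritual: it decodes an OpenSSH public key line, derives the MD5 colon-hex fingerprint that ssh-keygen -l printed in 2004 and the SHA256 base64 fingerprint that later OpenSSH prints, compares a presented key against a trusted fingerprint, and mimics the known_hosts decision ("new", "match" or "CHANGED") behind the big warning the slide mentions. The key lines, hostname and IP address are constructed placeholders, not real server keys.

```python
import base64
import hashlib
import hmac
import struct


def _build_key_line(key_type: bytes, key_bytes: bytes, comment: str) -> str:
    """Construct an OpenSSH public key line: '<type> <base64 blob> <comment>'.
    The blob is the SSH wire encoding: string(type) || string(key material)."""
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample keys (all-zero and near-zero key material; NOT real host keys).
SAMPLE_KEY_LINE = _build_key_line(b"ssh-ed25519", bytes(32), "hypothetical-host")
OTHER_KEY_LINE = _build_key_line(b"ssh-ed25519", bytes(31) + b"\x01", "hypothetical-host")


def key_blob(pubkey_line: str) -> bytes:
    """Decode the base64 key blob from a public key line and sanity-check that
    the declared key type matches the type string embedded in the blob."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != fields[0].encode():
        raise ValueError("declared key type does not match key blob")
    return blob


def fingerprint_md5(pubkey_line: str) -> str:
    """2004-era fingerprint: MD5 of the key blob as 16 colon-separated hex pairs."""
    digest = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(pubkey_line: str) -> str:
    """Modern OpenSSH fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_trusted(pubkey_line: str, trusted_fingerprint: str) -> bool:
    """Compare the presented key against a fingerprint obtained offline
    (web page, laminated card, ...). Accepts either fingerprint style."""
    trusted = trusted_fingerprint.strip()
    if trusted.startswith("SHA256:"):
        return hmac.compare_digest(fingerprint_sha256(pubkey_line), trusted)
    return hmac.compare_digest(fingerprint_md5(pubkey_line).lower(), trusted.lower())


def check_known_host(known_hosts_text: str, hostname: str, presented_line: str) -> str:
    """Mimic the client's known_hosts decision for a plain (unhashed) file:
    'new'     - host never seen, the first-connection case where you must verify
    'match'   - stored key equals the presented key
    'CHANGED' - stored key differs: the 'big warning' case
    Lines starting with '@' (markers such as @cert-authority) are ignored here."""
    presented_type = presented_line.split()[0]
    presented_blob = key_blob(presented_line)
    for entry in known_hosts_text.splitlines():
        entry = entry.strip()
        if not entry or entry.startswith(("#", "@")):
            continue
        hosts, key_type, b64 = entry.split()[:3]
        if hostname not in hosts.split(","):
            continue
        if key_type != presented_type:
            # A key of another type is not comparable; treated as unknown here.
            continue
        if base64.b64decode(b64) == presented_blob:
            return "match"
        return "CHANGED"
    return "new"


if __name__ == "__main__":
    print("MD5    ", fingerprint_md5(SAMPLE_KEY_LINE))
    print("SHA256 ", fingerprint_sha256(SAMPLE_KEY_LINE))
    # Constructed known_hosts entry for a placeholder host.
    kh = f"example.test,192.0.2.10 {SAMPLE_KEY_LINE.split()[0]} {SAMPLE_KEY_LINE.split()[1]}\n"
    print(check_known_host(kh, "example.test", SAMPLE_KEY_LINE))   # match
    print(check_known_host(kh, "example.test", OTHER_KEY_LINE))    # CHANGED
```

The constant-time comparison is not needed for fingerprints you read off a card, but it costs nothing and keeps the function safe if it is ever reused on a server side. Note that a "CHANGED" result is exactly what a server upgrade with freshly generated keys produces, so the right response is to obtain the new fingerprint through the same offline channel, not to delete the known_hosts line and reconnect.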
Copyright 2004, Bri Hatch of Onsight, Inc.
Presented at LFNW - LinuxFest Northwest, Bellingham, Washington, Apr 2004
Presentation created using vim and MagicPoint.