Methods for protection – Nortel Networks NN46120-104 User Manual

258

SSH host keys

Methods for Protection

In many environments, it may be reasonable for a SSH client user to
simply accept the key from a previously unknown remote server host when
prompted by the client, but to achieve strict protection against a "man in
the middle" attack against this very first connection, one of these methods
can be used:

•

Verifying the "fingerprint" (as displayed by the client) of the new remote
host key by some out-of-band means (e.g. verbal communication with
the server administrator).
OR

•

Pre-installing the remote host key (previously transferred by some
out-of-band means) in the client’s key storage, i.e. effectively making
the remote host known even before the first connection.

The server administrator also needs to be able to generate new keys
(e.g. at initial configuration, or in case the old ones are believed to be
compromised), and the client user needs to be able to remove remote host
keys that are no longer valid from the client’s key storage (e.g. due to the
server administrator having generated new keys).

Nortel VPN Gateway

User Guide

NN46120-104

02.01

Standard

14 April 2008

Copyright © 2007-2008 Nortel Networks

.