1

If a narrow, trusted channel is needed (for example, there is an usb key to take data between the machines), it is okay.

Although SSH will throw a big error if it tries to connect to a server pretending to be another one (RSA fingerprint wont match), it can't happen if the servers don't know eachother (also they don't know eachothers key as well). In this case - also before the first connection - a MitM attack is possible, AFAIK.

The best were a command sequence on both side, which generates the needed keys on both sides.

peterh
  • 2,958
  • 6
  • 26
  • 32
  • What do you mean? SSH will throw a big error if it tries to connect to a server pretending to be another one (RSA fingerprint wont match) and all SSH traffic is encrypted so an MiTM on an SSH connection wont be able to read or send any data. – user36976 May 22 '14 at 12:21
  • @Nick This is impossible before the first contact between the servers. I cleared my question. – peterh May 22 '14 at 12:25
  • Thats why SSH shows you the RSA fingerprint, some hosts show the fingerprint on the control panel so you can verify it, or if its home hosted simply go to the server and check the key via the command line. – user36976 May 22 '14 at 12:28
  • @Nick Yes, it works, but it can't be automatized. It needs human interaction. Another problem: is theoretically possible to alter the rsa key shown by the server in case of a successful mitm attack. – peterh May 22 '14 at 12:31
  • @AJHenderson Although it is not a perfect answer, there is a big overlap and contains many useful informations. – peterh May 22 '14 at 13:47

1 Answers1

1

If the servers do not know each other then every connection is in theory unsecured. You can have a list of known servers, distribute it in your environment and prevent users from establishing connection with unknown servers.

To further protect yourself, you can add the server's fingerprint to DNS record require additional verification during connection. See this tutorial for an example.

Steven Volckaert
  • 1,193
  • 8
  • 15
Greg
  • 126
  • 1