1

I am aware that running ssh-keyscan on a remote host doesn't prove that the remote host is indeed the one you are trying to connect to, only that it's the same one each time, but what about if I run ssh-keyscan localhost on that host beforehand, and add that info to my known hosts manually?

Is there any way that that can be spoofed too?

What if I do ssh-keyscan 127.0.0.1?

  • I realize that with physical access, one can also run a command on the actual key files, but some installations, like Microsoft's native build of OpenSSH, use nonstandard file locations, and don't necessarily document them, so this seems more straightforward, and consistent – FitzmorrisPR Dec 12 '20 at 06:36
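The manual step the question describes, as an added example that is not part of the original post: it takes keyscan output captured on the server itself (where the host column reads `localhost`), rewrites it into known_hosts entries for the names a client will actually use, and computes each key's SHA256 fingerprint for comparison. The host names `server.example.com` and `192.0.2.10`, the banner line and the key blob are constructed placeholders.

```python
import base64
import hashlib
import struct

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(blob_b64: str) -> str:
    """Read the algorithm name embedded at the start of the key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii")

def rewrite_keyscan(output: str, real_names: list[str]) -> list[tuple[str, str]]:
    """Turn `ssh-keyscan localhost` lines into (known_hosts line, fingerprint)."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # banner/comment lines
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"unexpected keyscan line: {line!r}")
        _scanned_host, key_type, blob = parts[:3]
        # Reject lines whose declared type disagrees with the blob itself.
        if blob_key_type(blob) != key_type:
            raise ValueError(f"key type mismatch in line: {line!r}")
        entries.append((f"{','.join(real_names)} {key_type} {blob}", fingerprint(blob)))
    return entries

def sample_blob() -> str:
    # Constructed sample: a well-formed ssh-ed25519 blob with a dummy 32-byte key.
    name, key = b"ssh-ed25519", bytes(range(32))
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(raw).decode()

# Constructed sample of output captured on the server's own console.
SAMPLE = f"# localhost:22 SSH-2.0-OpenSSH_8.4\nlocalhost ssh-ed25519 {sample_blob()}\n"

if __name__ == "__main__":
    for entry, fp in rewrite_keyscan(SAMPLE, ["server.example.com", "192.0.2.10"]):
        print(entry)
        print("  fingerprint:", fp)
```

The fingerprint string has the same form that `ssh-keygen -lf` prints for a public key file, so it can be checked against what the client shows on first connection.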

0 Answers