@@ -188,15 +188,21 @@ time. The first time a client connects to a particular server, the SSH
188188application warns the user that it has never talked to this machine
189189before and asks if the user wants to continue. Although it is a risky
190190thing to do, because SSH is effectively not able to authenticate the
191- server, users often say “yes” to this question. The SSH application then
192- remembers the server’s public key, and the next time the user connects
193- to that same machine it compares this saved key with the one the server
191+ server, users often say “yes” to this question. This is known as
192+ "Trust on First Use" (TOFU). The SSH application then
193+ remembers the server’s public key; the next time the user connects
194+ to that same machine, it compares this saved key with the one the server
194195responds with. If they are the same, SSH authenticates the server. If
195196they are different, however, the SSH application again warns the user
196197that something is amiss, and the user is then given an opportunity to
197- abort the connection. Alternatively, the prudent user can learn the
198- server’s public key through some out-of-band mechanism, save it on the
199- client machine, and thus never take the “first time” risk.
198+ abort the connection.
199+
200+ As an alternative to trust on first use, the prudent user can learn
201+ the server’s public key through some out-of-band mechanism, save it on
202+ the client machine, and thus never take the “first time” risk. As an
203+ example, there is an option to publish SSH public key fingerprints in
204+ DNS, which then raises the issue of trusting DNS; we return to this
205+ topic in Chapter 8.
200206
201207Once the SSH-TRANS channel exists, the next step is for the user to
202208actually log into the machine, or more specifically, authenticate
0 commit comments