Same host or different? How can you tell "over the wire"?

Rodney W. Grimes freebsd-rwg at pdx.rh.CN85.dnsmgr.net
Thu Mar 22 18:56:32 UTC 2018


> 
> In message <201803220250.w2M2owMf024292 at pdx.rh.CN85.dnsmgr.net>, 
> "Rodney W. Grimes" <freebsd-rwg at pdx.rh.CN85.dnsmgr.net> wrote:
> 
> >You are not going to prove the "control of the exact same Bad Actor"
> >without a warrant to search and seize.
> 
> Well, as someone else noted, if two IP addresses yield the exact same
> SSH key, that is fairly definitive.

Wrong, as someone else pointed out that is simply a matter of
copying the /etc/ssh/*host* key files over to the other host.
This also happens when people clone machines... so is actually
more common than one might think.

You can be pretty sure they are different machines, but you
cannot ascertain they are the same machine with this information.
You can assert nothing about control with this information.

You can be pretty sure they are under the same control, but
not provable.  Anyone with elevated privilege access to A
can copy the /etc/ssh/* files to A'.

> If I planned to be going into a court of law, then yes, a warrant
> would be both appropriate and required.  But going into court is
> not among my goals.
> 
> >> >What you ask I believe could be done, but it is non-trivial and
> >> >would require a very good understanding of both forensics
> >> >and the differing ways that TCP/IP is implemented.
> >> 
> >> I like to think that I am a quick learner.  Please proceed with the
> >> lesson.
> >
> >The rates for lessons in Forensics start at reasonable enough
> >amounts, you can contact me off list if you wish to pursue that.
> 
> Thanks for your support.  As I am doing what I am doing on a volunteer
> (unpaid) basis, I'm afraid that I will not be able to take you up on
> your generous offer.

-- 
Rod Grimes                                                 rgrimes at freebsd.org
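The check the reply is arguing about, as an added example that is not part of the thread: given ssh-keyscan style output for several hosts (constructed here, with documentation-range addresses and made-up key blobs rather than real hosts or keys), compute each host key's SHA256 fingerprint the way ssh-keygen -lf prints it and group hosts that present identical key material, which points at copied or cloned key files rather than proving one machine.

```python
import base64
import hashlib
from collections import defaultdict

def fingerprint(b64_key: str) -> str:
    """Fingerprint in the format 'ssh-keygen -lf' prints: 'SHA256:' plus the
    unpadded base64 of the SHA-256 digest of the decoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_scan(text: str) -> list[tuple[str, str, str]]:
    """Parse 'host keytype base64key' lines as written by ssh-keyscan,
    skipping its '# host:port banner' comment lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        host, keytype, b64_key = fields[:3]
        records.append((host, keytype, fingerprint(b64_key)))
    return records

def shared_host_keys(text: str) -> dict[str, list[str]]:
    """Map each fingerprint seen on more than one host to those hosts (sorted).
    A match only shows the same key material was installed on both, e.g. copied
    /etc/ssh/ssh_host_* files or a cloned image; it does not show one machine."""
    by_fp = defaultdict(set)
    for host, _keytype, fp in parse_scan(text):
        by_fp[fp].add(host)
    return {fp: sorted(h) for fp, h in by_fp.items() if len(h) > 1}

def fake_scan_line(host: str, blob: bytes) -> str:
    """One constructed ssh-keyscan style line; the key blob is made up."""
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

# Constructed sample using documentation-range addresses and made-up blobs:
# 192.0.2.10 and 192.0.2.11 present the same key, 198.51.100.7 a different one.
SAMPLE_SCAN = "\n".join([
    "# 192.0.2.10:22 SSH-2.0-OpenSSH_7.5",
    fake_scan_line("192.0.2.10", b"constructed-host-key-A"),
    fake_scan_line("192.0.2.11", b"constructed-host-key-A"),
    fake_scan_line("198.51.100.7", b"constructed-host-key-B"),
])

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{fp} shared by {', '.join(hosts)}: same key files, not proof of one host")
```

Different fingerprints for two addresses are the informative outcome here (different key material, so very likely different machines); identical ones say only that the key files were shared.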

