-Everyone who has used secure shell is familiar with the prompt given the first
-time you login, asking if you want to trust the server's fingerprint. In
-addition, many of us take advantage of OpenSSH's ability to use RSA or DSA keys
-for authenticating to a server, rather than relying on a password exchange.
-
-[OpenSSH](http://openssh.com/) already provides a functional way for managing
-the RSA and DSA keys required for these interactions. However, it lacks any
+Everyone who has used secure shell is familiar with the prompt given
+the first time you log in to a new server, asking if you want to trust
+the server's key by verifying the key fingerprint. Unfortunately,
+unless you have access to the server's key fingerprint through a
+secure out-of-band channel, there is no way to verify that the
+fingerprint you are presented with is in fact that of the server your
+really trying to connect to.
+
+Many users also take advantage of OpenSSH's ability to use RSA or DSA
+keys for authenticating to a server (known as
+"`PubkeyAuthentication`"), rather than relying on a password exchange.
+But again, the public part of the key needs to be transmitted to the
+server through a secure out-of-band channel (usually via a separate
+password-based SSH connection or a (hopefully signed) e-mail to the
+system administrator) in order for this type of authentication to
+work.
+
+[OpenSSH](http://openssh.com/) currently provides a functional way to
+manage the RSA and DSA keys required for these interactions through
+the `known_hosts` and `authorized_keys` files. However, it lacks any