On Wed, Sep 17, 2008 at 08:49:43AM +0200, roland wrote: > On Tue, 16 Sep 2008 22:19:51 +0200, Nifty Fedora Mitch > <niftyfedora@xxxxxxxxxxxx> wrote: >> On Tue, Sep 16, 2008 at 11:30:14AM +0200, roland wrote: >>> >>> I am using a terminalemulator Anita to login to a server, who validates >>> the ssh connection with 3DES Cipher. >>> ,,,,, > How does ssh checks keys. I am asking this because anita fails before she > knows who is login in. So if she takes the login of windows which is > mine, she would login or check in $HOME/.ssh. And in $HOME there is no > .ssh2, so probably there will be checked in /etc/ssh/ for dsa and rsa > keys. So if I remove those keys, would that change it? Do contact the Anita authors..... you paid for their product. Background reading http://www.openssh.com/ AND "man ssh; man sshd". In general for ssh: There is a set of system key pairs on the host. /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub And a set of user key pairs on your laptop/ desktop. On linux these are here... on Windows Anita I do not know. ~/.ssh/id_dsa ~/.ssh/id_dsa.pub When connecting to a host there is an initial handshake that involves the host itself and the hosts key pair. The signatures of known hosts are cached in the "known_hosts" file and is used to establish the initial transport layer and establishes ongoing validation of the host. This involves the host keys on the server and the known_hosts file on your laptop. Anita has a known_hosts equivalent file someplace. If the host keys change (on purpose) you need to update this cache. Following the initial transport layer setup is the user authentication layer. It involves the key pair (id_dsa) on your laptop. Optionally it can involve the authorized_keys file on the server which can contain the public half of the key pair (id_dsa.pub only the public half). It is possible to use password authentication over the secure channel setup in the transport layer step if the administrator allows it. The secure link involves the HOST keys. $ ls -l ~/.ssh total 52 -rw------- 1 mitch mitch 8115 2008-09-14 22:39 authorized_keysb -rw------- 1 mitch mitch 387 2008-09-14 22:39 config -rw------- 1 mitch mitch 744 2008-09-14 22:39 id_dsa -rw-r--r-- 1 mitch mitch 946 2008-09-15 11:18 id_dsa.keystore -rw------- 1 mitch mitch 615 2008-09-14 22:39 id_dsa.pub -rw-r--r-- 1 mitch mitch 8758 2008-09-15 14:09 known_hosts If the hosts key pair is compromized it needs to be regenerated. Anyone with the pair can do stuff. If you look at /etc/init.d/sshd on the host you should see code that checks for and if needed generates the key pairs. I have not tried it remotly but if you remove /etc/ssh_host_dsa* and rerun /etc/init.d/sshd you should have a new pair. In addition you will see rsa keys. $ ls /etc/ssh/*rs* /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub These rsa keys also need to be replaced in the same way if the host has been compromized. There are three perhaps four key pairs that must be managed. The host dsa and rsa key pair and personal dsa keys. If you have an rsa keypair it may also need to be replaced. Since your keys are used for root access you MUST have a local lock phrase. If you remove the keypair from the host -- # rm *key* rm: remove regular file `ssh_host_dsa_key'? y rm: remove regular file `ssh_host_dsa_key.pub'? y rm: remove regular file `ssh_host_key'? y rm: remove regular file `ssh_host_key.pub'? y rm: remove regular file `ssh_host_rsa_key'? y rm: remove regular file `ssh_host_rsa_key.pub'? y With the keys missing you will see an error. $ ssh boxtotest ssh_exchange_identification: Connection closed by remote host Now to rekey the server box (on the server). # /etc/init.d/sshd restart Stopping sshd: [ OK ] Generating SSH1 RSA host key: [ OK ] Generating SSH2 RSA host key: [ OK ] Generating SSH2 DSA host key: [ OK ] Starting sshd: [ OK ] Now to reconnect... (I am tinkering on a single box). $ ssh localhost The authenticity of host 'localhost (127.0.0.1)' can't be established. RSA key fingerprint is f7:53:8a:b7:a1:82:97:26:76:21:bd:74:85:d1:4e:67. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'localhost' (RSA) to the list of known hosts. N.B. (Note well) the new fingerprint the "are you sure" question and that it is Perminently added to the list of known hosts. SSH1 connections should be disallowed in your sshd config file. see /etc/ssh/sshd_config as well as your personal ssh config. -- T o m M i t c h e l l Found me a new hat, now what? -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
