Re: ssh2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 18 Sep 2008 00:30:17 +0200, Nifty Fedora Mitch <niftyfedora@xxxxxxxxxxxx> wrote:

On Wed, Sep 17, 2008 at 08:49:43AM +0200, roland wrote:
On Tue, 16 Sep 2008 22:19:51 +0200, Nifty Fedora Mitch
<niftyfedora@xxxxxxxxxxxx> wrote:
On Tue, Sep 16, 2008 at 11:30:14AM +0200, roland wrote:

I am using a terminalemulator Anita to login to a server, who validates
the ssh connection with 3DES Cipher.

,,,,,

How does ssh checks keys. I am asking this because anita fails before she
knows who is login in. So if she takes the login of windows which is
mine, she would login or check in $HOME/.ssh. And in $HOME there is no
.ssh2, so probably there will be checked in /etc/ssh/ for dsa and rsa
keys. So if I remove those keys, would that change it?

Do contact the Anita authors.....  you paid for their product.

Background reading http://www.openssh.com/   AND "man ssh; man sshd".


In general for ssh:

There is a set of system key pairs on the host.
   /etc/ssh/ssh_host_dsa_key
   /etc/ssh/ssh_host_dsa_key.pub

And a set of user key pairs on your laptop/ desktop. On linux these are
here... on Windows Anita I do not know.

    ~/.ssh/id_dsa
    ~/.ssh/id_dsa.pub

When connecting to a host there is an initial handshake that involves
the host itself and the hosts key pair.  The signatures of known
hosts are cached in the "known_hosts" file and is used to establish the
initial transport layer and establishes ongoing validation of the host.
This involves the host keys on the server and the known_hosts file on
your laptop.  Anita has a known_hosts equivalent file someplace.  If
the host keys change (on purpose) you need to update this cache.

Following the initial transport layer setup is the user authentication
layer.  It involves the key pair (id_dsa) on your laptop.  Optionally it
can involve the authorized_keys file on the server which can contain
the public half of the key pair (id_dsa.pub only the public half). It is possible to use
password authentication over the  secure channel setup in the transport
layer step if the administrator allows it. The secure link involves the HOST keys.

    $ ls -l  ~/.ssh
    total 52
    -rw------- 1 mitch mitch 8115 2008-09-14 22:39 authorized_keysb
    -rw------- 1 mitch mitch  387 2008-09-14 22:39 config
    -rw------- 1 mitch mitch  744 2008-09-14 22:39 id_dsa
    -rw-r--r-- 1 mitch mitch  946 2008-09-15 11:18 id_dsa.keystore
    -rw------- 1 mitch mitch  615 2008-09-14 22:39 id_dsa.pub
    -rw-r--r-- 1 mitch mitch 8758 2008-09-15 14:09 known_hosts

If the hosts  key pair is compromized it needs to be regenerated.
Anyone with the pair can do stuff.   If you look at /etc/init.d/sshd
on the host you should see code that checks for and if needed generates
the key pairs. I have not tried it remotly but if you remove /etc/ssh_host_dsa*
and rerun /etc/init.d/sshd you should have a new pair.   In addition
you will see rsa keys.

    $ ls /etc/ssh/*rs*
    /etc/ssh/ssh_host_rsa_key  /etc/ssh/ssh_host_rsa_key.pub

These rsa keys also need to be replaced in the same way if the host has been compromized.

There are three perhaps four key pairs that must be  managed.  The host
dsa and rsa key pair and personal dsa keys.  If you have an rsa keypair
it may also need to be replaced. Since your keys are used for root access
you MUST have a local lock phrase.

If you remove the keypair from the host --
	# rm *key*
	rm: remove regular file `ssh_host_dsa_key'? y
	rm: remove regular file `ssh_host_dsa_key.pub'? y
	rm: remove regular file `ssh_host_key'? y
	rm: remove regular file `ssh_host_key.pub'? y
	rm: remove regular file `ssh_host_rsa_key'? y
	rm: remove regular file `ssh_host_rsa_key.pub'? y
With the keys missing you will see an error.
	$ ssh boxtotest
	ssh_exchange_identification: Connection closed by remote host

Now to rekey the server box (on the server).
	# /etc/init.d/sshd restart
	Stopping sshd:                                             [  OK  ]
	Generating SSH1 RSA host key:                              [  OK  ]
	Generating SSH2 RSA host key:                              [  OK  ]
	Generating SSH2 DSA host key:                              [  OK  ]
	Starting sshd:                                             [  OK  ]

Now to reconnect... (I am tinkering on a single box).
	$ ssh localhost
	The authenticity of host 'localhost (127.0.0.1)' can't be established.
	RSA key fingerprint is f7:53:8a:b7:a1:82:97:26:76:21:bd:74:85:d1:4e:67.
	Are you sure you want to continue connecting (yes/no)? yes
	Warning: Permanently added 'localhost' (RSA) to the list of known hosts.

N.B. (Note well) the new fingerprint the "are you sure" question and that it is
     Perminently added to the list of known hosts.

SSH1 connections should be disallowed in your sshd config file.
see /etc/ssh/sshd_config as well as your personal ssh config.


Waw, this is a very exhaustive answer, and I thank you very much for this.

How will have to do some reading.
One thing is for sure, I find the known-hosts in de userdir on windows but there are no entries added and I do not find anywhere the dsa or rsa or whatever keys.

I removed all the keys in /etc/ssh/ and
indeed the keys were recreated.

But Anita continues this difficulty and Putty never did.
Must have to do something with this 3DES.

I don't understand how Putty can login because there aren't any entries in known_hosts under windows which are referring to the hosts I'm logging into. ???

Must be a Bill Gates miracle.

I thank you very much and if I find something worth writing about I will get back to this.

--
Roland Brouwers
C.A.T. bvba
B-2660 Antwerpen
Tel: +32 3 830 3305
Mob: +32 475 443105

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux