On Thu, 18 Sep 2008 00:30:17 +0200, Nifty Fedora Mitch
<niftyfedora@xxxxxxxxxxxx> wrote:
On Wed, Sep 17, 2008 at 08:49:43AM +0200, roland wrote:
On Tue, 16 Sep 2008 22:19:51 +0200, Nifty Fedora Mitch
<niftyfedora@xxxxxxxxxxxx> wrote:
On Tue, Sep 16, 2008 at 11:30:14AM +0200, roland wrote:
I am using a terminalemulator Anita to login to a server, who
validates
the ssh connection with 3DES Cipher.
,,,,,
How does ssh checks keys. I am asking this because anita fails before
she
knows who is login in. So if she takes the login of windows which is
mine, she would login or check in $HOME/.ssh. And in $HOME there is no
.ssh2, so probably there will be checked in /etc/ssh/ for dsa and rsa
keys. So if I remove those keys, would that change it?
Do contact the Anita authors..... you paid for their product.
Background reading http://www.openssh.com/ AND "man ssh; man sshd".
In general for ssh:
There is a set of system key pairs on the host.
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
And a set of user key pairs on your laptop/ desktop. On linux these are
here... on Windows Anita I do not know.
~/.ssh/id_dsa
~/.ssh/id_dsa.pub
When connecting to a host there is an initial handshake that involves
the host itself and the hosts key pair. The signatures of known
hosts are cached in the "known_hosts" file and is used to establish the
initial transport layer and establishes ongoing validation of the host.
This involves the host keys on the server and the known_hosts file on
your laptop. Anita has a known_hosts equivalent file someplace. If
the host keys change (on purpose) you need to update this cache.
Following the initial transport layer setup is the user authentication
layer. It involves the key pair (id_dsa) on your laptop. Optionally it
can involve the authorized_keys file on the server which can contain
the public half of the key pair (id_dsa.pub only the public half). It
is possible to use
password authentication over the secure channel setup in the transport
layer step if the administrator allows it. The secure link involves the
HOST keys.
$ ls -l ~/.ssh
total 52
-rw------- 1 mitch mitch 8115 2008-09-14 22:39 authorized_keysb
-rw------- 1 mitch mitch 387 2008-09-14 22:39 config
-rw------- 1 mitch mitch 744 2008-09-14 22:39 id_dsa
-rw-r--r-- 1 mitch mitch 946 2008-09-15 11:18 id_dsa.keystore
-rw------- 1 mitch mitch 615 2008-09-14 22:39 id_dsa.pub
-rw-r--r-- 1 mitch mitch 8758 2008-09-15 14:09 known_hosts
If the hosts key pair is compromized it needs to be regenerated.
Anyone with the pair can do stuff. If you look at /etc/init.d/sshd
on the host you should see code that checks for and if needed generates
the key pairs. I have not tried it remotly but if you remove
/etc/ssh_host_dsa*
and rerun /etc/init.d/sshd you should have a new pair. In addition
you will see rsa keys.
$ ls /etc/ssh/*rs*
/etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
These rsa keys also need to be replaced in the same way if the host has
been compromized.
There are three perhaps four key pairs that must be managed. The host
dsa and rsa key pair and personal dsa keys. If you have an rsa keypair
it may also need to be replaced. Since your keys are used for root
access
you MUST have a local lock phrase.
If you remove the keypair from the host --
# rm *key*
rm: remove regular file `ssh_host_dsa_key'? y
rm: remove regular file `ssh_host_dsa_key.pub'? y
rm: remove regular file `ssh_host_key'? y
rm: remove regular file `ssh_host_key.pub'? y
rm: remove regular file `ssh_host_rsa_key'? y
rm: remove regular file `ssh_host_rsa_key.pub'? y
With the keys missing you will see an error.
$ ssh boxtotest
ssh_exchange_identification: Connection closed by remote host
Now to rekey the server box (on the server).
# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Generating SSH1 RSA host key: [ OK ]
Generating SSH2 RSA host key: [ OK ]
Generating SSH2 DSA host key: [ OK ]
Starting sshd: [ OK ]
Now to reconnect... (I am tinkering on a single box).
$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is f7:53:8a:b7:a1:82:97:26:76:21:bd:74:85:d1:4e:67.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
N.B. (Note well) the new fingerprint the "are you sure" question and
that it is
Perminently added to the list of known hosts.
SSH1 connections should be disallowed in your sshd config file.
see /etc/ssh/sshd_config as well as your personal ssh config.
Waw, this is a very exhaustive answer, and I thank you very much for this.
How will have to do some reading.
One thing is for sure, I find the known-hosts in de userdir on windows but
there are no entries added and I do not find anywhere the dsa or rsa or
whatever keys.
I removed all the keys in /etc/ssh/ and
indeed the keys were recreated.
But Anita continues this difficulty and Putty never did.
Must have to do something with this 3DES.
I don't understand how Putty can login because there aren't any entries in
known_hosts under windows which are referring to the hosts I'm logging
into. ???
Must be a Bill Gates miracle.
I thank you very much and if I find something worth writing about I will
get back to this.
--
Roland Brouwers
C.A.T. bvba
B-2660 Antwerpen
Tel: +32 3 830 3305
Mob: +32 475 443105
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines