ssh2
roland
roland at cat.be
Thu Sep 18 11:45:14 UTC 2008
On Thu, 18 Sep 2008 00:30:17 +0200, Nifty Fedora Mitch
<niftyfedora at niftyegg.com> wrote:
> On Wed, Sep 17, 2008 at 08:49:43AM +0200, roland wrote:
>> On Tue, 16 Sep 2008 22:19:51 +0200, Nifty Fedora Mitch
>> <niftyfedora at niftyegg.com> wrote:
>>> On Tue, Sep 16, 2008 at 11:30:14AM +0200, roland wrote:
>>>>
>>>> I am using a terminal emulator, Anita, to log in to a server, which
>>>> validates the ssh connection with the 3DES cipher.
>>>>
> ,,,,,
>
>> How does ssh check keys? I am asking this because Anita fails before
>> she knows who is logging in. So if she takes the Windows login, which is
>> mine, she would log in or check in $HOME/.ssh. And in $HOME there is no
>> .ssh2, so probably /etc/ssh/ will be checked for dsa and rsa
>> keys. So if I remove those keys, would that change it?
>
> Do contact the Anita authors..... you paid for their product.
>
> Background reading http://www.openssh.com/ AND "man ssh; man sshd".
>
>
> In general for ssh:
>
> There is a set of system key pairs on the host.
> /etc/ssh/ssh_host_dsa_key
> /etc/ssh/ssh_host_dsa_key.pub
>
> And a set of user key pairs on your laptop/ desktop. On linux these are
> here... on Windows Anita I do not know.
>
> ~/.ssh/id_dsa
> ~/.ssh/id_dsa.pub
>
> When connecting to a host there is an initial handshake that involves
> the host itself and the host's key pair. The signatures of known
> hosts are cached in the "known_hosts" file and are used to establish the
> initial transport layer and ongoing validation of the host.
> This involves the host keys on the server and the known_hosts file on
> your laptop. Anita has a known_hosts equivalent file someplace. If
> the host keys change (on purpose) you need to update this cache.
>
> Following the initial transport layer setup is the user authentication
> layer. It involves the key pair (id_dsa) on your laptop. Optionally it
> can involve the authorized_keys file on the server, which can contain
> the public half of the key pair (id_dsa.pub, only the public half). It
> is possible to use password authentication over the secure channel set up
> in the transport layer step if the administrator allows it. The secure
> link involves the HOST keys.
>
> $ ls -l ~/.ssh
> total 52
> -rw------- 1 mitch mitch 8115 2008-09-14 22:39 authorized_keysb
> -rw------- 1 mitch mitch 387 2008-09-14 22:39 config
> -rw------- 1 mitch mitch 744 2008-09-14 22:39 id_dsa
> -rw-r--r-- 1 mitch mitch 946 2008-09-15 11:18 id_dsa.keystore
> -rw------- 1 mitch mitch 615 2008-09-14 22:39 id_dsa.pub
> -rw-r--r-- 1 mitch mitch 8758 2008-09-15 14:09 known_hosts
>
> If the host's key pair is compromised it needs to be regenerated.
> Anyone with the pair can do stuff. If you look at /etc/init.d/sshd
> on the host you should see code that checks for and if needed generates
> the key pairs. I have not tried it remotely but if you remove
> /etc/ssh_host_dsa* and rerun /etc/init.d/sshd you should have a new
> pair. In addition you will see rsa keys.
>
> $ ls /etc/ssh/*rs*
> /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
>
> These rsa keys also need to be replaced in the same way if the host has
> been compromised.
>
> There are three, perhaps four, key pairs that must be managed: the host
> dsa and rsa key pairs and the personal dsa keys. If you have an rsa keypair
> it may also need to be replaced. Since your keys are used for root
> access you MUST have a local lock phrase.
>
> If you remove the keypair from the host --
> # rm *key*
> rm: remove regular file `ssh_host_dsa_key'? y
> rm: remove regular file `ssh_host_dsa_key.pub'? y
> rm: remove regular file `ssh_host_key'? y
> rm: remove regular file `ssh_host_key.pub'? y
> rm: remove regular file `ssh_host_rsa_key'? y
> rm: remove regular file `ssh_host_rsa_key.pub'? y
> With the keys missing you will see an error.
> $ ssh boxtotest
> ssh_exchange_identification: Connection closed by remote host
>
> Now to rekey the server box (on the server).
> # /etc/init.d/sshd restart
> Stopping sshd: [ OK ]
> Generating SSH1 RSA host key: [ OK ]
> Generating SSH2 RSA host key: [ OK ]
> Generating SSH2 DSA host key: [ OK ]
> Starting sshd: [ OK ]
>
> Now to reconnect... (I am tinkering on a single box).
> $ ssh localhost
> The authenticity of host 'localhost (127.0.0.1)' can't be established.
> RSA key fingerprint is f7:53:8a:b7:a1:82:97:26:76:21:bd:74:85:d1:4e:67.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
>
> N.B. (Note well) the new fingerprint, the "are you sure" question and
> that it is permanently added to the list of known hosts.
>
> SSH1 connections should be disallowed in your sshd config file.
> See /etc/ssh/sshd_config as well as your personal ssh config.
>
>
Wow, this is a very exhaustive answer, and I thank you very much for this.
Now I will have to do some reading.
One thing is for sure: I find the known_hosts in the user dir on Windows but
there are no entries added and I do not find anywhere the dsa or rsa or
whatever keys.
I removed all the keys in /etc/ssh/ and indeed the keys were recreated.
But Anita continues this difficulty and PuTTY never did.
Must have to do something with this 3DES.
I don't understand how PuTTY can log in because there aren't any entries in
known_hosts under Windows which are referring to the hosts I'm logging
into. ???
Must be a Bill Gates miracle.
I thank you very much and if I find something worth writing about I will
get back to this.
--
Roland Brouwers
C.A.T. bvba
B-2660 Antwerpen
Tel: +32 3 830 3305
Mob: +32 475 443105
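The host-key check described in the reply above (known_hosts caching, the "authenticity can't be established" prompt after rekeying, and the MD5 colon fingerprint) as an added example, not code from the thread or from OpenSSH. It classifies a presented host key against a known_hosts file, including entries in OpenSSH's hashed `|1|salt|hmac` form; the sample keys are constructed byte strings rather than real ssh-rsa encodings, and `[host]:port` or wildcard host patterns are not handled.

```python
import base64
import hashlib
import hmac

def md5_fingerprint(key_b64: str) -> str:
    """Colon-separated MD5 of the decoded key blob, the form ssh printed in 2008 (f7:53:8a:...)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(base64.b64decode(key_b64)).digest())

def hashed_host(host: str, salt: bytes) -> str:
    """known_hosts host field in HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern: str, host: str) -> bool:
    """Plain entries list names separated by commas; hashed entries need the HMAC recomputed."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")  # wildcard and [host]:port forms are not handled here

def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Classify a presented host key as the client does: 'match', 'changed' or 'unknown'.
    'unknown' gives the "authenticity can't be established" prompt seen in the thread;
    'changed' must be treated as a possible man-in-the-middle unless the host was really rekeyed."""
    seen_host = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#"):
            continue
        if not host_matches(fields[0], host) or fields[1] != key_type:
            continue
        seen_host = True  # an entry for this host and key type exists
        if fields[2] == key_b64:
            return "match"
    return "changed" if seen_host else "unknown"

# Constructed sample data: the "keys" are arbitrary bytes, not real RSA keys.
OLD_KEY = base64.b64encode(b"constructed host key before rekeying").decode()
NEW_KEY = base64.b64encode(b"constructed host key after rekeying").decode()
KNOWN_HOSTS = "\n".join([
    "localhost,127.0.0.1 ssh-rsa " + OLD_KEY,
    hashed_host("boxtotest", b"constructed-salt-bytes") + " ssh-rsa " + OLD_KEY,
])
```

After the rekeying shown in the thread, the server presents `NEW_KEY` and the check returns `changed`, which is the case to verify out of band before updating the cache.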