ssh2

Nifty Fedora Mitch niftyfedora at niftyegg.com
Wed Sep 17 22:30:17 UTC 2008 

On Wed, Sep 17, 2008 at 08:49:43AM +0200, roland wrote:
> On Tue, 16 Sep 2008 22:19:51 +0200, Nifty Fedora Mitch  
> <niftyfedora at niftyegg.com> wrote:
>> On Tue, Sep 16, 2008 at 11:30:14AM +0200, roland wrote:
>>>
>>> I am using a terminalemulator Anita to login to a server, who validates
>>> the ssh connection with 3DES Cipher.
>>>
,,,,,

> How does ssh checks keys. I am asking this because anita fails before she 
> knows who is login in. So if she takes the login of windows which is 
> mine, she would login or check in $HOME/.ssh. And in $HOME there is no 
> .ssh2, so probably there will be checked in /etc/ssh/ for dsa and rsa 
> keys. So if I remove those keys, would that change it?

Do contact the Anita authors.....  you paid for their product.

Background reading http://www.openssh.com/   AND "man ssh; man sshd".


In general for ssh:

There is a set of system key pairs on the host.
   /etc/ssh/ssh_host_dsa_key
   /etc/ssh/ssh_host_dsa_key.pub

And a set of user key pairs on your laptop/ desktop. On linux these are
here... on Windows Anita I do not know.

    ~/.ssh/id_dsa
    ~/.ssh/id_dsa.pub

When connecting to a host there is an initial handshake that involves
the host itself and the hosts key pair.  The signatures of known
hosts are cached in the "known_hosts" file and is used to establish the
initial transport layer and establishes ongoing validation of the host.
This involves the host keys on the server and the known_hosts file on
your laptop.  Anita has a known_hosts equivalent file someplace.  If 
the host keys change (on purpose) you need to update this cache.

Following the initial transport layer setup is the user authentication
layer.  It involves the key pair (id_dsa) on your laptop.  Optionally it
can involve the authorized_keys file on the server which can contain
the public half of the key pair (id_dsa.pub only the public half).  It is possible to use
password authentication over the  secure channel setup in the transport
layer step if the administrator allows it.  The secure link involves the HOST keys.

    $ ls -l  ~/.ssh
    total 52
    -rw------- 1 mitch mitch 8115 2008-09-14 22:39 authorized_keysb
    -rw------- 1 mitch mitch  387 2008-09-14 22:39 config
    -rw------- 1 mitch mitch  744 2008-09-14 22:39 id_dsa
    -rw-r--r-- 1 mitch mitch  946 2008-09-15 11:18 id_dsa.keystore
    -rw------- 1 mitch mitch  615 2008-09-14 22:39 id_dsa.pub
    -rw-r--r-- 1 mitch mitch 8758 2008-09-15 14:09 known_hosts

If the hosts  key pair is compromized it needs to be regenerated.
Anyone with the pair can do stuff.   If you look at /etc/init.d/sshd
on the host you should see code that checks for and if needed generates
the key pairs.  I have not tried it remotly but if you remove /etc/ssh_host_dsa*
and rerun /etc/init.d/sshd you should have a new pair.   In addition
you will see rsa keys.

    $ ls /etc/ssh/*rs*
    /etc/ssh/ssh_host_rsa_key  /etc/ssh/ssh_host_rsa_key.pub

These rsa keys also need to be replaced in the same way if the host has been compromized.

There are three perhaps four key pairs that must be  managed.  The host
dsa and rsa key pair and personal dsa keys.  If you have an rsa keypair
it may also need to be replaced.   Since your keys are used for root access
you MUST have a local lock phrase.

If you remove the keypair from the host --
	# rm *key*
	rm: remove regular file `ssh_host_dsa_key'? y
	rm: remove regular file `ssh_host_dsa_key.pub'? y
	rm: remove regular file `ssh_host_key'? y
	rm: remove regular file `ssh_host_key.pub'? y
	rm: remove regular file `ssh_host_rsa_key'? y
	rm: remove regular file `ssh_host_rsa_key.pub'? y
 
With the keys missing you will see an error.
	$ ssh boxtotest
	ssh_exchange_identification: Connection closed by remote host

Now to rekey the server box (on the server).
	# /etc/init.d/sshd restart
	Stopping sshd:                                             [  OK  ]
	Generating SSH1 RSA host key:                              [  OK  ]
	Generating SSH2 RSA host key:                              [  OK  ]
	Generating SSH2 DSA host key:                              [  OK  ]
	Starting sshd:                                             [  OK  ]

Now to reconnect... (I am tinkering on a single box).
	$ ssh localhost
	The authenticity of host 'localhost (127.0.0.1)' can't be established.
	RSA key fingerprint is f7:53:8a:b7:a1:82:97:26:76:21:bd:74:85:d1:4e:67.
	Are you sure you want to continue connecting (yes/no)? yes
	Warning: Permanently added 'localhost' (RSA) to the list of known hosts.

N.B. (Note well) the new fingerprint the "are you sure" question and that it is 
     Perminently added to the list of known hosts.

SSH1 connections should be disallowed in your sshd config file.
see /etc/ssh/sshd_config as well as your personal ssh config.


-- 
	T o m  M i t c h e l l 
	Found me a new hat, now what?

More information about the fedora-list mailing list