ssh2

roland roland at cat.be
Thu Sep 18 11:45:14 UTC 2008


On Thu, 18 Sep 2008 00:30:17 +0200, Nifty Fedora Mitch  
<niftyfedora at niftyegg.com> wrote:

> On Wed, Sep 17, 2008 at 08:49:43AM +0200, roland wrote:
>> On Tue, 16 Sep 2008 22:19:51 +0200, Nifty Fedora Mitch
>> <niftyfedora at niftyegg.com> wrote:
>>> On Tue, Sep 16, 2008 at 11:30:14AM +0200, roland wrote:
>>>>
>>>> I am using a terminal emulator, Anita, to log in to a server which
>>>> validates the ssh connection with the 3DES cipher.
>>>>
> ,,,,,
>
>> How does ssh check keys? I am asking this because Anita fails before
>> she knows who is logging in. So if she takes the login of Windows, which is
>> mine, she would log in or check in $HOME/.ssh. And in $HOME there is no
>> .ssh2, so probably it will check in /etc/ssh/ for dsa and rsa
>> keys. So if I remove those keys, would that change it?
>
> Do contact the Anita authors.....  you paid for their product.
>
> Background reading http://www.openssh.com/   AND "man ssh; man sshd".
>
>
> In general for ssh:
>
> There is a set of system key pairs on the host.
>    /etc/ssh/ssh_host_dsa_key
>    /etc/ssh/ssh_host_dsa_key.pub
>
> And a set of user key pairs on your laptop/ desktop. On linux these are
> here... on Windows Anita I do not know.
>
>     ~/.ssh/id_dsa
>     ~/.ssh/id_dsa.pub
>
> When connecting to a host there is an initial handshake that involves
> the host itself and the host's key pair.  The signatures of known
> hosts are cached in the "known_hosts" file and are used to establish the
> initial transport layer and ongoing validation of the host.
> This involves the host keys on the server and the known_hosts file on
> your laptop.  Anita has a known_hosts equivalent file someplace.  If
> the host keys change (on purpose) you need to update this cache.
>
> Following the initial transport layer setup is the user authentication
> layer.  It involves the key pair (id_dsa) on your laptop.  Optionally it
> can involve the authorized_keys file on the server which can contain
> the public half of the key pair (id_dsa.pub only the public half).  It  
> is possible to use
> password authentication over the  secure channel setup in the transport
> layer step if the administrator allows it.  The secure link involves the  
> HOST keys.
>
>     $ ls -l  ~/.ssh
>     total 52
>     -rw------- 1 mitch mitch 8115 2008-09-14 22:39 authorized_keysb
>     -rw------- 1 mitch mitch  387 2008-09-14 22:39 config
>     -rw------- 1 mitch mitch  744 2008-09-14 22:39 id_dsa
>     -rw-r--r-- 1 mitch mitch  946 2008-09-15 11:18 id_dsa.keystore
>     -rw------- 1 mitch mitch  615 2008-09-14 22:39 id_dsa.pub
>     -rw-r--r-- 1 mitch mitch 8758 2008-09-15 14:09 known_hosts
>
> If the host's key pair is compromised it needs to be regenerated.
> Anyone with the pair can do stuff.   If you look at /etc/init.d/sshd
> on the host you should see code that checks for and if needed generates
> the key pairs.  I have not tried it remotely but if you remove
> /etc/ssh_host_dsa* and rerun /etc/init.d/sshd you should have a new
> pair.   In addition you will see rsa keys.
>
>     $ ls /etc/ssh/*rs*
>     /etc/ssh/ssh_host_rsa_key  /etc/ssh/ssh_host_rsa_key.pub
>
> These rsa keys also need to be replaced in the same way if the host has
> been compromised.
>
> There are three, perhaps four, key pairs that must be managed.  The host
> dsa and rsa key pairs and personal dsa keys.  If you have an rsa keypair
> it may also need to be replaced.   Since your keys are used for root
> access you MUST have a local lock phrase.
>
> If you remove the keypair from the host --
> 	# rm *key*
> 	rm: remove regular file `ssh_host_dsa_key'? y
> 	rm: remove regular file `ssh_host_dsa_key.pub'? y
> 	rm: remove regular file `ssh_host_key'? y
> 	rm: remove regular file `ssh_host_key.pub'? y
> 	rm: remove regular file `ssh_host_rsa_key'? y
> 	rm: remove regular file `ssh_host_rsa_key.pub'? y
> With the keys missing you will see an error.
> 	$ ssh boxtotest
> 	ssh_exchange_identification: Connection closed by remote host
>
> Now to rekey the server box (on the server).
> 	# /etc/init.d/sshd restart
> 	Stopping sshd:                                             [  OK  ]
> 	Generating SSH1 RSA host key:                              [  OK  ]
> 	Generating SSH2 RSA host key:                              [  OK  ]
> 	Generating SSH2 DSA host key:                              [  OK  ]
> 	Starting sshd:                                             [  OK  ]
>
> Now to reconnect... (I am tinkering on a single box).
> 	$ ssh localhost
> 	The authenticity of host 'localhost (127.0.0.1)' can't be established.
> 	RSA key fingerprint is f7:53:8a:b7:a1:82:97:26:76:21:bd:74:85:d1:4e:67.
> 	Are you sure you want to continue connecting (yes/no)? yes
> 	Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
>
> N.B. (Note well) the new fingerprint, the "are you sure" question and
>      that it is permanently added to the list of known hosts.
>
> SSH1 connections should be disallowed in your sshd config file.
> see /etc/ssh/sshd_config as well as your personal ssh config.
>
>
Wow, this is a very exhaustive answer, and I thank you very much for it.

I will have to do some reading.
One thing is for sure: I find the known_hosts in the user dir on Windows, but
there are no entries added and I do not find the dsa or rsa or
whatever keys anywhere.

I removed all the keys in /etc/ssh/ and
indeed the keys were recreated.

But Anita continues to have this difficulty and PuTTY never did.
It must have something to do with this 3DES.

I don't understand how PuTTY can log in, because there aren't any entries in
known_hosts under Windows which refer to the hosts I'm logging
into. ???

Must be a Bill Gates miracle.

I thank you very much and if I find something worth writing about I will  
get back to this.

-- 
Roland Brouwers
C.A.T. bvba
B-2660 Antwerpen
Tel: +32 3 830 3305
Mob: +32 475 443105
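The host-key check the thread walks through (the "authenticity can't be established" prompt, the fingerprint, the known_hosts cache, and what a stale cached entry looks like after the server's host keys are regenerated), as an added example that is not part of the thread or of OpenSSH. It builds a constructed, deliberately tiny ssh-rsa key (not real key material), computes the colon-separated MD5 fingerprint older clients print, as in the transcript above, and the SHA256 form current clients print, and classifies the key a host offers against a constructed known_hosts file. It goes beyond the thread in handling hashed (HashKnownHosts) entries and @revoked markers. The function names, the constants OLD_KEY, NEW_KEY and SAMPLE_KNOWN_HOSTS, and the hosts boxtotest, hashed.example and oldserver are the example's own.

```python
"""known_hosts and host-key fingerprint checks, done the way ssh(1) does them.

Added example, not code from the thread or from OpenSSH.  All key material
and known_hosts lines below are constructed inline for illustration only.
"""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian, leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def rsa_public_key_line(e: int, n: int) -> str:
    """Encode (e, n) as an OpenSSH 'ssh-rsa AAAA...' public key line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")

def parse_key_line(line: str):
    """Return (key_type, raw_blob) for a *.pub / authorized_keys line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not a public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    (type_len,) = struct.unpack(">I", blob[:4])  # the blob carries its own type
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("key type prefix does not match the encoded blob")
    return key_type, blob

def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the form older clients print."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(blob: bytes) -> str:
    """Modern 'SHA256:' fingerprint: unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def hash_hostname(host: str, salt: bytes) -> str:
    """The '|1|salt|hmac' host field written when HashKnownHosts is yes."""
    mac = hmac.new(salt, host.encode("utf-8"), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode("ascii"),
                         base64.b64encode(mac).decode("ascii"))

def host_matches(host_field: str, host: str) -> bool:
    """Does a known_hosts host field (plain, comma list or hashed) name host?"""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        actual = hmac.new(base64.b64decode(salt_b64), host.encode("utf-8"),
                          hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(mac_b64), actual)
    return host in host_field.split(",")

def check_known_hosts(known_hosts: str, host: str, key_line: str) -> str:
    """Classify the key host offers: 'ok', 'unknown', 'CHANGED' or 'REVOKED'.

    'unknown' is the "authenticity can't be established" prompt; 'CHANGED' is
    what a client reports after the server rekeyed but the cache was not updated.
    """
    key_type, blob = parse_key_line(key_line)
    seen_host = False
    for raw in known_hosts.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):  # @revoked or @cert-authority marker
            marker, fields = fields[0], fields[1:]
        if marker == "@cert-authority" or len(fields) < 3:
            continue  # CA keys sign host certificates; they are not host keys
        if not host_matches(fields[0], host):
            continue
        seen_host = True
        if fields[1] == key_type and base64.b64decode(fields[2]) == blob:
            return "REVOKED" if marker == "@revoked" else "ok"
    return "CHANGED" if seen_host else "unknown"


# Constructed sample data: 64-bit moduli are NOT real keys, illustration only.
OLD_KEY = rsa_public_key_line(65537, 0xC0FFEE1234567891)
NEW_KEY = rsa_public_key_line(65537, 0xDEADBEEF0BADF00D)
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for this example",
    "boxtotest,192.0.2.10 " + OLD_KEY,
    hash_hostname("hashed.example", bytes(range(20))) + " " + NEW_KEY,
    "@revoked oldserver " + OLD_KEY,
])

if __name__ == "__main__":  # a rekeyed server seen through a stale cache entry
    print(fingerprint_md5(parse_key_line(NEW_KEY)[1]))
    print(check_known_hosts(SAMPLE_KNOWN_HOSTS, "boxtotest", NEW_KEY))  # CHANGED
```

The check that makes the "permanently added" known_hosts entry worth anything is done before answering "yes": run `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` on the server over a channel you already trust (console, or the old session) and compare the result with the fingerprint in the prompt; clients newer than this thread print the SHA256 form by default and need `-E md5` to show the colon form used above. On the client-side puzzle in the reply: PuTTY does not use a known_hosts file at all; it caches host keys in the Windows registry under HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys, which is why a known_hosts file in the Windows user directory can be empty while PuTTY still connects without a prompt.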



