From: Tim Woodall on 15 Jan 2006 08:59

On Sun, 15 Jan 2006 13:52:23 +0000 (UTC), Tim Woodall <devnull(a)woodall.me.uk> wrote:
>
> I'll agree that the manpages are unclear but this doesn't appear to be
> the case. - I've just touched ssh_known_hosts and I can still ssh in
> fine.
>
> You can change the line
> #AuthorizedKeysFile %h/.ssh/authorized_keys
> in sshd_config so that there is one system wide keys file if you prefer.
> Or you could have something like
> /etc/ssh/%u/authorized_keys
> that could then be maintained by root.
>
> See man sshd_config
>

In fact it works even with the _wrong_ key in /etc/ssh/ssh_known_hosts

tim(a)feynman:~$ ssh localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
48:ba:0a:03:66:59:3e:4f:0b:8e:5f:4c:91:6a:33:db.
Please contact your system administrator.
Add correct host key in /home/tim/.ssh/known_hosts to get rid of this message.
Offending key in /etc/ssh/ssh_known_hosts:2
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Agent forwarding is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.
Linux feynman.home.woodall.me.uk 2.4.27-2-686 #1 Wed Aug 17 10:34:09 UTC 2005 i686 GNU/Linux
No mail.
Last login: Sun Jan 15 13:57:32 2006 from localhost

Tim.

--
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t,"
and there was light.
http://tjw.hn.org/
http://www.locofungus.btinternet.co.uk/
From: Martin Gregorie on 15 Jan 2006 09:10

alexd wrote:
> Welcome to Usenet :-D
>
Yeah, I know. I was a little irked by replies that looked to me as if the
poster hadn't fully understood what I'm trying to do.

> Yes. I use it to get into my machine at home from work. Also we use it at
> $ork to get into machines at the data centre. Here's a few things I found
> useful:
>
Very useful pointers. I've used PuTTY for donkey's yonks but never tried to
use it with public key access. It's quite simply the best 'doze ssh or telnet
client I know.

> To be honest I don't think there is anything else that one would want to use
> over the internet. SSH and VNC [with the requisite security] are the
> de-facto standards for remote access - even commercially available remote
> KVM switches use VNC, and I've been looking at a remote power management
> unit for said data centre that one can SSH into to power cycle kit etc.
>
I thought that ssh / sftp / scp were probably where it was at but wanted to
make sure that, say, a VPN approach wasn't better. I use ssh within my LAN
but know next to nothing about the ins and outs of secure Internet
communications.

Thanks for your help.

--
martin@   | Martin Gregorie
gregorie. |
org       | Zappa fan & glider pilot
From: Martin Gregorie on 15 Jan 2006 09:24

Tony van der Hoff wrote:
> I use port 22; that's what it's for. I do see the occasional dictionary
> attacks, which come to nowt due to my using strong account passwords, but
> just to give me the pleasure of banning the bastards, I have a script which
> parses the log file to collect multiple failed login attempts, and adds the
> ip to /etc/hosts.deny for sshd. This has harvested 105 entries so far, with
> a new one being added almost daily :)
>
That's a nice approach and I fully understand why you use it that way round.
It should work for me too, but in reverse:

- make sure the application order is hosts.deny before hosts.allow
- set hosts.deny to block everybody
- put only my local machines and the select few externals in hosts.allow
- and, for a paranoia special, add the same list of permitted hosts into
  /etc/ssh/ssh_known_hosts

Looks like I'd better do a bit of playing round.

--
martin@   | Martin Gregorie
gregorie. |
org       | Zappa fan & glider pilot
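Tony's log-parsing script is not posted in the thread, so here is an added example of the same idea (mine, not code from either poster): it scans sshd "Failed password" lines, picks out sources that have hit a threshold, and emits `sshd: <ip>` lines suitable for /etc/hosts.deny, skipping addresses already listed. The log lines are constructed for the example and follow the format sshd wrote on Debian of that era; the threshold and file paths are assumptions. Two caveats a practitioner would want: hosts_access(5) consults hosts.allow first and hosts.deny second, and a client matching neither file is allowed, so the deny-by-default form is `sshd: ALL` in hosts.deny with the permitted hosts in hosts.allow; and this only works if sshd is linked against libwrap, which OpenSSH dropped in 6.7, so on a current system the same address list goes into a firewall rule instead.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed auth.log-style lines:
# three failures from 192.0.2.10, one from 198.51.100.7 (then a key login),
# two from 203.0.113.5.
SAMPLE_LOG="${TMPDIR:-/tmp}/sshd-sample-$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
Jan 15 13:50:01 feynman sshd[4711]: Failed password for invalid user admin from 192.0.2.10 port 40012 ssh2
Jan 15 13:50:03 feynman sshd[4712]: Failed password for invalid user oracle from 192.0.2.10 port 40013 ssh2
Jan 15 13:50:05 feynman sshd[4713]: Failed password for root from 192.0.2.10 port 40014 ssh2
Jan 15 13:51:10 feynman sshd[4720]: Failed password for tim from 198.51.100.7 port 51000 ssh2
Jan 15 13:52:23 feynman sshd[4721]: Accepted publickey for tim from 198.51.100.7 port 51001 ssh2
Jan 15 13:53:00 feynman sshd[4730]: Failed password for invalid user test from 203.0.113.5 port 33000 ssh2
Jan 15 13:53:02 feynman sshd[4731]: Failed password for invalid user test from 203.0.113.5 port 33001 ssh2
EOF

# Print, one per line and sorted, every source address with at least
# $2 (default 3) failed password attempts recorded by sshd in log $1.
# Only sshd's own "Failed password" lines are counted; "Accepted" lines
# and other daemons are ignored.
failed_sources() {
    log="$1"; threshold="${2:-3}"
    grep 'sshd\[[0-9]*\]: Failed password for' "$log" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 >= t { print $2 }' \
        | sort
}

# Emit "sshd: <ip>" hosts.deny lines for those sources, omitting any
# address that is already present in deny file $3 (which may not exist),
# so the output can be appended on each run without duplicates.
hosts_deny_lines() {
    log="$1"; threshold="$2"; deny_file="$3"
    failed_sources "$log" "$threshold" | while read -r ip; do
        if ! grep -qFx "sshd: $ip" "$deny_file" 2>/dev/null; then
            printf 'sshd: %s\n' "$ip"
        fi
    done
}

# Usage: show what would be appended, without touching /etc/hosts.deny.
hosts_deny_lines "$SAMPLE_LOG" 3 /etc/hosts.deny
```

Run as root you would redirect the last line to `>> /etc/hosts.deny`; the `grep -Fx` check is what keeps 105 entries from becoming 210 after a re-run. Because sshd consults the wrappers files at connection time, no restart is needed for a new entry to take effect.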
From: Martin Gregorie on 15 Jan 2006 09:33

Tim Woodall wrote:
> In fact it works even with the _wrong_ key in /etc/ssh/ssh_known_hosts
>
Thanks for that. I think this explains why, having muttered about
ssh_known_hosts, the manpage also witters on about the hosts.* files.

My original concern was how to safely collect public keys from remote
hosts for inclusion in ssh_known_hosts, but this flags up other issues
that I need to find out about.

Best I start to play with it, I think, to see if the combination of
hosts.(allow|deny) and ( /etc/ssh/shosts.equiv and/or ssh_known_hosts )
can restrict access to an arbitrary set of hosts.

I'll report back.

--
martin@   | Martin Gregorie
gregorie. |
org       | Zappa fan & glider pilot
From: Tim Woodall on 15 Jan 2006 11:13

On Sun, 15 Jan 2006 14:33:22 +0000, Martin Gregorie <martin(a)see.sig.for.address> wrote:
> Tim Woodall wrote:
>> In fact it works even with the _wrong_ key in /etc/ssh/ssh_known_hosts
>>
> Thanks for that. I think this explains why, having muttered about
> ssh_known_hosts, the manpage also witters on about the hosts.* files.
>
> My original concern was how to safely collect public keys from remote
> hosts for inclusion in ssh_known_hosts, but this flags up other issues
> that I need to find out about.
>
> Best I start to play with it, I think, to see if the combination of
> hosts.(allow|deny) and ( /etc/ssh/shosts.equiv and/or ssh_known_hosts )
> can restrict access to an arbitrary set of hosts.
>
> I'll report back.
>
>
If you don't allow password authentication then you can just use
authorized_keys. I just use authorized_keys plus firewall rules.

I think on Debian Sarge, all you need to add to sshd_config is

ChallengeResponseAuthentication no

to disable password logins. You also need:

PasswordAuthentication no

But I think this is default on Debian.

Shouldn't be very different on any other distribution.

Tim.

--
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t,"
and there was light.
http://tjw.hn.org/
http://www.locofungus.btinternet.co.uk/
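Tim's two settings above, plus the root-maintained AuthorizedKeysFile he mentioned in his earlier post, are easy to get wrong because sshd_config takes the first uncommented occurrence of a keyword and treats a commented line as documentation of the default. The following is an added example (mine, not from the thread) with two constructed sshd_config fragments, one that still lets passwords through and one with the hardened settings, and a small checker that reads them the way sshd does. It ignores Match blocks and the compiled-in defaults it assumes (`yes` for both keywords) are those of OpenSSH; the authoritative check on a real host is `sshd -T`, which prints the effective configuration. The reason Tim lists ChallengeResponseAuthentication separately is that with `UsePAM yes` PAM can still prompt for a password over keyboard-interactive even when PasswordAuthentication is off; on OpenSSH 8.7 and later the same keyword is spelled KbdInteractiveAuthentication.

```shell
#!/bin/sh
# Added example, not from the thread. Two constructed sshd_config files:
# the first is what a default-ish Debian Sarge install looked like once
# PAM is on, the second carries the settings Tim recommends plus a
# root-owned per-user keys directory.
WEAK_CONF="${TMPDIR:-/tmp}/sshd_config.weak.$$"
cat > "$WEAK_CONF" <<'EOF'
Port 22
# Commented lines document the default; they do not set anything.
#PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthorizedKeysFile %h/.ssh/authorized_keys
EOF

HARD_CONF="${TMPDIR:-/tmp}/sshd_config.hard.$$"
cat > "$HARD_CONF" <<'EOF'
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# Keys live under /etc/ssh, writable only by root (path is an assumption).
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
EOF

# Effective value of keyword $2 in config $1: first uncommented match wins,
# keywords are case-insensitive, and $3 is printed when the keyword is absent
# (the compiled-in default). Match blocks are not handled.
sshd_setting() {
    conf="$1"; key="$2"; default="$3"
    val=$(awk -v k="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$conf")
    printf '%s\n' "${val:-$default}"
}

# Succeed only when neither plain password nor keyboard-interactive
# (PAM) authentication can be offered to a client.
password_auth_disabled() {
    conf="$1"
    pa=$(sshd_setting "$conf" PasswordAuthentication yes)
    cr=$(sshd_setting "$conf" ChallengeResponseAuthentication yes)
    [ "$pa" = no ] && [ "$cr" = no ]
}

# Usage: report both files.
for c in "$WEAK_CONF" "$HARD_CONF"; do
    if password_auth_disabled "$c"; then
        echo "$c: key-only"
    else
        echo "$c: PASSWORDS STILL ACCEPTED"
    fi
    echo "  AuthorizedKeysFile = $(sshd_setting "$c" AuthorizedKeysFile '%h/.ssh/authorized_keys')"
done
```

The weak file is the trap Tim describes: the commented `#PasswordAuthentication no` changes nothing, and ChallengeResponseAuthentication left on hands the password prompt to PAM. Note that `%h/.ssh/authorized_keys` lets each user add keys for themselves, while `/etc/ssh/authorized_keys/%u` keeps that decision with root, which is the point of the earlier post.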