Old 02-25-2016, 10:48 AM   #1
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Rep: Reputation: Disabled
Questions about SSH


When I log into a server (that I own) for the first time using SSH, Terminal says the server can not be verified and it displays a fingerprint.

Where does the "fingerprint" that is displayed in Terminal come from?

From my laptop or from the server?
 
Old 02-25-2016, 10:54 AM   #2
lazydog
Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 847
Blog Entries: 1

Rep: Reputation: 140
That is from the server.
 
Old 02-25-2016, 10:54 AM   #3
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 8,655

Rep: Reputation: 2501
If I understood it well: the fingerprint comes from the server and is stored on the client. That way ssh can inform you if you ssh to the same server name but the server was replaced in the meantime.
See ~/.ssh/known_hosts
 
Old 02-25-2016, 11:01 AM   #4
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 497

Rep: Reputation: 188
Hi again,

As mentioned in your other question, this is the MD5 hash of the server's public key.

The server keys are usually in /etc/ssh/ssh_host_{dsa,rsa}. You can obtain the fingerprint by running:

Code:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
# and
ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub
Which of these keys get used, and thus which fingerprint you get presented with, is determined by a negotiation between the client and server, depending on a number of configuration settings on both ends.
 
Old 02-25-2016, 11:19 AM   #5
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,396

Rep: Reputation: 2017
The reason for this is to protect against man-in-the-middle attacks. The first time you connect to a server it stores its key. If an imposter machine comes in, takes over the IP of the remote server (or hijacks the DNS to point the domain to a new location), and starts up a fake SSH server process in order to steal your username and password, as soon as you try to connect to it you'll be notified that this is not the same server you connected to before.
 
1 members found this post helpful.
Old 02-25-2016, 12:42 PM   #6
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by cliffordw View Post
Hi again,

As mentioned in your other question, this is the MD5 hash of the server's public key.

The server keys are usually in /etc/ssh/ssh_host_{dsa,rsa}. You can obtain the fingerprint by running:

Code:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
# and
ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub
Which of these keys get used, and thus which fingerprint you get presented with, is determined by a negotiation between the client and server, depending on a number of configuration settings on both ends.
I responded to you in my other thread and my question - repeated here - was this...

If the fingerprint is created by using the public key on my server, which public key are we talking about?

Is this the public key that was generated on my laptop and then uploaded onto my server?

Or is this possibly a public key that was generated on the server by my web host?

Follow me?
 
Old 02-25-2016, 12:49 PM   #7
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by suicidaleggroll View Post
The reason for this is to protect against man-in-the-middle attacks. The first time you connect to a server it stores its key. If an imposter machine comes in, takes over the IP of the remote server (or hijacks the DNS to point the domain to a new location), and starts up a fake SSH server process in order to steal your username and password, as soon as you try to connect to it you'll be notified that this is not the same server you connected to before.
Not to jump too far ahead, but...

I have another VPS with the same host. This is how I recall things working when I set that one up...
- I ran this on my laptop: ssh-keygen -t rsa -b 2048
- I uploaded the public key from the above command to my VPS
- I authorized the public key.
- I went into Terminal and typed: ssh cpaneluser@myserveripaddress -p 22
- I got a message saying it couldn't verify the authenticity of the server at myserveripaddress
- There was also a fingerprint displayed - presumably from my server
- The problem is that when I went to compare this fingerprint displayed in Terminal during initial ssh login against the fingerprint my web host claimed was my server, they did not match!!

The web host could not explain why, and I was ultimately told, "You just have to blindly say 'yes' to that first message, so your laptop can connect to the VPS and then the VPS will send your public key (?) back to it and store it in the "known_hosts" file."

I think my web host was wrong, and I should have been able to have matching fingerprints the first time I tried to log in!!

What do you say about this?
 
Old 02-25-2016, 12:52 PM   #8
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,396

Rep: Reputation: 2017
Quote:
Originally Posted by RobInRockCity View Post
I responded to you in my other thread and my question - repeated here - was this...

If the fingerprint is created by using the public key on my server, which public key are we talking about?

Is this the public key that was generated on my laptop and then uploaded onto my server?

Or is this possibly a public key that was generated on the server by my web host?

Follow me?
Your laptop has nothing to do with it. You can connect to that server from 10 different client machines, and all 10 client machines will be shown and forced to accept the same key. The key you're talking about here is generated when sshd is first installed on the server I believe.
 
Old 02-25-2016, 12:55 PM   #9
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,396

Rep: Reputation: 2017
Quote:
Originally Posted by RobInRockCity View Post
Not to jump too far ahead, but...

I have another VPS with the same host. This is how I recall things working when I set that one up...
- I ran this on my laptop: ssh-keygen -t rsa -b 2048
- I uploaded the public key from the above command to my VPS
- I authorized the public key.
All of that is irrelevant to the topic at hand

Quote:
Originally Posted by RobInRockCity View Post
- I went into Terminal and typed: ssh cpaneluser@myserveripaddress -p 22
- I got a message saying it couldn't verify the authenticity of the server at myserveripaddress
- There was also a fingerprint displayed - presumably from my server
- The problem is that when I went to compare this fingerprint displayed in Terminal during initial ssh login against the fingerprint my web host claimed was my server, they did not match!!
We need more information to answer that. What did the keys look like? Was the syntax similar? We have no idea what kind of fingerprint your web host gave you.

FYI - when you connect to a server for the first time and accept the key, it gets placed in ~/.ssh/known_hosts on your local machine. You can open up that file and find the key for your server, and compare that to what you were told it should be by the web host (assuming that's the key the web host gave you).

Last edited by suicidaleggroll; 02-25-2016 at 12:57 PM.
 
Old 02-25-2016, 04:08 PM   #10
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by suicidaleggroll View Post
All of that is irrelevant to the topic at hand

We need more information to answer that. What did the keys look like? Was the syntax similar? We have no idea what kind of fingerprint your web host gave you.

FYI - when you connect to a server for the first time and accept the key, it gets placed in ~/.ssh/known_hosts on your local machine. You can open up that file and find the key for your server, and compare that to what you were told it should be by the web host (assuming that's the key the web host gave you).
The fingerprint in Terminal and the fingerprint they emailed me looked like this:
8d:32:0E:9A:......

My web host was insistent that the fingerprint on my VPS was ___A____, but then why didn't I see that in terminal?

Why would the fingerprint I saw in Terminal NOT match the fingerprint my web host emailed me, when I am 99.9% sure that I did connect to my VPS when I had to break down and blindly type "yes" and hit <enter> even though the fingerprints did not match?
 
Old 02-25-2016, 04:13 PM   #11
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by suicidaleggroll View Post
Your laptop has nothing to do with it. You can connect to that server from 10 different client machines, and all 10 client machines will be shown and forced to accept the same key. The key you're talking about here is generated when sshd is first installed on the server I believe.
So the fingerprint that SSH sends back to me in Terminal on my laptop was coming from my VPS, right?

Then what other fingerprint would level-2 tech support be finding for me and emailing me?

The idea is that you call your web host in advance, they get YOUR vps's fingerprint, then you log in for the first time using SSH in Terminal, it fetches that SAME fingerprint from your vps, you verify that they match, and you type "yes" to sign on. THEN, the server passes the ____i forget which one____ back to your computer and writes it into the "known_hosts" file, so in the future when you log in, you don't have to get that same prompt asking if the fingerprint is legitimate, right?

This all boils down to either something is broken and that is why the fingerprints don't match, OR my web host is an idiot and can't get the CORRECT fingerprint to compare to what SSH is showing me in Terminal.

That is how I see this annoying issue...

Thoughts?
 
Old 02-25-2016, 04:54 PM   #12
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,396

Rep: Reputation: 2017
Maybe he gave you the rsa key, and due to your ssh settings you authenticated over dsa?

It doesn't have to be complicated, if you're concerned, just LOOK. On your local machine, open up ~/.ssh/known_hosts, find the system you're referring to here. The beginning will look something like:
Code:
name-of-host ssh-rsa slihdlijaflafjlsdfljasf...
Pay attention to that ssh-rsa part, if it says ssh-rsa, then it's rsa, if it says ssh-dsa, then it's dsa. It might not be either of those, it could be ecdsa, or ed25519, or whatever, just identify it.

Now log into your server, go to /etc/ssh, and open the applicable public key file, either ssh_host_dsa_key.pub or ssh_host_rsa_key.pub, or ssh_host_ed25519_key.pub, or whatever. It should match what's in your known hosts file. Now look at what the provider told you, maybe they gave you one of the other ones.

Last edited by suicidaleggroll; 02-25-2016 at 04:56 PM.
 
Old 02-25-2016, 05:26 PM   #13
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by suicidaleggroll View Post
Maybe he gave you the rsa key, and due to your ssh settings you authenticated over dsa?
No.


Quote:
Originally Posted by suicidaleggroll View Post
It doesn't have to be complicated, if you're concerned, just LOOK. On your local machine, open up ~/.ssh/known_hosts, find the system you're referring to here. The beginning will look something like:
Code:
name-of-host ssh-rsa slihdlijaflafjlsdfljasf...
Pay attention to that ssh-rsa part, if it says ssh-rsa, then it's rsa, if it says ssh-dsa, then it's dsa. It might not be either of those, it could be ecdsa, or ed25519, or whatever, just identify it.
In the known_hosts file I see...
111.222.3333.44 ssh-rsa AAAAB2MzbS7yp2E...


Quote:
Originally Posted by suicidaleggroll View Post
Now log into your server, go to /etc/ssh, and open the applicable public key file, either ssh_host_dsa_key.pub or ssh_host_rsa_key.pub, or ssh_host_ed25519_key.pub, or whatever. It should match what's in your known hosts file. Now look at what the provider told you, maybe they gave you one of the other ones.
I don't have root access, so I don't believe I can do this step.


This past weekend, the web host supposedly ran this...
# ssh-keygen -lf .ssh/id_rsa.pub

As far as I know, that is creating a public/private key pair on the server. What in the hell does that have to do with the public key I created on my laptop and then installed on my VPS??????


Apparently that command generated this...
2048 06:ef:47:d7:d5:14... .ssh/id_rsa.pub (RSA)

This is where I believe the problem is...

I created a public/private key pair on my LAPTOP and then I installed the PUBLIC KEY onto my VPS. So when I asked the web host for my fingerprint, I wanted the fingerprint created from the public key THAT I CREATED ON MY LAPTOP.

Based on the command they supposedly ran above, I'd say they overwrote MY public key with a new one.

Follow me?

(I think all of this being difficult falls onto my web host...)
 
Old 02-26-2016, 01:41 AM   #14
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 497

Rep: Reputation: 188
Quote:
Originally Posted by RobInRockCity View Post
I don't have root access, so I don't believe I can do this step.
You can see the server's key as a non-root user by running
Code:
ssh-keyscan localhost > /tmp/x && ssh-keygen -lf /tmp/x && rm /tmp/x
Quote:
Originally Posted by RobInRockCity View Post
This past weekend, the web host supposedly ran this...
# ssh-keygen -lf .ssh/id_rsa.pub

As far as I know, that is creating a public/private key pair on the server. What in the hell does that have to do with the public key I created on my laptop and then installed on my VPS??????

Apparently that command generated this...
2048 06:ef:47:d7:d5:14... .ssh/id_rsa.pub (RSA)
There is a server key, used by sshd to identify the server. Separate from that individual users can have user keys, which allows them to authenticate without passwords.
The command above created a key pair for your user on the server. This is not the same thing as the server's host key. This key would only be of any use if you want to connect from the server to somewhere else, and plays no role at all in the connection from your laptop to the server.

Quote:
Originally Posted by RobInRockCity View Post
I created a public/private key pair on my LAPTOP and then I installed the PUBLIC KEY onto my VPS. So when I asked the web host for my fingerprint, I wanted the fingerprint created from the public key THAT I CREATED ON MY LAPTOP.
This is where the confusion lies, yes. You're still off the mark, though ;-) The fingerprint you get asked to confirm is the HOST key, not the USER key.

You would not need their help to get the fingerprint for the key you generated anyway; simply run "ssh-keygen -lf ~/.ssh/id_rsa.pub" on your laptop for that.

Quote:
Originally Posted by RobInRockCity View Post
Based on the command they supposedly ran above, I'd say they overwrote MY public key with a new one.
Nope, different files (unless the wrong files were copied). The ~/.ssh/id_rsa.pub file on the server is for use by the account on the server to connect elsewhere. For your laptop to connect to the server, a copy of your public key should be added to ~/.ssh/authorized_keys.

Getting back to your real concern, I'd suggest you ask your hosting provider to send you a copy of the /etc/ssh/ssh_host_rsa_key.pub file. This should match the entry in your ~/.ssh/known_hosts file for that server.
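
The fingerprint discussed in this thread is a hash of the public key blob found in a known_hosts entry or a .pub file, so a host key and a user key always produce different fingerprints. The Python sketch below is an added example, not code from any poster: it derives the MD5 and SHA256 fingerprints from such a line and checks a claimed fingerprint against it. The key material, the address 203.0.113.10 and the comment user@laptop are constructed samples, and the function names are hypothetical.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire format: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def sample_rsa_b64(fill: int) -> str:
    """Constructed, non-functional ssh-rsa blob (type, e, n); for hashing only."""
    blob = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + bytes([fill]) * 256))
    return base64.b64encode(blob).decode()


# Constructed sample data, not real keys.
HOST_LINE = "203.0.113.10 ssh-rsa " + sample_rsa_b64(0xA1)    # known_hosts entry
USER_PUB = "ssh-rsa " + sample_rsa_b64(0xB2) + " user@laptop"  # a user's id_rsa.pub


def parse_entry(line: str):
    """Return (hosts, key_type, blob) for a known_hosts or *.pub line.

    The key field is located by checking that the decoded blob starts with
    the same key-type string as the field before it.
    """
    fields = line.split()
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        n = int.from_bytes(blob[:4], "big")
        if len(blob) >= 4 and blob[4:4 + n] == fields[i].encode():
            return (fields[i - 1] if i else None), fields[i], blob
    raise ValueError("no SSH public key found in line")


def fingerprints(blob: bytes) -> dict:
    """MD5 as colon-separated hex; SHA256 as unpadded base64 with prefix."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def matches(line: str, claimed: str) -> bool:
    """Compare a claimed fingerprint (either style, any hex case) with a key line."""
    fps = fingerprints(parse_entry(line)[2])
    claimed = claimed.strip()
    if claimed.upper().startswith("MD5:"):
        claimed = claimed[4:]
    if claimed.startswith("SHA256:"):
        return claimed.rstrip("=") == fps["sha256"]
    return claimed.lower() == fps["md5"]
```

Calling `matches(HOST_LINE, ...)` with the fingerprint of `USER_PUB` returns False, which is the mismatch you get when the fingerprint of a user key is compared with the host key shown at first login.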
 
Old 02-26-2016, 10:06 AM   #15
lazydog
Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 847
Blog Entries: 1

Rep: Reputation: 140
Quote:
Originally Posted by cliffordw View Post
Getting back to your real concern, I'd suggest you ask your hosting provider to send you a copy of the /etc/ssh/ssh_host_rsa_key.pub file. This should match the entry in your ~/.ssh/known_hosts file for that server.
@OP: From what I have read the disconnect is between the keyboard and the seat. Not understanding how key-pairs work properly and what key you should be seeing. I would suggest you contact your hosting and work out your confusion with them. They can tell you exactly what you should be seeing.
 