Old 02-26-2016, 12:57 PM   #16
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by lazydog View Post
@OP: From what I have read the disconnect is between the keyboard and the seat. Not understanding how key-pairs work properly and what key you should be seeing. I would suggest you contact your hosting and work out your confusion with them. They can tell you exactly what you should be seeing.
If I thought my web host was able to competently help, I wouldn't be here...
 
Old 02-26-2016, 01:02 PM   #17
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by cliffordw View Post
You can see the server's key as a non-root user by running
Code:
ssh-keyscan localhost > /tmp/x && ssh-keygen -lf /tmp/x && rm /tmp/x
Can you explain what that code does and where I would run it? (Sorry, I'm not a system admin)


Quote:
Originally Posted by cliffordw View Post
There is a server key, used by sshd to identify the server. Separate from that individual users can have user keys, which allows them to authenticate without passwords.
The command above created a key pair for your user on the server. This is not the same thing as the server's host key. This key would only be of any use if you want to connect from the server to somewhere else, and plays no role at all in the connection from your laptop to the server.
So my web host gave me the wrong info...


Quote:
Originally Posted by cliffordw View Post
This is where the confusion lies, yes. You're still off the mark, though ;-) The fingerprint you get asked to confirm is the HOST key, not the USER key.

You would not need their help to get the fingerprint for the key you generated anyway; simply run "ssh-keygen -lf ~/.ssh/id_rsa.pub" on your laptop for that.
What do I need to do to get a fingerprint that I can compare against the fingerprint I see when I first try to SSH in to my server?


Quote:
Originally Posted by cliffordw View Post
Getting back to your real concern, I'd suggest you ask your hosting provider to send you a copy of the /etc/ssh/ssh_host_rsa_key.pub file. This should match the entry in your ~/.ssh/known_hosts file for that server.
Is it safe to do that via email?

Would I be giving away details of my server or keys that I shouldn't?
 
Old 02-26-2016, 01:48 PM   #18
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947
Quote:
Originally Posted by RobInRockCity View Post
What do I need to do to get a fingerprint that I can compare against the fingerprint I see when I first try to SSH in to my server?
That would be the command cliffordw just gave you:
Code:
ssh-keyscan localhost > /tmp/x && ssh-keygen -lf /tmp/x && rm /tmp/x
Run it on the VPS, it will print out the fingerprint that you were shown, and accepted, when you first tried to ssh into the system.

If you want to know what it does, there are three parts:
1) ssh-keyscan localhost > /tmp/x
This dumps out the server key for the system on which you run the command into a file called "x" located in /tmp/. This would be the same as running "cp /etc/ssh/ssh_host_rsa_key.pub /tmp/x", which is the file I asked you to look at earlier and you just assumed you wouldn't be able to and didn't try...the public key files are world-readable, you don't need to be root.

2) ssh-keygen -lf /tmp/x
The -f flag tells it to read from the provided file, the -l flag tells it to print the fingerprint

3) rm /tmp/x
Cleans up the temporary file that you created with #1.

All of which could be shortened to simply:
Code:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

Last edited by suicidaleggroll; 02-26-2016 at 01:54 PM.
 
Old 02-26-2016, 03:32 PM   #19
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
suicidaleggroll,

I was trying to follow your instructions, but I have the following issue in Terminal when I try to ssh into my VPS. Here is what is happening...

Code:
user1s-MacBook-Pro:~ user1$ ssh vps-user@111.222.333.44 -p 22

The authenticity of host '111.222.333.44' can't be established.
RSA key fingerprint is 3c:91:bb:81:ef:23:f1:b2:87:a5:2a:10:e8.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '111.222.333.44' (RSA) to the list of known hosts.

vps-user@111.222.333.44's password:

Why is it asking for a password?? The whole point of setting up a public/private key pair was so I just have to type in my passphrase on the private key, and NOT enter my cpanel password.

This is all very frustrating...
 
Old 02-26-2016, 03:48 PM   #20
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947
Permissions are the usual cause.

On the remote server, run the following:
Code:
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 750 ~
I'm assuming you already put your laptop's public key into ~/.ssh/authorized_keys on the server.
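
An added example, not part of the post above: a mode audit of the three paths those chmod commands touch. It assumes sshd runs with StrictModes enabled (the default), under which a home directory, ~/.ssh or authorized_keys that is writable by group or others makes sshd ignore the key and fall back to the password prompt; the function names and the temporary demo directory are constructed for illustration, and ownership is not checked.

```shell
#!/bin/sh
# Added example: report paths whose modes would make sshd (StrictModes yes)
# ignore authorized_keys. Runs against a constructed temp directory.

# Succeeds if the group-write or other-write bit is set on $1.
loose() {
    mode=$(stat -c %a "$1") || return 1   # GNU stat, prints e.g. 775
    [ $(( 0$mode & 022 )) -ne 0 ]         # leading 0 makes it octal
}

# audit_ssh_perms HOME: print each offending path, return 1 if any found.
audit_ssh_perms() {
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; bad=1
        elif loose "$p"; then
            echo "writable by group/other: $p (mode $(stat -c %a "$p"))"; bad=1
        fi
    done
    return $bad
}

# Constructed demo home with deliberately loose modes.
demo_home() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys" &&
        chmod 775 "$d" && chmod 777 "$d/.ssh" &&
        chmod 664 "$d/.ssh/authorized_keys" && echo "$d"
}

# The three chmod commands from the post, applied to a given home directory.
fix_perms() {
    chmod 600 "$1/.ssh/authorized_keys"
    chmod 700 "$1/.ssh"
    chmod 750 "$1"
}

home=$(demo_home)
if ! audit_ssh_perms "$home"; then echo "-> key login would be refused"; fi
fix_perms "$home"
if audit_ssh_perms "$home"; then echo "-> modes acceptable to StrictModes"; fi
rm -rf "$home"
```

On the server itself, `audit_ssh_perms "$HOME"` checks the real account without changing anything.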
 
Old 02-26-2016, 06:52 PM   #21
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by suicidaleggroll View Post
Permissions are the usual cause.

On the remote server, run the following:
Code:
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 750 ~
Dumb question, but how do I do that??

I have a VPS with CentOS6 and cPanel, but no Root access of my own. I thought the way I would execute your code above for the server key was supposed to be done after I SSH'ed into my VPS, but then I got that password issue.

So where and how do I run the chmod commands you recommend?


Quote:
Originally Posted by suicidaleggroll View Post
I'm assuming you already put your laptop's public key into ~/.ssh/authorized_keys on the server.
No. I generated the key pair on my MacBook, and then I imported the public key into cPanel > Security > SSH Access > Manage Keys

So I can see my public key in cPanel, but I didn't do anything with ~/.ssh/authorized_keys

You'll have to help explain this to me as I learn all about Sys Admin stuff!
 
Old 02-26-2016, 08:05 PM   #22
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947
I know nothing about cPanel, can't help you there.

You said you were prompted for a password, did you enter it? Do you know it?
 
Old 02-26-2016, 08:14 PM   #23
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by suicidaleggroll View Post
I know nothing about cPanel, can't help you there.

You said you were prompted for a password, did you enter it? Do you know it?
Yes, I know my cPanel password, but I didn't enter anything for fear my SSH connection is broken and a hacker might see it - or maybe I have already been hacked.
 
Old 02-26-2016, 08:38 PM   #24
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947
The chances of that are incredibly low. Are you connecting using the domain name or IP address? If the IP, then the chances are practically non-existent.
 
Old 02-26-2016, 09:18 PM   #25
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by suicidaleggroll View Post
The chances of that are incredibly low. Are you connecting using the domain name or IP address? If the IP, then the chances are practically non-existent.
Think I am making some progress...

I took a chance and entered my password into SSH since my key pair stopped working.

At the command prompt on my server, I did this...

vps-user@111.222.333.44 [~}# ls

I see...

etc/
.ssh/

In etc/ is a directory called mydomain.com but there is nothing in it.

In .ssh/ I see...
authorized_keys
authorized_keys2
id_rsa.pub


I think this is one problem. Why do I have 2 authorized_key files?

I built a spreadsheet with two input fields (i.e. "Fingerprint from Web-Host" and "Fingerprint from Terminal") and created a formula to show MATCH/NO MATCH.

From there I went into TextWrangler and pasted the KEY from my MacBook's ~/.ssh/known_hosts file into "Fingerprint from Terminal".

Then I proceeded to run...

cat authorized_keys
cat authorized_keys2
cat id_rsa.pub

...and pasted the contents of each into the "Fingerprint from Web-Host" field. (In this case I am comparing KEYS and not fingerprints.)

There was NO MATCH in any of the three comparisons?!

So what is going on here???

Last edited by RobInRockCity; 02-26-2016 at 09:20 PM.
 
Old 02-27-2016, 08:56 AM   #26
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947
The fingerprint is not the public key. The fingerprint is calculated from the public key, and you've been given the command to do this calculation THREE TIMES already.

And as has already been explained to you, nothing you will find in ~/.ssh on the server has anything to do with this question, at all. The key you are looking for, the one that has to do with the server proving it is who it says it is, is in /etc/ssh.

Last edited by suicidaleggroll; 02-27-2016 at 08:59 AM.
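
An added example, not part of any post in this thread: what "the fingerprint is calculated from the public key" means in practice, and why the host key in /etc/ssh matches the laptop's known_hosts entry while nothing in ~/.ssh/authorized_keys does. The key blobs are constructed toy values, the variable and function names are made up for illustration, and `base64 -d` and `md5sum` are the GNU coreutils tools.

```shell
#!/bin/sh
# Added example: compute the colon-separated MD5 fingerprint by hand.
# All key material below is constructed (toy-sized), not a real host key.

HOST_BLOB='AAAAB3NzaC1yc2EAAAADAQABAAAAEQC1x2y3z4A5B6C7D8E9F0Gh'
USER_BLOB='AAAAB3NzaC1yc2EAAAADAQABAAAAEQDJk1m2n3P4q5R6s7T8u9Vw'

# Server side: /etc/ssh/ssh_host_rsa_key.pub holds "type blob comment".
HOST_PUB_LINE="ssh-rsa $HOST_BLOB root@vps"
# Laptop side: ~/.ssh/known_hosts holds "host type blob".
KNOWN_HOSTS_LINE="111.222.333.44 ssh-rsa $HOST_BLOB"
# A user key as stored in ~/.ssh/authorized_keys: a different key entirely.
USER_PUB_LINE="ssh-rsa $USER_BLOB user1@laptop"

# Print the base64 blob: the field right after the key-type field.
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) {
                print $(i + 1); exit
            }
    }'
}

# MD5 over the decoded blob, printed as 16 colon-separated hex bytes.
md5_fp() {
    blob=$(key_blob "$1")
    [ -n "$blob" ] || return 1            # not a key line
    printf '%s\n' "$blob" | base64 -d | md5sum | awk '{ print $1 }' |
        sed 's/../&:/g; s/:$//'
}

# True when both lines carry the same key (same non-empty fingerprint).
same_key() {
    a=$(md5_fp "$1"); b=$(md5_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

echo "host key fingerprint: $(md5_fp "$HOST_PUB_LINE")"
if same_key "$HOST_PUB_LINE" "$KNOWN_HOSTS_LINE"; then
    echo "known_hosts entry matches the server host key"
fi
if ! same_key "$KNOWN_HOSTS_LINE" "$USER_PUB_LINE"; then
    echo "authorized_keys entry is a different key, as expected"
fi
```

On a real system `ssh-keygen -lf` does this calculation; newer OpenSSH releases print a SHA256 fingerprint by default, and `ssh-keygen -E md5 -lf` gives the colon-separated MD5 form shown in this thread.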
 
Old 02-27-2016, 09:05 AM   #27
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,120

Rep: Reputation: 2270
authorized_keys2 is not used by default by any tool, it can only be a backup or something like that.
 
Old 02-27-2016, 11:56 AM   #28
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by suicidaleggroll View Post
The fingerprint is not the public key. The fingerprint is calculated from the public key,
When have I ever said that the keys were the fingerprint??


Quote:
Originally Posted by suicidaleggroll View Post
and you've been given the command to do this calculation THREE TIMES already.
And I ran it.


Quote:
Originally Posted by suicidaleggroll View Post
And as has already been explained to you, nothing you will find in ~/.ssh on the server has anything to do with this question, at all. The key you are looking for, the one that has to do with the server proving it is who it says it is, is in /etc/ssh.
Nothing personal, but the conversation would work better if people answered questions before moving on.

The conversation has evolved as I learn more, and I am taking people's advice and asking questions along the way to learn more.

Last edited by RobInRockCity; 02-27-2016 at 11:59 AM.
 
Old 02-27-2016, 12:01 PM   #29
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by cliffordw View Post
Hi again,

As mentioned in your other question, this is the MD5 hash of the server's public key.

The server keys are usually in /etc/ssh/ssh_host_{dsa,rsa}. You can obtain the fingerprint by running:

Code:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
# and
ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub
Which of these keys get used, and thus which fingerprint you get presented with, is determined by a negotiation between the client and server, depending on a number of configuration settings on both ends.
I ran this code - after I spent Friday night trying to figure out how to do command line - and it worked.

What I don't understand is why I can't see this path in Terminal?

(I explained this in another post, but it seems like my questions and comments get skipped a lot.)

How can I run that command when there is no visible directory structure or file there?
 
Old 02-27-2016, 12:31 PM   #30
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947
Quote:
Originally Posted by RobInRockCity View Post
When have I ever said that the keys were the fingerprint??
Sorry, I misread your post. I thought you were comparing the keys in authorized_keys, known_hosts, etc. to the fingerprint the web host sent you. I see now that is not the case.

Quote:
Originally Posted by RobInRockCity
What I don't understand is why I can't see this path in Terminal?

(I explained this in another post, but it seems like my questions and comments get skipped a lot.)

How can I run that command when there is no visible directory structure or file there?
I just re-read the thread and I do not see where you asked this earlier. If I missed it I apologize, but I'm not seeing it anywhere.
That said, I don't understand the question. What can't you see in the terminal? There's no directory structure or file where? Best guess at interpreting your question is that you're confused about the difference between relative and absolute paths:
http://www.linuxnix.com/abslute-path...-in-linuxunix/
 
  


All times are GMT -5.