LinuxQuestions.org
Old 08-14-2014, 10:01 PM   #1
ListenAndLearn
LQ Newbie
 
Registered: Aug 2014
Posts: 2

Rep: Reputation: Disabled
Why does SSH store the fingerprints of remote host when connecting for the first time


I was wondering why ssh stores the fingerprint of a remote host when connecting for the first time.

I would appreciate a detailed response; I can't figure it out.
 
Old 08-14-2014, 10:58 PM   #2
EDDY1
LQ Addict
 
Registered: Mar 2010
Location: Oakland,Ca
Distribution: wins7, Debian wheezy
Posts: 6,838

Rep: Reputation: 649
http://superuser.com/questions/42199...s-it-generated
 
Old 08-15-2014, 01:27 AM   #3
ListenAndLearn
LQ Newbie
 
Registered: Aug 2014
Posts: 2

Original Poster
Rep: Reputation: Disabled
Thanks for the reply EDDY1.

I like the information but still wonder, why does it HAVE to store the fingerprint on the FIRST time? Can't it be disabled?
Does it HAVE to store it for security purposes? How can I prevent it from storing it if I don't want it to be stored?

Last edited by ListenAndLearn; 08-15-2014 at 01:47 AM.
 
Old 08-15-2014, 01:46 AM   #4
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_10{.0|.1|.2}
Posts: 3,876
Blog Entries: 1

Rep: Reputation: 1998
Quote:
Originally Posted by ListenAndLearn View Post
I like the information but still wonder, why does it HAVE to store the fingerprint? Can't it be disabled?
Does it HAVE to store it for security purposes?
I really do not know SSH configs well enough to give the definitive answer, but in general, yes, it must store the fingerprint for security reasons - all features which rely on it would obviously break otherwise!

From man ssh:

Quote:
VERIFYING HOST KEYS
When connecting to a server for the first time, a fingerprint of the server's public key is
presented to the user (unless the option StrictHostKeyChecking has been disabled). Fingerprints
can be determined using ssh-keygen(1):

$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

If the fingerprint is already known, it can be matched and verified, and the key can be
accepted. If the fingerprint is unknown, an alternative method of verification is available...
SSH is all about the keys, and fingerprinting is all about validating the keys, so it would seem to be pretty important!

Quote:
Originally Posted by ListenAndLearn View Post
How can I prevent it from storing it if I don't want it to be stored?
I think the better question would be, why would you want to disable it?
 
Old 08-15-2014, 02:13 AM   #5
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,602

Rep: Reputation: 1241
It stores the public key from the server to check later. And on the first connection, you are asked to approve the addition - thus authenticating that the remote system is the one it claims to be.

This is done so that a "man in the middle" attack can't be done.
 
Old 08-15-2014, 08:50 PM   #6
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mint, OpenBSD
Posts: 11,340
Blog Entries: 12

Rep: Reputation: 2730
ssh stores the fingerprint and uses it on subsequent connections to make sure that the computer is the same one you connected to previously.

When I have reloaded one of my computers and try to ssh into it, ssh will complain and block the connection because it knows the computer at the other end has changed. It will not allow the connection until I update or delete the ~/.ssh/known_hosts file.

Last edited by frankbell; 08-15-2014 at 08:51 PM.
 
Old 08-15-2014, 10:20 PM   #7
maples
Member
 
Registered: Oct 2013
Location: IN, USA
Distribution: Arch, Debian Jessie
Posts: 810

Rep: Reputation: 264
Quote:
Originally Posted by frankbell View Post
When I have reloaded one of my computers and try to ssh into it, ssh will complain and block the connection because it knows the computer at the other end has changed. It will not allow the connection until I update or delete the ~/.ssh/known_hosts file.
That's what I do. Just a simple "rm ~/.ssh/known_hosts" solves the problem.
 
Old 08-15-2014, 11:50 PM   #8
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,275

Rep: Reputation: 370
Quote:
Originally Posted by maples View Post
That's what I do. Just a simple "rm ~/.ssh/known_hosts" solves the problem.
Better just to delete the particular line(s) in the known_hosts file that correspond to the server in question. That way you can still verify other existing servers you connect to.
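Added example (not posted by anyone in this thread): a self-contained Python script that does offline what posts #4 through #8 describe. It derives the SHA256 fingerprint that a modern ssh-keygen -l prints from the base64 key stored in known_hosts, matches both plain and hashed (HashKnownHosts) host fields the way ssh does on reconnect, and removes only the lines for one host, as ssh-keygen -R does, so every other server stays verifiable. The hostnames, IP address and key bytes are constructed for the demo and are not real keys.

```python
import base64
import hashlib
import hmac
import struct

def fake_ed25519_blob(seed: bytes) -> str:
    """Constructed key blob for the demo: the 32 'key' bytes are just a hash, not a real key."""
    parts = [b"ssh-ed25519", hashlib.sha256(seed).digest()]  # SSH strings are length-prefixed
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(blob).decode()

def fingerprint(b64_key: str) -> str:
    """What `ssh-keygen -l` prints: SHA256 of the decoded blob, base64 with padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_hostname(host: str, salt: bytes) -> str:
    """Hashed host field (|1|salt|hmac-sha1) as written when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(host_field: str, host: str) -> bool:
    """Match a host field (plain, comma-separated or hashed); wildcards and [host]:port are not handled."""
    if host_field.startswith("|1|"):
        salt = base64.b64decode(host_field.split("|")[2])
        return hmac.compare_digest(hashed_hostname(host, salt), host_field)
    return host in host_field.split(",")

def _parse(line: str):
    fields = line.split()  # (host_field, key_type, key) for a key line; None for blanks and comments
    if len(fields) < 3 or line.startswith("#"):
        return None
    return fields[0], fields[1], fields[2]

def lookup(text: str, host: str):
    """(key_type, fingerprint) of every stored key for `host`: this is what ssh compares on reconnect."""
    return [(p[1], fingerprint(p[2])) for p in map(_parse, text.splitlines())
            if p and host_matches(p[0], host)]

def remove_host(text: str, host: str) -> str:
    """Drop only the lines for `host`, as `ssh-keygen -R host` does, keeping every other server."""
    keep = [line for line in text.splitlines()
            if not (_parse(line) and host_matches(_parse(line)[0], host))]
    return "\n".join(keep) + "\n"

SAMPLE_KNOWN_HOSTS = (  # constructed sample file: a plain entry with two names and a hashed entry
    "server.example.test,192.0.2.10 ssh-ed25519 " + fake_ed25519_blob(b"server") + "\n"
    + hashed_hostname("laptop.example.test", b"0123456789abcdef0123") + " ssh-ed25519 "
    + fake_ed25519_blob(b"laptop") + "\n")
```

A changed fingerprint for a host that is still present in the file is exactly the condition that makes ssh refuse the connection in post #6; comparing the stored value against the one the server presents is the whole check.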
 
Old 08-16-2014, 12:24 PM   #9
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947
If you want to disable it, you can use /dev/null for the known hosts location and turn strict host key checking off. I typically do this for my own subnet so I don't get pestered with those messages when a laptop or some other device I'm connecting to on my LAN happens to change DHCP IPs.

I.e. something like this in .ssh/config:
Code:
Host 192.168.1.*
   Cipher arcfour
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null
   LogLevel quiet
Of course replacing 192.168.1.* with your actual subnet.

Last edited by suicidaleggroll; 08-16-2014 at 12:37 PM.
 
Old 08-16-2014, 02:18 PM   #10
johnston73
LQ Newbie
 
Registered: Aug 2013
Posts: 7

Rep: Reputation: Disabled
Disabling these checks opens you up to vulnerabilities and you should never do this. If anything, when possible, you should use keys/pass-phrases versus passing your password to have a more secure setup.
 
Old 08-16-2014, 10:46 PM   #11
maples
Member
 
Registered: Oct 2013
Location: IN, USA
Distribution: Arch, Debian Jessie
Posts: 810

Rep: Reputation: 264
Quote:
Originally Posted by btmiller View Post
Better just to delete the particular line(s) in the known_hosts file that correspond to the server in question. That way you can still verify other existing servers you connect to.
The only "servers" that I ssh into are my actual server and my laptops (and 99.999% of the time it's within my home network)... so if one of those gets subjected to a man-in-the-middle attack, then I have a really big problem...

That said, I can see it as a valuable tool for people who ssh into remote servers that might actually be under a man-in-the-middle attack, so I see why you suggested to remove only the offending line.
 
Old 08-17-2014, 02:00 PM   #12
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,275

Rep: Reputation: 370
Yup, I fairly regularly ssh into hundreds of machines at the place where I work. If one of their SSH keys changed, and it wasn't me or one of the other admins, I definitely want to know about it.
 
  

