LinuxQuestions.org
Old 11-10-2011, 12:42 PM   #1
spangle1
LQ Newbie
 
Registered: Nov 2011
Posts: 2

Problems authenticating SSH session


I'm having a conceptual problem that you may be able to assist with. The problem may be due to my misunderstanding of SSH concepts, or SSH technological implementation, or Shared Hosting, but here goes:

I've got a shared hosting account with GoDaddy, and they've got an SSH server which is set up in such a way that, from my terminal, I can "ssh www.myhosteddomainname.com -l myusername". This responds with an RSA key fingerprint and asks whether I want to continue connecting.

Now it's my understanding that the only way to be sure that this connection is indeed with GoDaddy as I hope it is, is to get GoDaddy to confirm the correct RSA key fingerprint, and check that this is the same as the one reported by the ssh client.

I've called GoDaddy to get this information, but they wouldn't give it to me. After an age on the phone, I'm not entirely clear what the reason is, because they seemed to give me many different reasons and none of them made any real sense to me.

The reasons varied from "we're unable to get the fingerprint from the server" to "we wouldn't be prepared to give that fingerprint over the phone".

So my question is this: Do I need to verify the fingerprint appearing in the SSH client against a fingerprint given to me by GoDaddy? If so, is there any way of doing this other than by getting GoDaddy to tell me what it is, and does it make sense that GoDaddy would provide SSH capabilities without being prepared to provide the fingerprint? If not, please could you provide some explanation of where I've misunderstood - or a link to a clear explanation, as I've already done a lot of reading, and find the subject a bit complicated, but thought I'd now understood it correctly.

Thanks in advance for your help.
 
Old 11-10-2011, 01:13 PM   #2
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

You don't have to verify the host fingerprint. As long as you are sure you are connected to the correct server, just accept the fingerprint and log in. In future, if the fingerprint changes then you must investigate, as something has changed. You will find the fingerprints of all the ssh servers you connect to in a file called known_hosts.

Code:
     ssh automatically maintains and checks a database containing
     identification for all hosts it has ever been used with.  Host keys are
     stored in ~/.ssh/known_hosts in the user's home directory.  Additionally,
     the file /etc/ssh/ssh_known_hosts is automatically checked for known
     hosts.  Any new hosts are automatically added to the user's file.  If a
     host's identification ever changes, ssh warns about this and disables
     password authentication to prevent server spoofing or man-in-the-middle
     attacks, which could otherwise be used to circumvent the encryption.
 
Old 11-11-2011, 04:00 AM   #3
spangle1
LQ Newbie
 
Registered: Nov 2011
Posts: 2

Original Poster
Thanks for the prompt reply, smoker. But what I still don't understand is: how can I be absolutely sure that the response isn't from a spoofed server or man-in-the-middle attack - is there some logic that explains that this is infinitely less likely the first time you connect from a new computer / OS installation to a particular server, than on subsequent attempts?

I had thought that the behaviour envisaged by the architects of ssh/pki etc would be to get the fingerprint externally (out-of-band e.g. in person), similar to the way you might want to if you're dealing with digitally encrypted or signed files.
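
The fingerprint shown at the first-connection prompt is a hash of the server's public host key, so a value obtained out of band can be compared against the key recorded in known_hosts. The following is an added example, not part of any post in this thread; the sample key is constructed and the function names are hypothetical.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field of the SSH public key wire format."""
    return struct.pack(">I", len(data)) + data

# Constructed sample, not a real host key: an "ssh-rsa" blob with e=65537 and a
# made-up modulus, written as one known_hosts line for the thread's placeholder host.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(bytes(range(1, 256)) + b"\xc5"))
SAMPLE_LINE = "www.myhosteddomainname.com ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

def parse_known_hosts_line(line: str):
    """Return (hosts, key_type, blob) for a known_hosts entry."""
    fields = line.split()
    if fields and fields[0].startswith("@"):  # skip @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("not a known_hosts key line")
    hosts, key_type, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with its own type string; it must agree with the line.
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return hosts.split(","), key_type, blob

def fingerprints(blob: bytes) -> dict:
    """MD5 colon-hex (older clients) and SHA256 base64 (newer clients) of the blob."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def matches_out_of_band(line: str, expected: str) -> bool:
    """True only if the key on `line` hashes to the fingerprint obtained out of band."""
    _, _, blob = parse_known_hosts_line(line)
    got, want = fingerprints(blob), expected.strip()
    if want.startswith("SHA256:"):
        return want == got["sha256"]      # base64 is case-sensitive
    if want.upper().startswith("MD5:"):
        want = want[4:]
    return want.lower() == got["md5"]     # hex is not

if __name__ == "__main__":
    print(fingerprints(SAMPLE_BLOB))
```

`ssh-keygen -l -f ~/.ssh/known_hosts` prints the same fingerprints for the keys the client has stored.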
 
  

