LinuxQuestions.org
Old 10-29-2009, 02:10 AM   #1
bartonski
SSH host keys are not being read correctly from .ssh/known_hosts.


I'm having an annoying little issue logging in to my Linux box at work from one of the other servers.

Every time I log in, I get the following prompt:

Code:
The authenticity of host '10.11.4.40 (10.11.4.40)' can't be established.
RSA key fingerprint is 7f:b5:f6:3c:36:72:41:4d:0a:f0:f7:f2:36:50:1b:d6.
Are you sure you want to continue connecting (yes/no)?

If I reply 'yes', I see the following:

Code:
Warning: Permanently added '10.11.4.40' (RSA) to the list of known hosts.

I expect to see this the first time that I log in to a server. Once added to known_hosts, I expect that I will not be prompted again, but I am, every single time I log in.

The RSA key fingerprint is always the same; I get the following repeated over and over in .ssh/known_hosts:

Code:
10.11.4.40 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5SwkwWWJLg+HTttBIwM6SBj0wVhdNT0Y9R7BTOKCTFSYUzYxD0AW2HWaoe33y67fnqMmz2h+Je7AQI4m5YU+BusQ1WWG8xDRplezCx7ZBQxdz7srMWVSQ5dJcHRWzimaUjjOUZDDZMVz2BC+7bR9eAV78KYprRqT1dNGVw0klU8OsKAQmOTe5wBoW5n99/Au91DiwOHyM0s7sdoAe7kzvpsPa+CpJwiTh7On1x/rfcb2EeirpAjbIHyonO1lRlPI+doEsmnLttKKSMm5inGtMt1WGhfbYQwN+XB5/D8hUPMBYr4MMvjRIgaQk4RqC32NnZri8VEDXIx7yBo2QGPI9w==
10.11.4.40 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5SwkwWWJLg+HTttBIwM6SBj0wVhdNT0Y9R7BTOKCTFSYUzYxD0AW2HWaoe33y67fnqMmz2h+Je7AQI4m5YU+BusQ1WWG8xDRplezCx7ZBQxdz7srMWVSQ5dJcHRWzimaUjjOUZDDZMVz2BC+7bR9eAV78KYprRqT1dNGVw0klU8OsKAQmOTe5wBoW5n99/Au91DiwOHyM0s7sdoAe7kzvpsPa+CpJwiTh7On1x/rfcb2EeirpAjbIHyonO1lRlPI+doEsmnLttKKSMm5inGtMt1WGhfbYQwN+XB5/D8hUPMBYr4MMvjRIgaQk4RqC32NnZri8VEDXIx7yBo2QGPI9w==
10.11.4.40 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5SwkwWWJLg+HTttBIwM6SBj0wVhdNT0Y9R7BTOKCTFSYUzYxD0AW2HWaoe33y67fnqMmz2h+Je7AQI4m5YU+BusQ1WWG8xDRplezCx7ZBQxdz7srMWVSQ5dJcHRWzimaUjjOUZDDZMVz2BC+7bR9eAV78KYprRqT1dNGVw0klU8OsKAQmOTe5wBoW5n99/Au91DiwOHyM0s7sdoAe7kzvpsPa+CpJwiTh7On1x/rfcb2EeirpAjbIHyonO1lRlPI+doEsmnLttKKSMm5inGtMt1WGhfbYQwN+XB5/D8hUPMBYr4MMvjRIgaQk4RqC32NnZri8VEDXIx7yBo2QGPI9w==

I tried deleting the known_hosts file, but that didn't help.

Anyone have any ideas about what would cause this?

[To the friendly moderators: I wasn't sure if this was 'security' or 'networking'; feel free to move as you see fit].
 
Old 10-29-2009, 03:16 AM   #2
acid_kewpie
Sorry, I thought you were asking about RSA private keys, but you're not, so my original answer is irrelevant... Can't think of a positive reason to see what you're seeing; it doesn't fit in with common sense, unless maybe ssh is not able to read back the contents of the file? Not sure that really makes any sense TBH, but what are the rights on the file and ~/.ssh? Also, what if you set StrictHostKeyChecking to yes or no? It certainly appears to be client side, so add on a whole heap of -v's to the ssh command and read through the output too.


And this is not a networking question; it's not about routers, switches, or IP addresses. Moved to Linux - Software.

Last edited by acid_kewpie; 10-29-2009 at 03:29 AM.
 
Old 10-29-2009, 08:57 AM   #3
bartonski
Quote:
Originally Posted by acid_kewpie
doesn't fit in with common sense, unless maybe ssh is not able to read back the contents of the file? Not sure that really makes any sense TBH, but what are the rights on the file and ~/.ssh?
Yeah, that was one of my first thoughts... both in terms of not making sense, and then in terms of permissions. Here they are:

Code:
 Thu Oct 29 08:05:24 bchittenden@prodcbridge02:~
> ls -lad .ssh
drwx------ 2 bchittenden FooCoUsers 4096 2009-10-29 01:09 .ssh
 Thu Oct 29 08:05:56 bchittenden@prodcbridge02:~
> ls -lad .ssh/known_hosts 
-rwx------ 1 bchittenden FooCoUsers 1568 2009-10-29 01:58 .ssh/known_hosts

So 'bchittenden' has full access to the file. Furthermore, the known_hosts file is getting written to every time I try to log in to the other box, so I'm pretty sure that it's doing the checking under the correct owner.

Quote:
also what if you set StrictHostKeyChecking to yes or no?
It doesn't complain as loudly, but it still isn't working as I'd expect it to...

Code:
 Thu Oct 29 08:18:43 bchittenden@prodcbridge02:~
> ssh -o StrictHostKeyChecking=no $cribbage
Warning: Permanently added '10.11.4.40' (RSA) to the list of known hosts.

(btw, I don't have access to /etc/hosts on prodcbridge02, hence $cribbage == 10.11.4.40 ... I think that there's a better way to do this, but it works for now).

It shouldn't have to do this: "Warning: Permanently added '10.11.4.40' (RSA) to the list of known hosts."

...plus, I don't really want to turn off StrictHostKeyChecking on an ongoing basis, just 'cause.

Quote:
Certainly appears to be client side, so add on a whole heap of -v's to the ssh command and read through the output too.
I've cut out a chunk of the results, this is the part that seems relevant:

Code:
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/bchittenden/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: filename /home/bchittenden/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug2: no key of type 0 for host 10.11.4.40
debug3: check_host_in_hostfile: filename /home/bchittenden/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug3: check_host_in_hostfile: filename /home/bchittenden/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug2: no key of type 2 for host 10.11.4.40
The authenticity of host '10.11.4.40 (10.11.4.40)' can't be established.
RSA key fingerprint is 7f:b5:f6:3c:36:72:41:4d:0a:f0:f7:f2:36:50:1b:d6.

Still baffled. Could it be that the host key on $cribbage is type 1, and the ssh client on prodcbridge01 is only checking type 0 and type 2? (I'm speaking out of alternative orifices here; I don't even know what types 0 and 2 are, or if type 1 even exists).

OK... from /etc/ssh/sshd_config on cribbage:

Code:
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

Both files exist, are owned by root, and have permission 0600. I do know that corporate policy forbids use of DSA, but that shouldn't matter, given that the RSA host key exists.

Quote:
And this is not a networking question, it's not about routers, switches, ip addresses. moved to Linux - Software.
Thanks.
 
Old 10-29-2009, 05:40 PM   #4
bartonski
Couple more things that I've tried:

Verified ssh_host_rsa_key.pub:

Code:
> ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 7f:b5:f6:3c:36:72:41:4d:0a:f0:f7:f2:36:50:1b:d6 /etc/ssh/ssh_host_rsa_key.pub

This matches the fingerprint that I'm seeing on prodcbridge02, which is a good thing.

I also tried using 'CheckHostIP=yes'; this didn't make a difference.

Code:
> ssh -o CheckHostIP=yes $cribbage
The authenticity of host '10.11.4.40 (10.11.4.40)' can't be established.
RSA key fingerprint is 7f:b5:f6:3c:36:72:41:4d:0a:f0:f7:f2:36:50:1b:d6.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
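As an added example (not code from the thread or from OpenSSH), a small client-side checker for the situation described in these posts: it searches a known_hosts file for a host the way the debug output above shows ssh doing, computes the colon-separated MD5 fingerprint that the prompt and `ssh-keygen -l` print, and tells apart "never stored", "stored but not being read" (the symptom here) and "stored fingerprint differs from what the server offered". It also accepts the hashed `|1|salt|hmac` host form OpenSSH writes with HashKnownHosts; wildcards and `!` negation are not handled. The sample file and key blob are constructed, not real keys.

```python
# Added example: look up a host in an OpenSSH known_hosts file and compare fingerprints.
import base64, hashlib, hmac

def md5_fingerprint(key_b64: str) -> str:
    """Colon-separated MD5 of the raw key blob (the format the prompt and ssh-keygen -l show)."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def hash_hostname(host: str, salt: bytes) -> str:
    """Build the |1|salt|hmac-sha1 host field OpenSSH writes when HashKnownHosts is yes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(pattern: str, host: str) -> bool:
    """True if a comma-separated host field covers `host`, in plain or hashed form.
    Wildcards and '!' negations are deliberately not supported here."""
    for name in pattern.split(","):
        if name.startswith("|1|"):
            salt = base64.b64decode(name.split("|")[2])
            if hmac.compare_digest(hash_hostname(host, salt), name):
                return True
        elif name == host:
            return True
    return False

def find_host_keys(known_hosts: str, host: str) -> list:
    """Return (line_no, key_type, md5_fingerprint) for every entry covering `host`."""
    found = []
    for n, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        if fields and fields[0].startswith("@"):   # drop @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("#") or not host_matches(fields[0], host):
            continue
        found.append((n, fields[1], md5_fingerprint(fields[2])))
    return found

def classify_prompt(known_hosts: str, host: str, prompt_fp: str) -> str:
    """Interpret an "authenticity can't be established" prompt against the file contents."""
    stored = {fp for _, _, fp in find_host_keys(known_hosts, host)}
    if not stored:
        return "not stored"              # first contact: the prompt is expected
    if prompt_fp in stored:
        return "stored but not read"     # the thread's symptom: entry exists, client ignores it
    return "fingerprint mismatch"        # stored key differs from the one the server offered

# Constructed sample: not a real key, and the same line repeated three times as in the thread.
FAKE_KEY = base64.b64encode(b"constructed blob standing in for an RSA key").decode()
SAMPLE_KNOWN_HOSTS = "\n".join(["10.11.4.40 ssh-rsa " + FAKE_KEY] * 3)
```

Run `classify_prompt(SAMPLE_KNOWN_HOSTS, "10.11.4.40", md5_fingerprint(FAKE_KEY))` to see the "stored but not read" verdict; pointing it at a real `~/.ssh/known_hosts` and the fingerprint from the prompt gives the same three-way answer for a live case.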