Questions about SSH
When I log into a server (that I own) for the first time using SSH, Terminal says the server can not be verified and it displays a fingerprint.
Where does the "fingerprint" that is displayed in Terminal come from? From my laptop or from the server? |
That is from the server.
|
if I understood it well: fingerprint comes from the server and stored on the client. That way ssh can inform you if you ssh to the same server name but that was replaced in the meantime.
see ~/.ssh/known_hosts |
Hi again,
As mentioned in your other question, this is the MD5 hash of the server's public key. The server keys are usually in /etc/ssh/ssh_host_{dsa,rsa}. You can obtain the fingerprint by running: Code:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub |
The reason for this is to protect against man-in-the-middle attacks. The first time you connect to a server it stores its key. If an imposter machine comes in, takes over the IP of the remote server (or hijacks the DNS to point the domain to a new location), and starts up a fake SSH server process in order to steal your username and password, as soon as you try to connect to it you'll be notified that this is not the same server you connected to before.
|
Quote:
If the fingerprint is created by using the public key on my server, which public key are we talking about? Is this the public key that was generated on my laptop and then uploaded onto my server? Or is this possibly a public key that was generated on the server by my web host? Follow me? |
Quote:
I have another VPS with the same host. This is how I recall things working when I set that one up... - I ran this on my laptop: ssh-keygen -t rsa -b 2048 - I uploaded the public key from the above command to my VPS - I authorized the public key. - I went into Terminal and typed: ssh cpaneluser@myserveripaddress -p 22 - I got a message saying it couldn't verify the authenticity of the server at myserveripaddress - There was also a fingerprint displayed - presumably from my server - The problem is that when I went to compare this fingerprint displayed in Terminal during initial ssh login against the fingerprint my web host cliamed was my server, they did not match!! The web host could not explain why, and I was ultimately told, "You just have to blindly say 'yes' to that first message, so your laptop can connect to the VPS and then the VPS will send your public key (?) back to it and store it in the "known_hosts" file. I think my web host was wrong, and I should have been able to have matching fingerprints the first time I tried to log in!! What do you say about this? |
Quote:
|
Quote:
Quote:
FYI - when you connect to a server for the first time and accept the key, it gets placed in ~/.ssh/known_hosts on your local machine. You can open up that file and find the key for your server, and compare that to what you were told it should be by the web host (assuming that's the key the web host gave you). |
Quote:
8d:32:0E:9A:...... My web host was insistent that the fingerprint on my VPS was ___A____, but then why didn't I see that in terminal? Why would the fingerprint I saw in Terminal NOT match the fingerprint my web host emailed me not match, when I am 99.9% sure that I did connect to my VPS when I had to break down and blindly type "yes" and hit <enter> even though the fingerprints did not match? |
Quote:
Then what other fingerprint would level-2 tech support be finding for me and emailing me? The idea is that you call your web host n advance, they get YOUR vps's fingerprint, then you log in for the first time using SSH in Terminal, it fetches that SAME fingerprint from your vps, you verify that they match, and you type "yes" to sign on. THEN, the server passes the ____i forget which one____ back to your computer and writes it into the "known_hosts" file, so in the uture when you log in, you don't have to get that same prompt asking if the fingerprint is legitimate, right? This all boils down to either something is broken and that is why the fingerprints don't match, OR my web host is an idiot and can't get the the CORRECT fingerprint to compare to what SSH is showing me in Terminal. That is how I see this annoying issue... Thoughts? |
Maybe he gave you the rsa key, and due to your ssh settings you authenticated over dsa?
It doesn't have to be complicated, if you're concerned, just LOOK. On your local machine, open up ~/.ssh/known_hosts, find the system you're referring to here. The beginning will look something like: Code:
name-of-host ssh-rsa slihdlijaflafjlsdfljasf... Now log into your server, go to /etc/ssh, and open the applicable public key file, either ssh_host_dsa_key.pub or ssh_host_rsa_key.pub, or ssh_host_ed25519_key.pub, or whatever. It should match what's in your known hosts file. Now look at what the provider told you, maybe they gave you one of the other ones. |
Quote:
Quote:
111.222.3333.44 ssh-rsa AAAAB2MzbS7yp2E... Quote:
This past weekend, the web host supposedly ran this... # ssh-keygen -lf .ssh/id_rsa.pub As far as I know, that is creating a public/private key pair on the server. What in the hell does that have to do with the public key I created on my laptop and then installed on my VPS?????? Apparently that command generated this... 2048 06:ef:47:d7:d5:14... .ssh/id_rsa.pub (RSA) This is where I believe the problem is... I created a public/private key pair on my LAPTOP and then I installed the PUBLIC KEY onto my VPS. So when I asked the web host for my fingerprint, I wanted the fingerprint created from the public key THAT I CREATED ON MY LAPTOP. Based on the command they supposedly ran above, I'd say they overwrote MY public key with a new one. Follow me? (I think all of this being difficult falls onto my web host...) |
Quote:
Code:
ssh-keyscan localhost > /tmp/x && ssh-keygen -lf /tmp/x && rm /tmp/x Quote:
The command above created a key pair for your user on the server. This is not the same thing as the server's host key. This key would only be of any use if you want to connect from the server to somewhere else, and plays no role at all in the connection from your laptop to the server. Quote:
You would not need their help to get the fingerprint for the key you generated anyway; simply run "ssh-keygen -lf ~/.ssh/id-rsa.pub" on your laptop for that. Quote:
Getting back to your real concern, I'd suggest you ask your hosting provider to send you a copy of the /etc/ssh/ssh_host_rsa_key.pub file. This should match the entry in your ~/.ssh/known_hosts file for that server. |
Quote:
|
Quote:
|
Quote:
Quote:
Quote:
Quote:
Would I be giving away details of my server or keys that I shouldn't? |
Quote:
Code:
ssh-keyscan localhost > /tmp/x && ssh-keygen -lf /tmp/x && rm /tmp/x If you want to know what it does, there are three parts: 1) ssh-keyscan localhost > /tmp/x This dumps out the server key for the system on which you run the command into a file called "x" located in /tmp/. This would be the same as running "cp /etc/ssh/ssh_host_rsa_key.pub /tmp/x", which is the file I asked you to look at earlier and you just assumed you wouldn't be able to and didn't try...the public key files are world-readable, you don't need to be root. 2) ssh-keygen -lf /tmp/x The -f flag tells it to read from the provided file, the -l flag tells it to print the fingerprint 3) rm /tmp/x Cleans up the temporary file that you created with #1. All of which could be shortened to simply: Code:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub |
suicidaleggroll,
I was trying to follow your instructions, but I have the following issue in Terminal when I try to ssh into my VPS. Here is what is happening... Code:
user1s-MacBook-Pro:~ user1$ ssh vps-user@111.222.333.44 -p 22 Why is it asking for a password?? The whole point of setting up a public/private key pair was so I just have to type in my passphrase on the private key, and NOT enter my cpanel password. This is all very frustrating... |
Permissions are the usual cause.
On the remote server, run the following: Code:
chmod 600 ~/.ssh/authorized_keys |
Quote:
I have a VPS with CentOS6 and cPanel, but no Root access of my own. I thought the way I would execute your code above for the server key was supposed to be done after I SSH'ed into my VPS, but then I got that password issue. So where and how do I run the chmod commands you recommend? Quote:
So I can see my public key in cPanel, but I didn't do anything with ~/.ssh/authorized_keys You'll have to help explain this to me as I learn all about Sys Admin stuff! |
I know nothing about cPanel, can't help you there.
You said you were prompted for a password, did you enter it? Do you know it? |
Quote:
|
The chances of that are incredibly low. Are you connecting using the domain name or IP address? If the IP, then the chances are practically non-existent.
|
Quote:
I took a chance and entered my password into SSH since my key pair stopped working. At the command prompt on my server, I did this... vps-user@111.222.333.44 [~}# ls I see... etc/ .ssh/ In etc/ is a directory called mydomain.com but there is nothing in it. In .ssh/ I see... authorized_keys authorized_keys2 id_rsa.pub I think this is one problem. Why do I have 2 authorized_key files? I built a spreadsheet with two input fields (i.e. "Fingerprint from Web-Host" and "Fingerprint from Terminal") and created a formula to show MATCH/NO MATCH. From there I went into TextWrangler and pasted the KEY from my MacBook's ~/.ssh/known_hosts file into "Fingerprint from Terminal". Then I proceeded to run... cat authorized_keys cat authorized_keys2 cat id_rsa.pub ...and pasted the contents of each into the "Fingerprint from Web-Host" field. (In this case I am comparing KEYS and not fingerprints.) There was NO MATCH in any of the three comparisons?! So what is going on here??? |
The fingerprint is not the public key. The fingerprint is calculated from the public key, and you've been given the command to do this calculation THREE TIMES already.
And as has already been explained to you, nothing you will find in ~/.ssh on the server has anything to do with this question, at all. The key you are looking for, the one that has to do with the server proving it is who it says it is, is in /etc/ssh. |
authorized_keys2 is not used by default by any tool, it can only be a backup or something like that.
|
Quote:
Quote:
Quote:
The conversation as evolved as I learn more, and I am taking people's advice and asking questions along the way to learn more. |
Quote:
What I don't understand is why I can't see this path in Terminal? (I explained this in another post, but it seems like my questions and comments get skipped a lot.) How can I run that command when there is no visiable directory structure or file there? |
Quote:
Quote:
That said, I don't understand the question. What can't you see in the terminal? There's no directory structure or file where? Best guess at interpreting your question is that you're confused about the difference between relative and absolute paths: http://www.linuxnix.com/abslute-path...-in-linuxunix/ |
Quote:
Code:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub If I ssh into my server I end up here... Code:
vps-user@mydomain.com [~] # If I then type... Code:
cd etc/ Code:
./ ../ cacheid mydomain.com/ And even if I look in the directory: mydomain.com/ I don't see anything in it. So I concur - and thank you guys - for the command to get the fingerprint for my server, but am curious why that command works when I don't see that directory structure or file in my VPS account. See? |
not etc but /etc (probably)
|
I repeat:
Best guess at interpreting your question is that you're confused about the difference between relative and absolute paths: http://www.linuxnix.com/abslute-path...-in-linuxunix/ "etc" is a relative path that depends on your current location. "/etc" is an absolute path that does not depend on your current location. Unless you are currently sitting in "/", they are not the same directory. Please read the link. |
Quote:
Quote:
I said above... Quote:
Would be nice if people answer my questions instead of talking around them... |
If the command ran without error, like you said it did, then the file does exist.
Run the following to see it: Code:
ls -l /etc/ssh/ssh_host_rsa_key.pub |
Quote:
|
Quote:
1) Log into the system 2) Run "pwd" |
Quote:
Code:
vps-user@mydomain.com [~]# Code:
cd ../ Code:
vps-user@mydomain.com [/home]# Code:
vps-user@mydomain.com [/home]# ls Code:
/bin/ls: cannot open directory .: Permission denied Which means that I am unable to navigate here to see that this exists... Code:
ls -l /etc/ssh/ssh_host_rsa_key.pub Yes I can run this, and yes it gives me the fingerprint, but that isn't what I asked... I asked why I can execute something I can't navigate to. |
You don't have read permission for /home, but you still have execute permission which allows you to traverse the directory structure. The permissions on /home say nothing about the permissions on /etc or /etc/ssh anyway. You can't do an ls in /home, but you can still cd up to /, perhaps ls there, cd to /etc, ls there, etc.
|
Quote:
|
All times are GMT -5. The time now is 02:43 AM. |