LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-25-2006, 11:39 PM   #1
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Rep: Reputation: 50
SSH RSA key fingerprint with network


Hi,

I have a network with several clients running sshd. I have different port pointing to each client to port 22. I was just wondering if there is any way to cope with the hazzle of rsa key fingerprint in this situation. Whenever I from the outside ssh to a different machine within the network I have to manually remove ~/.ssh/known_hosts before sshing to the client behind the firewall.

Any ideas?
 
Old 08-26-2006, 11:36 AM   #2
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,941

Rep: Reputation: 129Reputation: 129
I'm not sure I understand the dilemma, unless you're using
different users with the same IP address? Just can't seem
to get my head around this problem. Perhaps you can give
an example?

If it's a user issue, you can use "ssh -p 22 username@IP"
where username is the user on the target machine that
you ssh into.

Last edited by Bruce Hill; 08-26-2006 at 11:38 AM.
 
Old 08-27-2006, 05:24 AM   #3
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Original Poster
Rep: Reputation: 50
It's a nated network which I am trying to reach from outside. I have several clients running sshd. So configed the firewall to redirect different ports to different clients (one including the box itself). So since I am sshing to the same ip no matter which computer I am trying to reach I get different fingerprints. I hoped that there would be a way around this. Like make fingerprint ip/port-specific instead of just ip-specific.
 
Old 08-27-2006, 06:33 AM   #4
coolb
Member
 
Registered: Apr 2006
Location: Cape Town, South Africa
Distribution: Gentoo 2006.1(2.6.17-gentoo-r7)
Posts: 222

Rep: Reputation: 30
why not push differnet ports for each sshd through your firewall.
 
Old 08-27-2006, 07:00 AM   #5
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Original Poster
Rep: Reputation: 50
Yes, that's what I've done. I have several ports open from outside on the firewall, pointing to port 22 on different clients. But here's the problem.

Client A can be reached from outside the network on port 1234
Client B can be reached from outside the network on port 4321

I ssh xx.xx.xx -p 1234 and it creates a fingerprint.
Next time I ssh xx.xx.xx.xx -p 4321 and now the fingerprint is wrong. So I have to rm ~/.ssh/known_hosts and run ssh xx.xx.xx.xx -p 4321 again and create a new fingerprint for client B.

You see the hazzle? The fingerprint does not care about me using different ports, it is the same IP address and therefore the fingerprint is wrong. I would like to have something like this:

xx.xx.xx.xx:1234 uses fingerprint A
xx.xx.xx.xx:4321 uses fingerprint B

Now whenever I ssh to either client a or b it uses the correct fingerprint for that client and I don't have to manually remove known_hosts and recreate the fingerprint each time I ssh to a different client.
 
Old 09-04-2006, 10:56 PM   #6
Davus
Member
 
Registered: Jul 2004
Location: Mesquite, Texas
Distribution: currently retired
Posts: 31

Rep: Reputation: 15
I'm currently seeking this solution also, as I have many SSH daemons in a NAT'd LAN (running under one public IP address), in which I would like to access independent of a central daemon (SSH'ing to one, then hopping to another, to avoid the known_hosts issue).
 
Old 09-06-2006, 07:43 PM   #7
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116Reputation: 116
Either:
(1) only ssh into one machine, then ssh from that machine to your desired target elsewhere in the LAN or:

(2) set up different user IDs on your computer and su to the appropriate user ID in order to ssh into the appropriate box. For instance, if the desired target computer is named BigBox, then set up a userID BigBoxID on your machine and from a shell window su BigBoxID in order to ssh into BigBox. This is how I do it.
 
Old 09-06-2006, 07:53 PM   #8
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,941

Rep: Reputation: 129Reputation: 129
You don't even have to su to BigBox, if you do like I
posted above ^^^ and add "username@IP".

In that example you ssh into port whatever as username@IP.

I do this when working on client networks remotedly and I
need something off my server. It allows me to ssh into a
non-standard port (the only one open in my router) to my
server. If you have the username on the machine to which
you login, it should not require a new key each time.

Since the ssh key is created per username on host, this
seems to be a solution.
 
Old 09-08-2006, 05:51 PM   #9
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Original Poster
Rep: Reputation: 50
What if I have the same nickname on all different machines within the LAN?

So:

(cmds issued from 81.3.2.1 which is outside the NATed network where 217.1.1.1 acts as the gateway)

ephracis $ ssh ephracis@217.1.1.1 (normal)
ephracis $ ssh ephracis@217.1.1.1 -p 1002 -> ephracis@192.168.0.2:22
ephracis $ ssh ephracis@217.1.1.1 -p 1003 -> ephracis@192.168.0.3:22
ephracis $ ssh ephracis@217.1.1.1 -p 1004 -> ephracis@192.168.0.4:22
ephracis $ ssh ephracis@217.1.1.1 -p 1005 -> ephracis@192.168.0.5:22

Would they "share" the same in known_hosts and therefore requirer me to remove .ssh/known_hosts everytime I need to access a different NATed computer on the LAN?

I understand that using a different local user to ssh into each machine would create a different ~/.ssh/known_hosts and work, it seems like a waste of space to use a user just for that. Can't I somehow separate the fingerprints for each port on 217.1.1.1? Or doesn't OpenSSH support that? If so, is there a good reason for that?

Last edited by Ephracis; 09-08-2006 at 05:52 PM.
 
Old 09-08-2006, 05:54 PM   #10
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,941

Rep: Reputation: 129Reputation: 129
It is my understanding that the fingerprint is created for the user. If that's so, you can login to any port with that username and use the same key. Why don't you just try it?

NB: You must have ephracis on each separate machine.
 
Old 09-10-2006, 11:33 AM   #11
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Original Poster
Rep: Reputation: 50
Quote:
Originally Posted by Bruce Hill
It is my understanding that the fingerprint is created for the user. If that's so, you can login to any port with that username and use the same key. Why don't you just try it?

NB: You must have ephracis on each separate machine.
Not sure I am following you here. The fingerprint is created in ~/.ssh/known_hosts so it is specific for the user on the local machine which is located outside the NATed network.

But since I have several different machines that I ssh into (which are located inside the NATed network) I have several different fingerprints.

How do these fingerprints work and how are they stored in known_hosts? Because as it is now these different fingerprints overwrite each other in known_hosts. They can't live side-by-side (not if they share the same ip, and that's exactly what machines behind a NATed gateway do).

So since all my machines share the same IP they share the same entry in known_hosts, giving me headache. Is there a way to distinguish them and make each fingerprint (for each machine within the NATed network) exist at the same time, in known_hosts. And then make ssh use the right fingerprint for the right machine (they are still all accessed via the same public ip from my machine, outside the network).

Is this possible or even possible to implement? I am no expert in the security that known_hosts creates but it sure gives me problems when I have several fingerprints for one IP.
 
Old 09-10-2006, 08:31 PM   #12
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,941

Rep: Reputation: 129Reputation: 129
I think what coolb posted way back might be the answer. For my LAN I have port forwarding setup to specific boxen -- I think port forwarding is what you want.

From the following output you supplied:
Code:
(cmds issued from 81.3.2.1 which is outside the NATed network where 217.1.1.1 acts as the gateway)

ephracis $ ssh ephracis@217.1.1.1 (normal)
ephracis $ ssh ephracis@217.1.1.1 -p 1002 -> ephracis@192.168.0.2:22
ephracis $ ssh ephracis@217.1.1.1 -p 1003 -> ephracis@192.168.0.3:22
ephracis $ ssh ephracis@217.1.1.1 -p 1004 -> ephracis@192.168.0.4:22
ephracis $ ssh ephracis@217.1.1.1 -p 1005 -> ephracis@192.168.0.5:22
it would require you to:
forward ssh on port 1002 to 192.168.0.2
forward ssh on port 1003 to 192.168.0.3
forward ssh on port 1004 to 192.168.0.4
forward ssh on port 1005 to 192.168.0.5

Then you would login as I wrote before, i.e.:
"ssh -p 1002 ephracis@217.1.1.1"
which you realize means the user ephracis logs in to 217.1.1.1 to port 1002,
which forwards to the computer on your LAN at 192.168.0.2.

And have you read this from "man ssh" ?
Code:
     -L [bind_address:]port:host:hostport
             Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.  This works by allocat-
             ing a socket to listen to port on the local side, optionally bound to the specified bind_address.  Whenever a connection is made to this port, the
             connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine.  Port forwardings can
             also be specified in the configuration file.  IPv6 addresses can be specified with an alternative syntax: [bind_address/]port/host/hostport or by
             enclosing the address in square brackets.  Only the superuser can forward privileged ports.  By default, the local port is bound in accordance
             with the GatewayPorts setting.  However, an explicit bind_address may be used to bind the connection to a specific address.  The bind_address of
             ``localhost'' indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be
             available from all interfaces
Sorry if I'm still off track ...
 
Old 09-10-2006, 09:48 PM   #13
filex
Member
 
Registered: Sep 2004
Posts: 56

Rep: Reputation: 15
Do you mean this?

ssh your_username@yourdomain.com -p 22 -o StrictHostKeyChecking=no
 
Old 09-10-2006, 09:56 PM   #14
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058
Blog Entries: 2

Rep: Reputation: 79
Me wonders how long it will be before yourdomain.com starts getting spam. Those bots are going to find that.

 
Old 09-11-2006, 05:11 AM   #15
Lotharster
Member
 
Registered: Nov 2005
Posts: 144

Rep: Reputation: 18
a solution

Quote:
Originally Posted by Ephracis
(...)
How do these fingerprints work and how are they stored in known_hosts? Because as it is now these different fingerprints overwrite each other in known_hosts. They can't live side-by-side (not if they share the same ip, and that's exactly what machines behind a NATed gateway do).
The fingerprints are used to guard against man in the middle attacks. Since ssh logins usually work over the internet (an insecure connection), someone could hijack your connection. When you try to log into yourmachine.com, he could get "in the middle" and return your challenge as if he was yourmachine.com. That way, he could get hold of your login password.

To make this attack harder, ssh stores the fingerprint of the server's public key on thefirst connection attempt. Yopu will see a prompt like:
Code:
The authenticity of host 'eisen (137.43.366.64)' can't be established.
RSA key fingerprint is cf:55:30:31:7f:f0:c4:a0:9a:02:1d:1c:41:cf:63:cf.
Are you sure you want to continue connecting (yes/no)?
When you enter yes, ssh will add teh fingerprint to your known_hosts file. you will see
Code:
Warning: Permanently added 'eisen,137.43.366.64' (RSA) to the list of known hosts.
The next time you login, ssh will check wether the host key has changed. A changing host key usually indicates a man in the middle attack, and ssh refuses to connect.

However, I found a solution:

If there are several different fingerprints in known_hosts for the same host (IP), ssh will connect if at least one of them is correct. So what you should do is

Code:
# 1.) move your known_hosts file to a different filename
mv .ssh/known_hosts .ssh/known_hosts.old
# 2.) connect to computer #1, so its host key is written to the (now empty) known_hosts file
ssh you@yourfirstmachine -p port1
# 3.) add the new host key fingerprint to the old known_hosts file
cat .ssh/known_hosts >>.ssh/known_hosts.old
# 4.) remove the new known_hosts file
rm .ssh/known_hosts
# Now you should repeat steps 2-4 for each computer in you nated network
# At the end, you simply move the old known_hosts file with the added keys back again
mv .ssh/known_hosts.old .ssh/known_hosts
If you don't connect to any other ssh servers, you could skip step 1 and simply remove your old known_hosts file.

The above approach worked with my ssh (Version OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004). I hope it works for you also.

Regards,

Lotharster

Last edited by Lotharster; 09-11-2006 at 05:51 AM.
 
  


Reply

Tags
ssh


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
failed ssh RSA key authentication jdarren Linux - Networking 15 07-06-2008 10:25 AM
SSH RSA key problem taiwf Linux - General 3 05-21-2006 09:33 PM
ssh rsa key changed after upgrade itsjustme Linux - General 11 11-06-2003 09:12 AM
ssh RSA key thanat0s Linux - Security 3 09-29-2003 09:51 PM
RSA public key encryption/private key decription koningshoed Linux - Security 1 08-08-2002 07:25 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:16 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration