Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

08-25-2006, 11:39 PM, #1
Senior Member
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109
SSH RSA key fingerprint with network
Hi,
I have a network with several clients running sshd. I have a different port pointing to port 22 on each client. I was just wondering if there is any way to cope with the hassle of RSA key fingerprints in this situation. Whenever I ssh from the outside to a different machine within the network I have to manually remove ~/.ssh/known_hosts before sshing to the client behind the firewall.
Any ideas?

08-26-2006, 11:36 AM, #2
HCL Maintainer
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,941
I'm not sure I understand the dilemma, unless you're using different users with the same IP address? Just can't seem to get my head around this problem. Perhaps you can give an example?
If it's a user issue, you can use "ssh -p 22 username@IP" where username is the user on the target machine that you ssh into.
Last edited by Bruce Hill; 08-26-2006 at 11:38 AM.

08-27-2006, 05:24 AM, #3
Senior Member
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109
Original Poster
It's a NATed network which I am trying to reach from outside. I have several clients running sshd, so I configured the firewall to redirect different ports to different clients (one of them being the box itself). Since I am sshing to the same IP no matter which computer I am trying to reach, I get different fingerprints. I hoped that there would be a way around this, like making the fingerprint IP/port-specific instead of just IP-specific.

08-27-2006, 06:33 AM, #4
Member
Registered: Apr 2006
Location: Cape Town, South Africa
Distribution: Gentoo 2006.1 (2.6.17-gentoo-r7)
Posts: 222
Why not push different ports for each sshd through your firewall?

08-27-2006, 07:00 AM, #5
Senior Member
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109
Original Poster
Yes, that's what I've done. I have several ports open from outside on the firewall, pointing to port 22 on different clients. But here's the problem:
Client A can be reached from outside the network on port 1234
Client B can be reached from outside the network on port 4321
I ssh xx.xx.xx.xx -p 1234 and it creates a fingerprint.
Next time I ssh xx.xx.xx.xx -p 4321 and now the fingerprint is wrong. So I have to rm ~/.ssh/known_hosts and run ssh xx.xx.xx.xx -p 4321 again to create a new fingerprint for client B.
You see the hassle? The fingerprint does not care about me using different ports; it is the same IP address and therefore the fingerprint is wrong. I would like to have something like this:
xx.xx.xx.xx:1234 uses fingerprint A
xx.xx.xx.xx:4321 uses fingerprint B
Now whenever I ssh to either client A or B it uses the correct fingerprint for that client and I don't have to manually remove known_hosts and recreate the fingerprint each time I ssh to a different client.

09-04-2006, 10:56 PM, #6
Member
Registered: Jul 2004
Location: Mesquite, Texas
Distribution: currently retired
Posts: 31
I'm currently seeking this solution also, as I have many SSH daemons in a NAT'd LAN (running under one public IP address) which I would like to access independently of a central daemon (SSH'ing to one, then hopping to another, to avoid the known_hosts issue).

09-06-2006, 07:43 PM, #7
Senior Member
Registered: Sep 2003
Posts: 3,171
Either:
(1) only ssh into one machine, then ssh from that machine to your desired target elsewhere in the LAN, or
(2) set up different user IDs on your computer and su to the appropriate user ID in order to ssh into the appropriate box. For instance, if the desired target computer is named BigBox, then set up a user ID BigBoxID on your machine and from a shell window su BigBoxID in order to ssh into BigBox. This is how I do it.

09-06-2006, 07:53 PM, #8
HCL Maintainer
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,941
You don't even have to su to BigBox, if you do like I posted above ^^^ and add "username@IP".
In that example you ssh into port whatever as username@IP. I do this when working on client networks remotely and I need something off my server. It allows me to ssh into a non-standard port (the only one open in my router) to my server. If you have the username on the machine to which you login, it should not require a new key each time. Since the ssh key is created per username on host, this seems to be a solution.

09-08-2006, 05:51 PM, #9
Senior Member
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109
Original Poster
What if I have the same nickname on all the different machines within the LAN?
So:
(cmds issued from 81.3.2.1 which is outside the NATed network where 217.1.1.1 acts as the gateway)
ephracis $ ssh ephracis@217.1.1.1 (normal)
ephracis $ ssh ephracis@217.1.1.1 -p 1002 -> ephracis@192.168.0.2:22
ephracis $ ssh ephracis@217.1.1.1 -p 1003 -> ephracis@192.168.0.3:22
ephracis $ ssh ephracis@217.1.1.1 -p 1004 -> ephracis@192.168.0.4:22
ephracis $ ssh ephracis@217.1.1.1 -p 1005 -> ephracis@192.168.0.5:22
Would they "share" the same entry in known_hosts and therefore require me to remove .ssh/known_hosts every time I need to access a different NATed computer on the LAN?
I understand that using a different local user to ssh into each machine would create a different ~/.ssh/known_hosts and work, but it seems like a waste of space to use a user just for that. Can't I somehow separate the fingerprints for each port on 217.1.1.1? Or doesn't OpenSSH support that? If so, is there a good reason for that?
Last edited by Ephracis; 09-08-2006 at 05:52 PM.

09-08-2006, 05:54 PM, #10
HCL Maintainer
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,941
It is my understanding that the fingerprint is created for the user. If that's so, you can login to any port with that username and use the same key. Why don't you just try it?
NB: You must have ephracis on each separate machine.

09-10-2006, 11:33 AM, #11
Senior Member
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109
Original Poster
Quote: Originally Posted by Bruce Hill
It is my understanding that the fingerprint is created for the user. If that's so, you can login to any port with that username and use the same key. Why don't you just try it?
NB: You must have ephracis on each separate machine.
Not sure I am following you here. The fingerprint is created in ~/.ssh/known_hosts, so it is specific to the user on the local machine, which is located outside the NATed network.
But since I have several different machines that I ssh into (which are located inside the NATed network) I have several different fingerprints.
How do these fingerprints work and how are they stored in known_hosts? Because as it is now these different fingerprints overwrite each other in known_hosts. They can't live side by side (not if they share the same IP, and that's exactly what machines behind a NATed gateway do).
So since all my machines share the same IP they share the same entry in known_hosts, giving me a headache. Is there a way to distinguish them and make each fingerprint (for each machine within the NATed network) exist at the same time in known_hosts, and then make ssh use the right fingerprint for the right machine (they are still all accessed via the same public IP from my machine, outside the network)?
Is this possible, or even possible to implement? I am no expert in the security that known_hosts provides, but it sure gives me problems when I have several fingerprints for one IP.

09-10-2006, 08:31 PM, #12
HCL Maintainer
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,941
I think what coolb posted way back might be the answer. For my LAN I have port forwarding set up to specific boxen -- I think port forwarding is what you want.
From the following output you supplied:
Code:
(cmds issued from 81.3.2.1 which is outside the NATed network where 217.1.1.1 acts as the gateway)
ephracis $ ssh ephracis@217.1.1.1 (normal)
ephracis $ ssh ephracis@217.1.1.1 -p 1002 -> ephracis@192.168.0.2:22
ephracis $ ssh ephracis@217.1.1.1 -p 1003 -> ephracis@192.168.0.3:22
ephracis $ ssh ephracis@217.1.1.1 -p 1004 -> ephracis@192.168.0.4:22
ephracis $ ssh ephracis@217.1.1.1 -p 1005 -> ephracis@192.168.0.5:22
it would require you to:
forward ssh on port 1002 to 192.168.0.2
forward ssh on port 1003 to 192.168.0.3
forward ssh on port 1004 to 192.168.0.4
forward ssh on port 1005 to 192.168.0.5
Then you would login as I wrote before, i.e.:
"ssh -p 1002 ephracis@217.1.1.1"
which you realize means the user ephracis logs in to 217.1.1.1 to port 1002,
which forwards to the computer on your LAN at 192.168.0.2.
And have you read this from "man ssh"?
Code:
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax: [bind_address/]port/host/hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of ``localhost'' indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces.
Sorry if I'm still off track ...

09-10-2006, 09:48 PM, #13
Member
Registered: Sep 2004
Posts: 56
Do you mean this?
ssh your_username@yourdomain.com -p 22 -o StrictHostKeyChecking=no

09-11-2006, 05:11 AM, #15
Member
Registered: Nov 2005
Posts: 144
a solution
Quote: Originally Posted by Ephracis
(...)
How do these fingerprints work and how are they stored in known_hosts? Because as it is now these different fingerprints overwrite each other in known_hosts. They can't live side-by-side (not if they share the same ip, and that's exactly what machines behind a NATed gateway do).
The fingerprints are used to guard against man in the middle attacks. Since ssh logins usually work over the internet (an insecure connection), someone could hijack your connection. When you try to log into yourmachine.com, he could get "in the middle" and answer your challenge as if he were yourmachine.com. That way, he could get hold of your login password.
To make this attack harder, ssh stores the fingerprint of the server's public key on the first connection attempt. You will see a prompt like:
Code:
The authenticity of host 'eisen (137.43.366.64)' can't be established.
RSA key fingerprint is cf:55:30:31:7f:f0:c4:a0:9a:02:1d:1c:41:cf:63:cf.
Are you sure you want to continue connecting (yes/no)?
When you enter yes, ssh will add the fingerprint to your known_hosts file. You will see:
Code:
Warning: Permanently added 'eisen,137.43.366.64' (RSA) to the list of known hosts.
The next time you login, ssh will check whether the host key has changed. A changed host key usually indicates a man in the middle attack, and ssh refuses to connect.
However, I found a solution:
If there are several different fingerprints in known_hosts for the same host (IP), ssh will connect if at least one of them is correct. So what you should do is:
Code:
# 1.) move your known_hosts file to a different filename
mv .ssh/known_hosts .ssh/known_hosts.old
# 2.) connect to computer #1, so its host key is written to the (now empty) known_hosts file
ssh you@yourfirstmachine -p port1
# 3.) add the new host key fingerprint to the old known_hosts file
cat .ssh/known_hosts >>.ssh/known_hosts.old
# 4.) remove the new known_hosts file
rm .ssh/known_hosts
# Now you should repeat steps 2-4 for each computer in your NATed network
# At the end, you simply move the old known_hosts file with the added keys back again
mv .ssh/known_hosts.old .ssh/known_hosts
If you don't connect to any other ssh servers, you could skip step 1 and simply remove your old known_hosts file.
The above approach worked with my ssh (Version OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004). I hope it works for you also.
Regards,
Lotharster
Last edited by Lotharster; 09-11-2006 at 05:51 AM.
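What the thread is circling around is how OpenSSH keys its known_hosts lookup, so here is an added example, written in Python for this page and not code from any poster, that models that lookup: the bare host name for port 22, the `[host]:port` form that OpenSSH 4.0 and later write for non-default ports (Lotharster's 3.8.1 predates it), the hashed `|1|salt|hmac` entries produced by `HashKnownHosts`, comma-separated patterns with `!` negation, and `@revoked` markers. The known_hosts text, the key strings and the HMAC salt are constructed placeholders. With `port_aware=False` the lookup reproduces the port-blind behaviour the original poster hit, where client B's key on port 4321 is reported as changed because it is filed under the same bare address as client A's; with port-qualified names the two entries coexist, and, as Lotharster found, two different keys filed under the same name both verify. On any OpenSSH version the same separation can be had from `~/.ssh/config` with one `Host` alias per client plus `HostKeyAlias`, which gives each alias its own known_hosts entry; that is the option to prefer over post #13's `StrictHostKeyChecking=no`, since that switches off exactly the man-in-the-middle check Lotharster describes.

```python
"""Model of how OpenSSH decides whether a server's host key is already known.
Added example for this thread, not any poster's code; all keys and the salt
below are constructed placeholders."""
import base64
import hashlib
import hmac
import re

# Constructed known_hosts: the thread's public gateway 217.1.1.1 with two LAN
# clients forwarded on ports 1234 and 4321 (the setup from post #5).
SAMPLE_KNOWN_HOSTS = """\
# gateway itself, reached on the default port 22: filed under the bare address
217.1.1.1 ssh-rsa AAAAGATEWAYKEY
# non-default ports are filed as [host]:port (OpenSSH 4.0 and later)
[217.1.1.1]:1234 ssh-rsa AAAACLIENTAKEY
[217.1.1.1]:4321 ssh-rsa AAAACLIENTBKEY
# a second key for the same name: ssh accepts either one (Lotharster's finding)
217.1.1.1 ssh-rsa AAAAGATEWAYKEY2
# a revoked key is refused even though it matches
@revoked 217.1.1.1 ssh-rsa AAAAOLDLEAKEDKEY
"""

# Pre-4.0 layout behind the thread's problem: client A's key filed under the
# bare address, so client B (same address, other port) looks like a changed key.
LEGACY_KNOWN_HOSTS = "217.1.1.1 ssh-rsa AAAACLIENTAKEY\n"

def known_hosts_name(host, port, port_aware=True):
    """Name looked up in known_hosts: bare host for port 22, else [host]:port.
    port_aware=False reproduces the old port-blind behaviour."""
    if port == 22 or not port_aware:
        return host
    return f"[{host}]:{port}"

def hash_host(name, salt):
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def glob_match(pattern, name):
    """known_hosts globbing: only '*' and '?' are special; brackets are literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None

def host_field_matches(field, name):
    """Does one host field (hashed, or a comma list with !negations) cover name?"""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    matched = False
    for pat in field.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if glob_match(pat, name):
            if negated:
                return False  # a negated match excludes the whole line
            matched = True
    return matched

def parse_known_hosts(text):
    """Yield (marker, host_field, key_type, key) for each real entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue  # malformed line; ssh skips these as well
        yield marker, fields[0], fields[1], fields[2]

def check_host_key(text, host, port, key_type, key, port_aware=True):
    """Classify a presented key: 'ok', 'revoked', 'changed' or 'unknown'.
    'changed' is the case that makes ssh print its man-in-the-middle warning."""
    name = known_hosts_name(host, port, port_aware)
    found = same_type_seen = False
    for marker, host_field, ktype, known in parse_known_hosts(text):
        if marker == "@cert-authority":
            continue  # CA lines certify host certificates, not host keys
        if ktype != key_type or not host_field_matches(host_field, name):
            continue
        if known != key:
            same_type_seen = True  # same name and key type, different key
        elif marker == "@revoked":
            return "revoked"
        else:
            found = True
    if found:
        return "ok"
    return "changed" if same_type_seen else "unknown"
```

`check_host_key(LEGACY_KNOWN_HOSTS, "217.1.1.1", 4321, "ssh-rsa", "AAAACLIENTBKEY", port_aware=False)` returns `"changed"`, which is the situation in post #5; the same call with the port-aware name returns `"unknown"`, the ordinary first-connection prompt, and once `[217.1.1.1]:4321` has its own line the key verifies as `"ok"` without disturbing client A's entry.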