Problems authenticating SSH session

spangle1 · 11-10-2011, 12:42 PM

I'm having a conceptual problem that you may be able to assist with. The problem may be due to my misunderstanding of SSH concepts, or SSH technological implementation, or Shared Hosting, but here goes:

I've got a shared hosting account with GoDaddy, and they've got an SSH server which is set up in such a way that, from my terminal, I can "ssh www.myhosteddomainname.com -l myusername". This responds with an RSA key fingerprint and asks whether I want to continue connecting.

Now it's my understanding that the only way to be sure that this connection is indeed with GoDaddy as I hope it is, is to get GoDaddy to confirm the correct RSA key fingerprint, and check that this is the same as the one reported by the ssh client.

I've called GoDaddy to get this information, but they wouldn't give it to me. After an age on the phone, I'm not entirely clear what the reason is, because they seemed to give me many different reasons and none of them made any real sense to me.

The reasons varied from "we're unable to get the fingerprint from the server" to "we wouldn't be prepared to give that fingerprint over the phone".

So my question is this: Do I need to verify the fingerprint appearing in the SSH client against a fingerprint given to me by GoDaddy? If so, is there any way of doing this other than by getting GoDaddy to tell me what it is, and does it make sense that GoDaddy would provide SSH capabilities without being prepared to provide the fingerprint? If not, please could you provide some explanation of where I've misunderstood - or a link to a clear explanation, as I've already done a lot of reading, and find the subject a bit complicated, but thought I'd now understood it correctly.

Thanks in advance for your help.

smoker · 11-10-2011, 01:13 PM

You don't have to verify the host fingerprint. As long as you are sure you are connected to the correct server, just accept the fingerprint and log in. In future, if the fingerprint changes then you must investigate, as something has changed. You will find the fingerprints of all the ssh servers you connect to in a file called known_hosts.

Code:

ssh automatically maintains and checks a database containing identifica‐
     tion for all hosts it has ever been used with.  Host keys are stored in
     ~/.ssh/known_hosts in the user's home directory.  Additionally, the file
     /etc/ssh/ssh_known_hosts is automatically checked for known hosts.  Any
     new hosts are automatically added to the user's file.  If a host's iden‐
     tification ever changes, ssh warns about this and disables password
     authentication to prevent server spoofing or man-in-the-middle attacks,
     which could otherwise be used to circumvent the encryption.

spangle1 · 11-11-2011, 04:00 AM

Thanks for the prompt reply, smoker. But what I still don't understand is: how can I be absolutely sure that the response isn't from a spoofed server or man-in-the-middle attack - is there some logic that explains that this is infinitely less likely the first time you connect from a new computer / OS installation to a particular server, than on subsequent attempts?

I had thought that the behaviour envisaged by the architects of ssh/pki etc would be to get the fingerprint externally (out-of-band e.g. in person), similar to the way you might want to if you're dealing with digitally encrypted or signed files.