Unsecuring SSH
I have two computers in my house: a desktop and a laptop. I like to have an SSH server going on the desktop so I can mess with things upstairs from the lappy if I want to.
Now, I just installed LFS alongside the existing Ubuntu on the desktop. SSH on the Ubuntu 7.04 laptop complains that the public key has changed, but I changed a setting in /etc/ssh/ssh_config to fix that.
Now, it whinges that "password authentication is disabled to avoid man-in-the-middle attacks" and I can't find a way around this.
I don't care about security here in any way, so I'd like to have ssh ignore this and connect anyway. How?
[...] I changed a setting in /etc/ssh/ssh_config to fix that.
What was it you changed?
The problem that you have is the two SSH servers both have different server keys. But as far as your SSH client is concerned it's the same machine regardless of which OS the desktop is running. So when you change OS it thinks the machine has changed. Each time it replaces the server key in its local cache.
One thought is to give each OS on your desktop a different static IP. That way your client will think they're different machines and store their keys separately.
(Another thought is to only connect to them by name. I *think* SSH attributes the key to the server's name or IP but not both)
But, if you don't care about security then just use telnet.
But, if you don't care about security then just use telnet.
Don't use that. Even if you didn't care about security, you shouldn't use it. Take a look at your SSH server/client configuration files, mostly just the server (/etc/ssh/sshd_config is the usual path), and don't start fooling around.
"I don't care about security" doesn't always make trouble for you yourself, but it can for others. Two good examples are viruses and email spam: they might not be your trouble today, but they are slowing networks down all over the world, so that way they're affecting you too. This is why security should never be laughed at. Computer viruses are mainly a Windows-user-problem, and some *fool* UNIX/Linux users think they aren't involved in any way, but the simple fact is that any machine letting that malware spread (as in not stop it) is a machine that is involved in spreading them, is hurt by them, and should do something about it.
When you reinstalled a new distro, a new key was generated. On the other computer, the known_hosts file has a line with the old information. You can simply remove the line in ~/.ssh/known_hosts for that computer and try the connection again.
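An alternative to deleting the known_hosts line on every OS switch, as an added example that is not part of the original thread: a per-user `~/.ssh/config` on the laptop that gives each OS on the dual-boot desktop its own host-key name with `HostKeyAlias`, so both keys are stored and still verified. The address 192.168.1.10 and the alias names are constructed placeholders.

```sshconfig
# ~/.ssh/config on the laptop
# Added example: the address and the alias names below are placeholders.

# Weak variant (left commented out): no key is ever remembered, so a
# changed host key can no longer be noticed.
#Host desktop
#    HostName 192.168.1.10
#    StrictHostKeyChecking no
#    UserKnownHostsFile /dev/null

# Corrected variant: one entry per OS on the same machine.
# HostKeyAlias makes ssh save and look up the host key under the alias
# instead of the real host name, so each OS keeps its own known_hosts line.
# CheckHostIP is turned off for these entries because both systems answer
# on the same address and an IP-based lookup would match only one of them.
Host desktop-ubuntu
    HostName 192.168.1.10
    HostKeyAlias desktop-ubuntu
    CheckHostIP no

Host desktop-lfs
    HostName 192.168.1.10
    HostKeyAlias desktop-lfs
    CheckHostIP no
```

Connect with `ssh desktop-ubuntu` or `ssh desktop-lfs` depending on which OS is booted; an old entry stored under the bare address can be dropped once with `ssh-keygen -R 192.168.1.10`.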
While I can appreciate your position, we are talking about two machines inside of a private LAN, not servers exposed to the Internet.
It is certainly wise to practice good system security at all times, but on the other hand; if it is a completely private system, you can really do whatever you want.
I have a machine in my network that has no password for the root account, because it never connects to the Internet and is simply a machine I compile software on. I would certainly never set something like that up on a machine with access to the Internet, but for my current purposes, it works out fine.
b0uncer. My normally secure self is shamed by your diligence. You are indeed correct.
The mindset of "I'm inside my own network" is going to set you up for a fall at some point. What about other machines that connect out? I would guess that most machines that get compromised do so through a client. Windows machine on your network? Patches for all OSs up to date? Arbitrary code execution in Firefox?
Once one machine falls your whole network may as well be outside your firewall.
The first thing that I do when installing a new distro is to disable root ssh logins and create an "AllowUsers" entry in /etc/ssh/sshd_config. "AllowGroup" might be more useful for you instead. If ssh is forwarded at the firewall to any machine, there will always be brute force attacks against ssh trying to log in as root or a system user.
I read a book by Kevin Mitnick. It had a number of hacker case studies. In one instance, a console cable was used to connect two devices together, and the tech forgot to remove it. This allowed a hacker to bypass the security at the gateway. In another, a hacker got in through a telco computer to a laptop in a delivery van using pcanywhere and was able to inject a backdoor in the few minutes that the laptop was used by the delivery guy. Some of the stories may be exaggerated, but you may want to avoid a "walnut" network. Hard to crack on the outside. Soft and Meaty on the inside. A common problem in many of the cases was the boss's laptop not having a good password, and containing a password file that could be cracked over time offline.
Original Poster
Hmm, food for thought...
Well, in the end I just decided to nuke ~/.ssh/known_hosts, and symlink it to /dev/null. Now, it just warns me that it's adding it to the list of known hosts every time I connect to either OS.
On the topic of security-
Both computers access the internet (albeit through a router), and both have Windows installs that are used quite regularly. Taking this into account, I guess it wouldn't be wise to not give any thought to security, but I'm not paranoid...
At the moment, I guess someone within wireless range on my network could do something nasty with man-in-the-middle because now I don't check the host's RSA key, but meh, I trust my neighbours.
As ssh access into my network is blocked by the router, I can't see any danger of being exploited remotely. However, feel free to correct me here, I'm not adamant about this.
To conclude, thanks for the solution jschiwal, and thanks for the security discussion Linuxquestions.org
It is certainly wise to practice good system security at all times, but on the other hand; if it is a completely private system, you can really do whatever you want.
I have a machine in my network that has no password for the root account, because it never connects to the Internet and is simply a machine I compile software on. I would certainly never set something like that up on a machine with access to the Internet, but for my current purposes, it works out fine.
That's a very common line, and while you can do anything with any machine you have high enough access to, it's just not wise. I could think of a few ways of implementing alien code to programs compiled on a nonsecure machine, and I doubt you don't read every line of the code every time you compile the things, so it just might go unnoticed sometimes. The only secure machine is a machine that doesn't exist; if a machine is powered on, it's got potential security holes in it. While that is often not important, especially on "safe two-machine local area networks administered by me", and I don't mean any offence, I just like to have everything rather secured than not; I've noticed that being lazy securing something leads, at some point, to being lazy securing something else.
Of course it's everybody's own business if they have passwords or not, if they do authentication or not, use firewalls or not, or think about what their machine is doing when it seems it's not. It's just that most of the trouble of today, like spam, viruses, trojans, worms and other "malware" spreading (or crackers getting your bank information), is caused by lazy people not caring about security enough; it's more about attitude than money or technics.
Some people think they can move a car to the other side of the street without using safety belts, "it's just 20m distance, big deal, I'm moving slower than walking speed so it can't be lethal", and some unlucky ones get killed because a truck just happened to pop up in the wrong place, wrong time, wrong speed. It isn't always just about what we do ourselves.