LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-14-2018, 01:32 PM   #1
upnort
Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS, Ubuntu MATE
Posts: 776

Rep: Reputation: Disabled
SSH fingerprint changed by router NAT tables?


I am trying to understand how a router NAT table modification might affect an SSH fingerprint.

The router is an infrastructure grade Mikrotik CCR1016-12G. I share that info only to emphasize that this is not a home network with a consumer router.

The affected server is a CentOS 7 container running on a Proxmox host. The container is on subnet X.X.91.0/24.

The IP address of the container server was not changed.

Monday I successfully logged into the container server using SSH.

Yesterday the NAT tables were changed on the router for that same 91 subnet.

Today, Wednesday, when I attempted to SSH into the affected server I received the standard SSH warning that the host key had changed. A direct login on that server showed that no keys were modified. Backups confirmed no such changes.

The only change in between the two SSH logins was the NAT tables on the router.

How does a NAT table change affect an SSH fingerprint?

Thanks much.

Mods: move this to the networking forum if appropriate.
 
Old 11-14-2018, 01:40 PM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,555
Blog Entries: 15

Rep: Reputation: 1494Reputation: 1494Reputation: 1494Reputation: 1494Reputation: 1494Reputation: 1494Reputation: 1494Reputation: 1494Reputation: 1494Reputation: 1494
In the known_hosts file under ~<user>/.ssh it includes the name and/or IP along with the key. If the NAT changed the IP the target user sees the originating user coming from it may be that which caused it to see the change.
 
Old 11-14-2018, 02:45 PM   #3
upnort
Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS, Ubuntu MATE
Posts: 776

Original Poster
Rep: Reputation: Disabled
I understand the known_hosts file entries. The puzzle here is the IP address and hostname have not changed. At least not in an obvious way. That is, I am still trying to SSH into X.X.91.X using the same hostname. Yet SSH says the fingerprint is different. I do not believe there is a true MIM attack, especially when I know about the NAT table changes. I just don't understand how the NAT table changes alters the fingerprint.
 
Old 11-14-2018, 02:53 PM   #4
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.5
Posts: 2,230

Rep: Reputation: 701Reputation: 701Reputation: 701Reputation: 701Reputation: 701Reputation: 701Reputation: 701
What MensaWater is saying is that if the IP or hostname of the local server has changed, or appears to have changed to the remote server, then the fingerprint needs to be re-established.
 
1 members found this post helpful.
Old 11-15-2018, 09:38 AM   #5
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,555
Blog Entries: 15

Rep: Reputation: 1494Reputation: 1494Reputation: 1494Reputation: 1494Reputation: 1494Reputation: 1494Reputation: 1494Reputation: 1494Reputation: 1494Reputation: 1494
NAT = Network Address Translation

That means when it sees the traffic come in on one address it can change it to show it came in on a different address. That original "different" address may be what your target user's known_hosts file stored as IP rather than the actual IP of the source machine. You said the NAT changed so that made me suspect the "different" address seen by the target user now that doesn't match what it used to be.

You can view the target's known_host file to see what it expects. You can delete the old entry from known_hosts on the target user so it just prompts you to accept a new fingerprint when you next attach from the source.
 
Old 11-15-2018, 03:23 PM   #6
upnort
Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS, Ubuntu MATE
Posts: 776

Original Poster
Rep: Reputation: Disabled
Ha. This turned out to be a classic red herring, where one issue masked another.

There was indeed some NAT table updates to the router. In hindsight the NAT changes were unrelated. Only that at the time, those NAT changes were the only obvious change that coincided with the server access failure.

The true problem happened earlier in the day. The IP address for the problematic server had been inadvertently added to the router's IP address list (on a Mikrotik RouterOS: IP->Addresses). Basically, the IP address assigned to the server was then owned by the router. Any attempt to remotely access the server was actually going to the router.

I discovered this by looking at the router log. I noticed a bunch of login attempts with date stamps coinciding with when I tried to SSH into the server. Removing the inadvertent addition resolved the issue.

The actual root cause was an IP address reassignment that, with respect to the overall time line, seemed related to the NAT table additions but actually wasn't.

The inadvertent addition was nothing more than an honest boo-boo -- filed under "lessons learned" by those involved.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
fingerprint-gui "Could not open fingerprint device" exactiv Linux - Security 4 12-15-2015 05:50 PM
NAT and NAT Server behind its own NAT(private network) zeusys Linux - Networking 1 06-08-2011 07:22 PM
fingerprint match against collection of previos fingerprint mukesh.methaniya Linux - Software 0 05-22-2011 03:31 AM
LXer: Tables of Contents, Indexes and Other Special Tables in Scribus LXer Syndicated Linux News 0 05-13-2011 06:30 AM
SSH RSA key fingerprint with network Ephracis Linux - Security 19 02-26-2008 07:03 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:21 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration