With SSH host authentication, the ssh server has the private key and you need to get the matching public key into your known_hosts or /etc/ssh/ssh_known_hosts.

The ssh-keyscan command returns the public key(s). This public key should be obtained or verified independently on untrusted networks. Once you have it, a Man-In-The-Middle attack would be detected.

You can also have ssh display the "ascii art" fingerprint of public key(s) for visual verification:

    ssh-keygen -lv -f ~/.ssh/known_hosts
    ...
    2048 3b:87:95:6d:74:84:4f:d4:8e:bd:63:65:b1:5b:8e:74 [localhost]:6622 (RSA)
    +--[ RSA 2048]----+
    |           oo.   |
    |            .....|
    |            .o.+o|
    |           + .+.E|
    |        S o o. ==|
    |          + . .=.|
    |          + . . .|
    |             o   |
    |                 |
    +-----------------+

Some sites will have administrators maintain a master list of their server public keys and then distribute these to all nodes in the network.

OpenSSH also has support for putting the public key in "SSHFP" records, but this requires DNSSEC, and the necessary support is not yet in IBM z/OS OpenSSH.

Finally, OpenSSH on z/OS supports Kerberos (Windows Active Directory) authentication, which with supporting partners will handle both user and host authentication and eliminates both SSH host and user keys.
https://dovetail.com/docs/ssh/kerberos_sso.pdf

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Mon, Jan 30, 2017 at 9:16 AM, Paul Gilmartin <[email protected]> wrote:

> On Mon, 30 Jan 2017 09:01:03 -0600, Kirk Wolf wrote:
>
> >Host keys, user keys, and authentication is done by IBM OpenSSH.
> >
> >The ssh-keyscan command (part of OpenSSH) can be used to get public keys
> >from one or more hosts
> >
> >For example, since it appears that Venkat's are corrupted:
> >
> >cd ~/.ssh
> >mv known_hosts known_hosts_corrupted
> >ssh-keyscan host1.com host2.com host3.com > known_hosts
> >
> Is that asking those hosts to provide, without authentication, the
> keys to be used in the future for authentication?
>
> I suppose that sometimes ya gotta just trust somebody.
>
> -- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
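The check Kirk describes (verify what ssh-keyscan handed you against fingerprints obtained out of band before trusting it) can be done offline over the known_hosts file itself. The following is an added example, not code from the post or from IBM/Dovetail OpenSSH: it parses known_hosts entries, computes fingerprints the same way `ssh-keygen -l` does (SHA256 default, and the older colon-separated MD5 form shown in the post), and compares each host against an administrator-distributed pin list. It also goes beyond the post by handling HashKnownHosts (`|1|salt|hash`) entries. All host names, keys and pinned fingerprints in it are constructed for the demonstration; the key blobs are structurally valid but are not real host keys.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(raw32: bytes) -> bytes:
    """Build the public-key blob that base64-encodes to the known_hosts key field."""
    assert len(raw32) == 32
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)


def fingerprint_sha256(blob: bytes) -> str:
    """`ssh-keygen -l` default: SHA256 of the blob, base64 with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """`ssh-keygen -l -E md5` (the pre-6.8 default seen in the post): colon-separated hex."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def hash_hostname(host: str, salt: bytes) -> str:
    """HashKnownHosts form of a host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def parse_known_hosts(text: str) -> List[Tuple[str, str, bytes]]:
    """Return (host_field, key_type, decoded_blob) for each key line; reject malformed ones."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: malformed known_hosts entry")
        hosts, keytype, b64 = fields[0], fields[1], fields[2]
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != keytype.encode():   # declared type must match the blob
            raise ValueError(f"line {lineno}: key blob does not match type {keytype}")
        entries.append((hosts, keytype, blob))
    return entries


def verify_against_pins(text: str, pins: Dict[str, str]) -> Dict[str, str]:
    """
    Compare every entry with `pins` ({host_field: "SHA256:..."} obtained out of band).
    Returns {host: "ok" | "MISMATCH" | "unpinned"}; MISMATCH is what a man-in-the-middle
    answering the ssh-keyscan would produce.
    """
    verdicts: Dict[str, str] = {}
    for hosts, _keytype, blob in parse_known_hosts(text):
        fp = fingerprint_sha256(blob)
        if hosts.startswith("|1|"):
            # hashed hostname: find which pinned host hashes to this field under its salt
            salt = base64.b64decode(hosts.split("|")[2])
            names = [h for h in pins if hash_hostname(h, salt) == hosts]
        else:
            names = hosts.split(",")
        for host in names:
            expected = pins.get(host)
            if expected is None:
                verdicts[host] = "unpinned"
            else:
                verdicts[host] = "ok" if hmac.compare_digest(expected, fp) else "MISMATCH"
    return verdicts


# Constructed sample data: NOT real host keys, just structurally valid ed25519 blobs.
GOOD_KEY = make_ed25519_blob(bytes(range(1, 33)))
ROGUE_KEY = make_ed25519_blob(bytes(range(101, 133)))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed to look like: ssh-keyscan -p 6622 localhost host2.example host3.example",
    "[localhost]:6622 ssh-ed25519 " + base64.b64encode(GOOD_KEY).decode(),
    "host2.example ssh-ed25519 " + base64.b64encode(ROGUE_KEY).decode(),
    hash_hostname("host3.example", b"0123456789abcdefghij") + " ssh-ed25519 "
    + base64.b64encode(GOOD_KEY).decode(),
])
# Fingerprints the administrator distributed over a trusted channel (constructed).
PINNED = {
    "[localhost]:6622": fingerprint_sha256(GOOD_KEY),
    "host2.example": fingerprint_sha256(GOOD_KEY),   # the scan returned ROGUE_KEY instead
    "host3.example": fingerprint_sha256(GOOD_KEY),
}

if __name__ == "__main__":
    for host, verdict in verify_against_pins(SAMPLE_KNOWN_HOSTS, PINNED).items():
        print(f"{host:20} {verdict}")
```

Run against a real file with `verify_against_pins(open("~/.ssh/known_hosts").read(), pins)` once the pin list has been filled from the administrator's master list; anything reported as MISMATCH should be removed and investigated rather than accepted, and "unpinned" hosts are the ones still resting on the trust-on-first-use that gil's question points at.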
