...of course, that store needs to be secure to prevent our hypothetical man-in-the-middle from just using the same host key as the system it's trying to spoof.

Hey, security is hard! :)

On Thu, Sep 23, 2010 at 2:08 PM, Charles Duffy <char...@dyfis.net> wrote:
> A better solution would be to have a central store for your SSH keys, such
> that the hosts retrieve and reuse their old ones when the operating system
> is reinstalled; blindly accepting new keys as valid means that the mechanism
> provides no protection at all to man-in-the-middle attacks.
>
>
> On Thu, Sep 23, 2010 at 12:35 PM, Dominic Curran <
> dominic.cur...@citrix.com> wrote:
>
>> Hi
>>
>> I have found Paramiko to be an excellent library, very useful. Thanks.
>>
>> One question:
>> I use it in an environment where OSes are frequently reinstalled (thus
>> renewing their SSH keys).
>>
>> Thus when I connect using Paramiko I get frequent
>> 'AuthenticationExceptions'.
>>
>> i.e. the key in .ssh/known_hosts is no longer valid.
>>
>> $ ssh r...@knockout
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>> Someone could be eavesdropping on you right now (man-in-the-middle
>> attack)!
>> It is also possible that the RSA host key has just been changed.
>> The fingerprint for the RSA key sent by the remote host is
>> cf:70:9a:24:9b:80:cf:2c:0f:0e:f1:31:a0:e8:35:6d.
>> Please contact your system administrator.
>> Add correct host key in /home/user/.ssh/known_hosts to get rid of this
>> message.
>> Offending key in /home/user/.ssh/known_hosts:42
>> RSA host key for knockout has changed and you have requested strict
>> checking.
>> Host key verification failed.
>>
>> Is there any way in Paramiko to deal with this automatically?
>> i.e. get rid of the old key and accept the new?
>> My code looks like this:
>>
>> import paramiko
>>
>> ssh = paramiko.SSHClient()
>> ssh.load_system_host_keys()
>> # pass a policy instance, not the class; it is consulted only for hosts
>> # that have no entry in the loaded host keys
>> ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
>> ssh.connect(host, username=user, password=PWD, timeout=5,
>>             look_for_keys=False)
>> stdin, stdout, stderr = ssh.exec_command(cmd)
>> var = stdout.readlines()
>> ssh.close()
>>
>> Thanks
>> dom
>>
>> _______________________________________________
>> paramiko mailing list
>> paramiko@lag.net
>> http://www.lag.net/cgi-bin/mailman/listinfo/paramiko
>>
>
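The client-side counterpart of Charles's "central store" advice, as an added example that is not code from the thread or from the paramiko project: instead of pairing a local known_hosts with AutoAddPolicy (where deleting the stale entry means the next connection accepts whatever key is presented), the client pins host keys to a trusted store and treats both an unknown host and a changed key as a hard failure. Note that paramiko reports a mismatch against a loaded known_hosts entry as BadHostKeyException; the policy object is only asked about hosts it has no key for, which is why the client below loads no local host keys at all and lets the store decide every time. The store format and the MD5 colon-hex fingerprint follow OpenSSH's known_hosts conventions, including hashed host entries (an assumption about your store; the thread never specifies one). `TrustedHostKeyStore`, `make_pinned_client`, the host names and the toy RSA blobs are all constructed for the demo and are not real server keys.

```python
"""Pin SSH host keys to a trusted store rather than auto-adding them.

Added example, not code from the paramiko project or from anyone on the
thread.  Store lines follow OpenSSH known_hosts syntax; the sample keys
are constructed toy values, not real host keys.
"""
import base64
import hashlib
import hmac
import struct

KEY_MATCH = "match"
KEY_UNKNOWN = "unknown host"
KEY_CHANGED = "CHANGED (possible man-in-the-middle)"


def fingerprint_md5(blob):
    """MD5 colon-hex fingerprint of a wire-format public key blob, the same
    form as the cf:70:9a:... value in the warning quoted in the thread."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def _host_matches(pattern, host):
    """One known_hosts host field: comma-separated names, or an OpenSSH
    hashed entry of the form |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in pattern.split(",")


class TrustedHostKeyStore:
    """Keys parsed from a central, trusted source (assumed to exist here).
    Lookups never add keys: unknown host or changed key is a failure."""

    def __init__(self, text):
        self.entries = []  # (host field, key type, blob bytes)
        for line in text.splitlines():
            fields = line.split()
            if len(fields) < 3 or fields[0].startswith("#"):
                continue
            self.entries.append((fields[0], fields[1], base64.b64decode(fields[2])))

    def verify(self, host, keytype, blob):
        """KEY_MATCH, KEY_UNKNOWN or KEY_CHANGED for the key a server presented.
        The whole blob is compared, not just its fingerprint."""
        candidates = [b for h, t, b in self.entries
                      if t == keytype and _host_matches(h, host)]
        if not candidates:
            return KEY_UNKNOWN
        if any(hmac.compare_digest(b, blob) for b in candidates):
            return KEY_MATCH
        return KEY_CHANGED


def make_pinned_client(store):
    """paramiko.SSHClient that trusts only `store`.  No local known_hosts is
    loaded, so every server key is routed to the policy and checked there.
    paramiko is imported lazily so the stdlib part above runs without it."""
    import paramiko

    class PinnedHostKeyPolicy(paramiko.MissingHostKeyPolicy):
        def missing_host_key(self, client, hostname, key):
            blob = key.asbytes()
            verdict = store.verify(hostname, key.get_name(), blob)
            if verdict != KEY_MATCH:
                raise paramiko.SSHException("%s: host key %s, fingerprint %s"
                                            % (hostname, verdict, fingerprint_md5(blob)))

    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(PinnedHostKeyPolicy())
    return client


# --- constructed demo data: toy numbers, not a real RSA key ----------------
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def rsa_blob(e, n):
    """Wire-format ssh-rsa blob: string "ssh-rsa", mpint e, mpint n."""
    def mpint(x):  # one extra byte when the top bit would be set
        return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    return _ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def hashed_entry(host, salt=b"\x01" * 20):
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


OLD_KEY = rsa_blob(65537, 0xC0FFEE1234567)
NEW_KEY = rsa_blob(65537, 0xDEADBEEF98765)  # what a reinstalled or spoofed host presents
STORE = TrustedHostKeyStore("\n".join([
    "knockout,knockout.example ssh-rsa " + base64.b64encode(OLD_KEY).decode(),
    hashed_entry("hashedhost") + " ssh-rsa " + base64.b64encode(OLD_KEY).decode(),
]))


def demo():
    return {
        "same key": STORE.verify("knockout", "ssh-rsa", OLD_KEY),
        "reinstalled": STORE.verify("knockout", "ssh-rsa", NEW_KEY),
        "unknown": STORE.verify("nowhere", "ssh-rsa", OLD_KEY),
        "hashed": STORE.verify("hashedhost", "ssh-rsa", OLD_KEY),
    }
```

When a host is legitimately reinstalled, the fix is to update the store from the provisioning system that generated (or restored) the new host key, not to let the client accept whatever arrives; `demo()` shows the three verdicts that policy produces, and `make_pinned_client(STORE).connect(...)` is the drop-in for the AutoAddPolicy client in the quoted message.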