Hi,
StrictHostKeyChecking is suggested on many forums - I already tried it
and it didn't work (same error). I discovered that I can trick it with
"GlobalKnownHostsFile=/dev/null" - after that it does indeed ask me whether
I accept the new key. If I say "yes" it dutifully imports it into
~/.ssh/known_hosts and from then on it's happy. On the next connection no
exotic option is needed anymore.
Mihai
On 11/11/19 1:34 PM, Marius Luca wrote:
For me, at some point, corkscrew stopped working (after some years) and
I switched to httptunnel.
Regarding the unclear point above: it is probably asking you interactively
how to handle the server's unknown ssh key (with the emphasis on
"interactively") - ergo, it fails.
The fix is:
StrictHostKeyChecking=accept-new // preferred
StrictHostKeyChecking=no // security trade-off
--
Have a nice one,
Marius Luca
On Fri, Nov 8, 2019 at 3:41 PM Mihai Osian <[email protected]> wrote:
Hmm, it's still not very clear to me what is happening, but the problem
goes away if I manually add my server's key to .ssh/known_hosts
cat ~/.ssh/known_hosts
server.acasa.com ecdsa-sha2-nistp256 AAAAE2V[...]
ssh user@*www*.acasa.com -o [...]
==> REMOTE HOST IDENTIFICATION HAS CHANGED
ssh user@*server*.acasa.com -o [...]
==> ok
Apparently, if it doesn't find an explicit key, it does pattern-matching on
the domain/IP that corresponds to the proxy (in /etc/ssh/known_hosts).
Mihai
On Wed, Nov 6, 2019 at 3:55 PM Mihai Osian <[email protected]> wrote:
Hi,
At my workplace an HTTP proxy is used for outbound connections. In the
browser the proxy is configured automatically and looks something like
http://pac.companyproxy.com:9512/proxy.pac
My ambition is to connect with ssh to my computer at home. Reading
howtos I arrived at the following formula:
ssh [email protected] -o "ProxyCommand ~/bin/corkscrew pac.companyproxy.com
9512 www.acasa.com 22 ~/.ssh/auth"
This "corkscrew" is a small program that connects to the proxy using
HTTP and sends username+password for authentication (specified in
~/.ssh/auth or in an environment variable). Running the line above I get
this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:OhXPy3SjwV3zei5RGwCaQ4zFIVYfDvl/B+WAuDiGQgw.
Please contact your system administrator.
Add correct host key in /auto/home/mih/.ssh/known_hosts to get rid of
this
message.
Offending RSA key in /etc/ssh/ssh_known_hosts:627
RSA host key for <acasa> has changed and you have requested strict
checking.
Host key verification failed.
Line 627 of /etc/ssh/ssh_known_hosts looks like this:
mih@dhws039: sed '627!d' /etc/ssh/ssh_known_hosts
*,<proxy_ip_prefix>.* ssh-rsa AAAAB3Nza[...]
If I run ssh with "-vv" I see this:
ssh -vv [email protected] -o "ProxyCommand ~/bin/corkscrew
pac.companyproxy.com 9512 www.acasa.com 22 ~/.ssh/auth"
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /auto/home/mih/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 51: Applying options for *
debug1: Executing proxy command: exec /auto/home/mih/bin/corkscrew
pac.<proxy>.com 9512 <acasa> 22 /auto/home/mih/.ssh/auth
debug1: permanently_drop_suid: 10336
debug1: identity file /auto/home/mih/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
[...]
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
*debug1: Remote protocol version 2.0, remote software version
OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420debug1: match:
OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420 pat OpenSSH_6.6.1* compat
0x04000000*
debug1: Authenticating to acasa:22 as 'mike'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: [email protected] MAC:
<implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC:
<implicit> compression: none
debug1: kex: [email protected] need=64 dh_need=64
debug1: kex: [email protected] need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa
SHA256:OhXPy3SjwV3zei5RGwCaQ4zFIVYfDvl/B+WAuDiGQgw
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:OhXPy3SjwV3zei5RGwCaQ4zFIVYfDvl/B+WAuDiGQgw.
Please contact your system administrator.
Add correct host key in /auto/home/mih/.ssh/known_hosts to get rid of
this
message.
Offending RSA key in /etc/ssh/ssh_known_hosts:627
RSA host key for erebus has changed and you have requested strict
checking.
Host key verification failed.
mih@dhws039:
The highlighted line above ("OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420") is
the home server, so it gets that far, but then it goes haywire. Also,
run on its own from the command line, the little corkscrew program does
its job:
mih@dhws039: /auto/home/mih/bin/corkscrew <proxy> 9512 <acasa> 22
/auto/home/mih/.ssh/auth
SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420
Can someone explain to me what is going on? How does ssh get its
server keys, and why does it end up confusing them with the proxy's?
Mihai
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug_lists.lug.ro
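
Added example, not part of the original thread and not OpenSSH's own code: a simplified Python model of the known_hosts lookup discussed above, showing how a wildcard entry in the global file turns every hostname into a "changed key" and what removing that file from the lookup does. The key blobs and the `10.1.*` prefix are constructed placeholders; hashed entries and `@cert-authority`/`@revoked` markers are not modelled.

```python
import re

def pattern_matches(host, pattern_list):
    """known_hosts host field: comma-separated patterns, '*' and '?' are
    wildcards, and a matching '!pattern' vetoes the whole entry."""
    matched = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        regex = re.escape(pat.lstrip("!")).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, host, re.IGNORECASE):
            if negated:
                return False
            matched = True
    return matched

def check_host_key(host, keytype, blob, files):
    """Simplified model of the client's decision: 'OK' if any matching entry
    holds the presented key, 'CHANGED' if a matching entry of the same key
    type holds a different key, otherwise 'NEW'."""
    offending = None
    for name, text in files:
        for lineno, line in enumerate(text.splitlines(), 1):
            fields = line.split()
            if len(fields) < 3 or fields[0][0] in "#@":
                continue  # blanks, comments, @-markers: not modelled
            if not pattern_matches(host, fields[0]) or fields[1] != keytype:
                continue
            if fields[2] == blob:
                return "OK", None
            offending = offending or f"{name}:{lineno}"
    return ("CHANGED", offending) if offending else ("NEW", None)

# Constructed sample data; key blobs and the 10.1.* prefix are placeholders.
GLOBAL = ("/etc/ssh/ssh_known_hosts", "*,10.1.* ssh-rsa PROXYKEY\n")
USER = ("~/.ssh/known_hosts", "server.acasa.com ecdsa-sha2-nistp256 HOMEKEY_EC\n")
EMPTY_USER = ("~/.ssh/known_hosts", "")

def demo():
    rsa, ec = "ssh-rsa", "ecdsa-sha2-nistp256"
    return {
        # the wildcard line in the global file claims every hostname
        "www_default": check_host_key("www.acasa.com", rsa, "HOMEKEY_RSA", [EMPTY_USER, GLOBAL]),
        # an explicit user entry holding the right key wins for that exact name
        "server_pinned": check_host_key("server.acasa.com", ec, "HOMEKEY_EC", [USER, GLOBAL]),
        # global file taken out of the lookup: the host is simply unknown
        "www_no_global": check_host_key("www.acasa.com", rsa, "HOMEKEY_RSA", [EMPTY_USER]),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```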