Re: Can we have better ssh fingerprint collision messages?
On Wed, Nov 13, 2013 at 7:29 PM, Przemek Klosowski przemek.klosow...@nist.gov wrote:
> On 11/12/2013 07:47 AM, Miroslav Suchý wrote:
>> 2) if you know that some machines change fingerprint and you *trust it* you can do:
>>
>> ~/.ssh/config:
>>   Host 192.168.1.1
>>     UserKnownHostsFile /dev/null
>
> It always bugged me that the choice was to either disable or manually edit an obscure file, so I was happy to find that you can delete stale entries from the command line:
>
>   ssh-keygen -R hostname
>
> Admittedly, this is pretty obscure and I think it would be a better idea if SSH directly allowed an override, perhaps like this:
>
>   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>   @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>   IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>   Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>   It is also possible that the RSA host key has just been changed.
>   The fingerprint for the RSA key sent by the remote host is
>   23:00:21:33:d4:0f:95:f1:eb:34:b2:57:cf:3f:2c:e7.
>   If you think it's safe to override this check, you can connect this time [o]
>   or delete the current host key before connecting [O]:

Yes! This kind of solution would be awesome; any admin who encounters this more than two times per week (as I do) would love to have an override. I know where I'm connecting to, and if it is a server then it should NEVER change, but I'm also connecting to OpenWrt based devices (internet of things and similar devices) which get updated firmwares every so often, and upon booting up for the first time with new firmware generate new ssh keys.

I would love to see this, or at least if somebody knows how I can set this up for myself, this would make me switch back to Fedora as my main admin machine...

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Can we have better ssh fingerprint collision messages?
On 11/12/2013 07:47 AM, Miroslav Suchý wrote:
> 2) if you know that some machines change fingerprint and you *trust it* you can do:
>
> ~/.ssh/config:
>   Host 192.168.1.1
>     UserKnownHostsFile /dev/null

It always bugged me that the choice was to either disable or manually edit an obscure file, so I was happy to find that you can delete stale entries from the command line:

~~~
ssh-keygen -R hostname
~~~

Admittedly, this is pretty obscure and I think it would be a better idea if SSH directly allowed an override, perhaps like this:

~~~
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
23:00:21:33:d4:0f:95:f1:eb:34:b2:57:cf:3f:2c:e7.
If you think it's safe to override this check, you can connect this time [o]
or delete the current host key before connecting [O]:
~~~
Re: Can we have better ssh fingerprint collision messages?
On Wed, Nov 13, 2013 at 01:29:34PM -0500, Przemek Klosowski wrote:
> On 11/12/2013 07:47 AM, Miroslav Suchý wrote:
>> 2) if you know that some machines change fingerprint and you *trust it* you can do:
>>
>> ~/.ssh/config:
>>   Host 192.168.1.1
>>     UserKnownHostsFile /dev/null
>
> It always bugged me that the choice was to either disable or manually edit an obscure file, so I was happy to find that you can delete stale entries from the command line:
>
>   ssh-keygen -R hostname

I work on some lab systems that get kickstarted frequently and thus change ssh keys quite often, so I wrote the script below to update my known_hosts file with the new key. Note that I use the format hostname,ip-address so that I don't get two entries in my known_hosts file (which causes its own set of problems if the system gets a new IP address due to DHCP changes).

~~~
#!/bin/sh
# Replace the stale known_hosts entry for $1 with the key the host offers now.
KNOWN_HOSTS=~/.ssh/known_hosts
NEW_HOST=$1

# Resolve the address so the new entry can carry both name and IP.
IP_ADDR=$(host "$NEW_HOST" | awk '/has address/{print $NF}')

if ! grep -q "$NEW_HOST" "$KNOWN_HOSTS" ; then
    echo "Could not find $NEW_HOST in $KNOWN_HOSTS"
    exit 1
fi

# Drop every entry for the old key, then record the current one as host,ip.
ssh-keygen -R "$NEW_HOST"
[ -n "$IP_ADDR" ] && NEW_HOST=$NEW_HOST,$IP_ADDR
ssh-keyscan "$NEW_HOST" >> "$KNOWN_HOSTS"
~~~

Jeff
Re: Can we have better ssh fingerprint collision messages?
On 13.11.2013 22:19, Jeffrey Bastian wrote:
> On Wed, Nov 13, 2013 at 01:29:34PM -0500, Przemek Klosowski wrote:
>> On 11/12/2013 07:47 AM, Miroslav Suchý wrote:
>>> 2) if you know that some machines change fingerprint and you *trust it* you can do:
>>>
>>> ~/.ssh/config:
>>>   Host 192.168.1.1
>>>     UserKnownHostsFile /dev/null
>>
>> It always bugged me that the choice was to either disable or manually edit an obscure file, so I was happy to find that you can delete stale entries from the command line:
>>
>>   ssh-keygen -R hostname
>
> I work on some lab systems that get kickstarted frequently and thus change ssh keys quite often, so I wrote the script below to update my known_hosts file with the new key. Note that I use the format hostname,ip-address so that I don't get two entries in my known_hosts file (which causes its own set of problems if the system gets a new IP address due to DHCP changes).
>
>   #!/bin/sh
>   KNOWN_HOSTS=~/.ssh/known_hosts
>   NEW_HOST=$1
>   IP_ADDR=$(host "$NEW_HOST" | awk '/has address/{print $NF}')
>
>   if ! grep -q "$NEW_HOST" "$KNOWN_HOSTS" ; then
>       echo "Could not find $NEW_HOST in $KNOWN_HOSTS"
>       exit 1
>   fi
>
>   ssh-keygen -R "$NEW_HOST"
>   [ -n "$IP_ADDR" ] && NEW_HOST=$NEW_HOST,$IP_ADDR
>   ssh-keyscan "$NEW_HOST" >> "$KNOWN_HOSTS"
>
> Jeff

You can also manage host keys and fingerprints using FreeIPA. The known_hosts file is managed for all machines added to the directory.

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/host-keys.html

Mateusz Marzantowicz
Re: Can we have better ssh fingerprint collision messages?
Quoting valent.turko...@gmail.com (2013-11-12 08:42:06)
> I work a lot with different kinds of routers, openwrt and other embedded systems, and they all usually use the same address - 192.168.1.1, so the Ubuntu message is quite useful because it gives me a simple command that I just copy/paste so I can get rid of the old fingerprint and connect to the new device with the same IP but obviously a different ssh fingerprint.

1. Don't top-post
2. I hope I'll never be at the mercy of administrators like you who copy-paste commands because that's what they are told to.
3. The message appears whenever there is a change in the ssh host key for a given address. On Fedora as well. If you can't reproduce it, you didn't change the host key or you are really connecting to a different host.

-- 
Stanislav Ochotnicky sochotni...@redhat.com
Software Engineer - Developer Experience

PGP: 7B087241
Red Hat Inc. http://cz.redhat.com
Re: Can we have better ssh fingerprint collision messages?
On Tue, Nov 12, 2013 at 08:42:06AM +0100, valent.turko...@gmail.com wrote:
> I work a lot with different kinds of routers, openwrt and other embedded systems, and they all usually use the same address - 192.168.1.1, so the Ubuntu message is quite useful because it gives me a simple command that I just copy/paste so I can get rid of the old fingerprint and connect to the new device with the same IP but obviously a different ssh fingerprint.

I see the message on Fedora that you say only occurs on Ubuntu. Can you show the precise output you see on your Fedora machine when there is a key mismatch?

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any software inside the virtual machine. Supports Linux and Windows. http://people.redhat.com/~rjones/virt-df/
Re: Can we have better ssh fingerprint collision messages?
On 12.11.2013 03:11, Chris Adams wrote:
> Once upon a time, Reindl Harald h.rei...@thelounge.net said:
>> these lines are not written by hand and i replaced the key from AAA to == of the first one with the key of a completely different host in the file resulting in the message i posted by ssh harry@srv-rhsoft
>
> Replacing characters is making entries by hand. Replacing the first characters with == creates an invalid key (it is base64 encoded which cannot have = characters except at the end for padding as needed); it could be OpenSSH ignores invalid lines (I don't know).

jesus christ *from* AAA *to* == means *the whole valid key* because quoting two complete keys is a little bit long, so what is there invalid?

>>> If there is no match to the host, you get the output you described; if there is a match but the key is different, you get the original poster's desired output. This is standard (and I believe non-configurable) OpenSSH behavior going back to the beginning (and IIRC to the original SSH code before OpenSSH started)
>>
>> and as i have proven this is *not true* in all situations - period
>
> That is incorrect. The way to prove it is to connect to a host, change its host key (easiest way is to move /etc/ssh/*key* aside and restart sshd), and connect again.

your ssh command must have some magic that it can distinguish whether the server changed its key or the one in known_hosts

> Otherwise, show a case that didn't involve editing the known_hosts file. The OpenSSH code only works one way.

and now you can explain to me where the difference is between the key on the server having changed and having a different but valid key than the server's one in known_hosts
Re: Can we have better ssh fingerprint collision messages?
On 12 November 2013 09:40, Reindl Harald h.rei...@thelounge.net wrote:
> jesus christ *from* AAA *to* == means *the whole valid key* because quoting two complete keys is a little bit long, so what is there invalid?

Reindl please calm down ... step away from the keyboard then come back in a fresh temperament. If you re-read your original message it is somewhat ambiguous as it can easily be read (and indeed I first read it as) that you changed AAA to == ... ie just those characters.

> your ssh command must have some magic that it can distinguish whether the server changed its key or the one in known_hosts

Did you edit the key for both the IP address and the hostname in known_hosts? It's feasible that if you only changed the hostname and not the IP based one behaviour would be different. Indeed if I just ssh-keygen -R fqdn and then ssh to a box after the key has changed there will be similar complaints as it verifies on the latter too.

> and now you can explain to me where the difference is between the key on the server having changed and having a different but valid key than the server's one in known_hosts

It can't... but you have to be sure you have edited any entries that may apply and that it is absolutely correct on the change ... frankly it's quicker and simpler to test via changing the target host's key rather than your known_hosts.

James
Re: Can we have better ssh fingerprint collision messages?
On Tue, Nov 12, 2013 at 12:31:04PM +0100, Reindl Harald wrote:
>> It can't... but you have to be sure you have edited any entries that may apply and that it is absolutely correct on the change ... frankly it's quicker and simpler to test via changing the target host's key rather than your known_hosts
>
> and that this is needed shows IMHO a bug because it should in all cases give out the same warning message

Harald, I'm not seeing the behavior you see either -- if I replace a host key with another one in known_hosts, I get the correct man-in-the-middle message.

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  mat...@fedoraproject.org
Re: Can we have better ssh fingerprint collision messages?
On 12.11.2013 13:21, Matthew Miller wrote:
> On Tue, Nov 12, 2013 at 12:31:04PM +0100, Reindl Harald wrote:
>>> It can't... but you have to be sure you have edited any entries that may apply and that it is absolutely correct on the change ... frankly it's quicker and simpler to test via changing the target host's key rather than your known_hosts
>>
>> and that this is needed shows IMHO a bug because it should in all cases give out the same warning message
>
> Harald, I'm not seeing the behavior you see either -- if I replace a host key with another one in known_hosts, I get the correct man-in-the-middle message

interesting, i can reproduce this as often as i want in case i am doing it in the first one for the short hostname only and leave the entry with the FQ and IP-address untouched

openssh-clients-6.2p2-5.fc19.x86_64
Re: Can we have better ssh fingerprint collision messages?
On Tue, 2013-11-12 at 07:21 -0500, Matthew Miller wrote:
> On Tue, Nov 12, 2013 at 12:31:04PM +0100, Reindl Harald wrote:
>>> It can't... but you have to be sure you have edited any entries that may apply and that it is absolutely correct on the change ... frankly it's quicker and simpler to test via changing the target host's key rather than your known_hosts
>>
>> and that this is needed shows IMHO a bug because it should in all cases give out the same warning message
>
> Harald, I'm not seeing the behavior you see either -- if I replace a host key with another one in known_hosts, I get the correct man-in-the-middle message.

Exactly, I verified that too. But I actually first made a mistake by deleting the 'ssh-rsa' and not copying it from the other host entry, which made the line invalid and the message was the same as for first contact with the server. So I wonder if Harald made the same mistake.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
Re: Can we have better ssh fingerprint collision messages?
On 11/12/2013 08:42 AM, valent.turko...@gmail.com wrote:
> I work a lot with different kinds of routers, openwrt and other embedded systems, and they all usually use the same address - 192.168.1.1, so the Ubuntu message is quite useful because it gives me a simple command that I just copy/paste so I can get rid of the old fingerprint and connect to the new device with the same IP but obviously a different ssh fingerprint.

1) I get the same message on Fedora. Not sure how you think that Ubuntu differs.

2) if you know that some machines change fingerprint and you *trust it* you can do:

~~~
~/.ssh/config:
  Host 192.168.1.1
    UserKnownHostsFile /dev/null
~~~

-- 
Miroslav Suchy, RHCE, RHCDS
Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys
Re: Can we have better ssh fingerprint collision messages?
On 12.11.2013 13:26, Tomas Mraz wrote:
> On Tue, 2013-11-12 at 07:21 -0500, Matthew Miller wrote:
>> On Tue, Nov 12, 2013 at 12:31:04PM +0100, Reindl Harald wrote:
>>>> It can't... but you have to be sure you have edited any entries that may apply and that it is absolutely correct on the change ... frankly it's quicker and simpler to test via changing the target host's key rather than your known_hosts
>>>
>>> and that this is needed shows IMHO a bug because it should in all cases give out the same warning message
>>
>> Harald, I'm not seeing the behavior you see either -- if I replace a host key with another one in known_hosts, I get the correct man-in-the-middle message.
>
> Exactly, I verified that too. But I actually first made a mistake by deleting the 'ssh-rsa' and not copying it from the other host entry, which made the line invalid and the message was the same as for first contact with the server. So I wonder if Harald made the same mistake

see below the difference in known_hosts, the third line with the used hostname

~~~
[harry@rh:~/.ssh]$ ssh harry@srv-rhsoft
The authenticity of host '[srv-rhsoft]:22 ([62.178.102.6]:22)' can't be established.
RSA key fingerprint is 4d:64:fa:f7:78:ac:f2:2d:59:4d:59:35:5d:a2:ca:70.
Are you sure you want to continue connecting (yes/no)?
~~~
Re: Can we have better ssh fingerprint collision messages?
On Tue, Nov 12, 2013 at 01:24:16PM +0100, Reindl Harald wrote:
> On 12.11.2013 13:21, Matthew Miller wrote:
>> Harald, I'm not seeing the behavior you see either -- if I replace a host key with another one in known_hosts, I get the correct man-in-the-middle message
>
> interesting, i can reproduce this as often as i want in case i am doing it in the first one for the short hostname only and leave the entry with the FQ and IP-address untouched

Yeah, sure. That's the standard SSH behaviour. As far as it is concerned those are different hosts.

If one wants to change that, OpenSSH upstream would be the appropriate place to do that. I don't think such modifications should be made in distribution packages. Especially not without even trying to get upstream feedback on the issue.

Lars
Can we have better ssh fingerprint collision messages?
I really enjoy working with ssh on Ubuntu just for this simple reason, they have user friendly ssh fingerprint collision messages:

~~~
$ ssh root@192.168.1.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
c0:3b:b2:60:a6:e2:5e:97:aa:ae:ec:d2:ca:ba:27:1b.
Please contact your system administrator.
Add correct host key in /home/valent/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/valent/.ssh/known_hosts:8
~~~

I really miss this feature when I return back to Fedora. How hard would it be to make this behavior the default for Fedora also?
Re: Can we have better ssh fingerprint collision messages?
On Mon, Nov 11, 2013 at 11:11:57PM +0100, Reindl Harald wrote:
> On 11.11.2013 23:05, Bruno Wolff III wrote:
>> On Mon, Nov 11, 2013 at 23:03:04 +0100, valent.turko...@gmail.com valent.turko...@gmail.com wrote:
>>> I really enjoy working with ssh on Ubuntu just for this simple reason, they have user friendly ssh fingerprint collision messages:
>>
>> I get these messages when I change host keys
>
> no you do not, you get this one
>
>   The authenticity of host '[srv-rhsoft]:22 ([192.168.2.2]:22)' can't be established.
>   RSA key fingerprint is 4d:64:fa:f7:78:ac:f2:2d:59:4d:59:35:5d:a2:ca:70.
>   Are you sure you want to continue connecting (yes/no)?

I don't think so. That's the one I get when there is no host key yet associated with a host.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any software inside the virtual machine. Supports Linux and Windows. http://people.redhat.com/~rjones/virt-df/
Re: Can we have better ssh fingerprint collision messages?
On 11.11.2013 23:15, Richard W.M. Jones wrote:
> On Mon, Nov 11, 2013 at 11:11:57PM +0100, Reindl Harald wrote:
>> On 11.11.2013 23:05, Bruno Wolff III wrote:
>>> On Mon, Nov 11, 2013 at 23:03:04 +0100, valent.turko...@gmail.com valent.turko...@gmail.com wrote:
>>>> I really enjoy working with ssh on Ubuntu just for this simple reason, they have user friendly ssh fingerprint collision messages:
>>>
>>> I get these messages when I change host keys
>>
>> no you do not, you get this one
>>
>>   The authenticity of host '[srv-rhsoft]:22 ([192.168.2.2]:22)' can't be established.
>>   RSA key fingerprint is 4d:64:fa:f7:78:ac:f2:2d:59:4d:59:35:5d:a2:ca:70.
>>   Are you sure you want to continue connecting (yes/no)?
>
> I don't think so. That's the one I get when there is no host key yet associated with a host

no - i simply took the host-key of another machine in my known_hosts file, pressed save and tried to connect to the host; maybe this happens because there is more than one line for each host (IP, only local part, FQ) but that is in fact what you get
Re: Can we have better ssh fingerprint collision messages?
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
> no - i simply took the host-key of another machine in my known_hosts file, pressed save and tried to connect to the host; maybe this happens because there is more than one line for each host (IP, only local part, FQ) but that is in fact what you get

If you didn't change it to match exactly what you attempted to connect to (e.g. if you made an entry for foo.mydomain.com and then just did ssh foo), the line is not matched. If you manually make multiple lines with the same host, I'm not sure what OpenSSH does (because it doesn't create such entries); it may only care about the first match.

If there is no match to the host, you get the output you described; if there is a match but the key is different, you get the original poster's desired output. This is standard (and I believe non-configurable) OpenSSH behavior going back to the beginning (and IIRC to the original SSH code before OpenSSH started).

-- 
Chris Adams li...@cmadams.net
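The lookup rule Chris Adams describes above (a known_hosts line applies only when one of its comma-separated names is exactly what you connected to; an applying line with a different key gives the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, no applying line gives the first-contact prompt) and the case Tomas Mraz reports earlier in the thread (a line with its 'ssh-rsa' column deleted is skipped, so it looks like first contact), as an added Python illustration that is neither OpenSSH's code nor a script from this thread. Host names, key blobs and the salt are constructed; it also handles the hashed `|1|salt|hash` entry form that ssh writes with HashKnownHosts, which the thread does not discuss, and leaves out wildcards, negation and @cert-authority/@revoked markers.

```python
"""Simulate the OpenSSH client's known_hosts decision for one connection.

Added illustration of the known_hosts(5) rules, not OpenSSH code:
  * a line applies when one of its comma-separated names equals the looked-up
    name (hashed '|1|salt|hash' names are checked via HMAC-SHA1(salt, name));
  * a line whose key type or base64 column is missing/invalid is skipped;
  * applying line + same key -> OK; applying line + other key -> CHANGED;
    no applying line at all -> FIRST_CONTACT.
"""
import base64
import binascii
import hashlib
import hmac
from typing import List, Optional, Tuple

OK = "key matches known_hosts"
CHANGED = "REMOTE HOST IDENTIFICATION HAS CHANGED"
FIRST_CONTACT = "authenticity can't be established (no usable entry)"

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def hashed_pattern(hostname: str, salt: bytes) -> str:
    """Build the '|1|salt|hash' name that ssh writes when HashKnownHosts is on."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def pattern_matches(pattern: str, hostname: str) -> bool:
    """Exact match for plain names; recompute the HMAC for hashed names."""
    if pattern.startswith("|1|"):
        parts = pattern.split("|")
        if len(parts) != 4:
            return False
        try:
            salt = base64.b64decode(parts[2], validate=True)
        except binascii.Error:
            return False
        return hmac.compare_digest(hashed_pattern(hostname, salt), pattern)
    return pattern == hostname


def parse_line(line: str) -> Optional[Tuple[List[str], str, str]]:
    """Return (names, key type, key blob), or None if ssh would skip the line."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("@"):
        return None  # comments; @cert-authority/@revoked are out of scope here
    fields = line.split()
    if len(fields) < 3 or fields[1] not in KEY_TYPES:
        return None  # e.g. the 'ssh-rsa' column was deleted while hand-editing
    try:
        base64.b64decode(fields[2], validate=True)
    except binascii.Error:
        return None  # key column is not base64
    return fields[0].split(","), fields[1], fields[2]


def lookup(known_hosts: str, hostname: str, keytype: str,
           blob: str) -> Tuple[str, List[int]]:
    """Classify what ssh would print, plus the line numbers that applied.

    hostname is the name as ssh looks it up: what the user typed, or the
    resolved IP when CheckHostIP is on, or '[host]:port' for non-default ports.
    """
    verdict, applied = FIRST_CONTACT, []
    for number, raw in enumerate(known_hosts.splitlines(), start=1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        names, line_type, line_blob = parsed
        if line_type != keytype or not any(pattern_matches(n, hostname) for n in names):
            continue
        applied.append(number)
        if line_blob == blob:
            return OK, applied
        verdict = CHANGED  # same host name, same key type, different key
    return verdict, applied


# Constructed sample values: not real keys, not the hosts from the thread.
KEY_A = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0"  # what the server really offers
KEY_B = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDZ"  # another host's key pasted in by hand
KEY_C = "AAAAC3NzaC1lZDI1NTE5AAAAIHRlc3Q="  # ed25519 blob for the hashed entry
SALT = b"\x01" * 20

SAMPLE_KNOWN_HOSTS = "\n".join([
    "lab01 ssh-rsa " + KEY_B,                         # short name: edited, wrong key
    "lab01.example.net,192.0.2.10 ssh-rsa " + KEY_A,  # FQDN and IP: untouched
    "router " + KEY_A,                                # 'ssh-rsa' column deleted
    hashed_pattern("hashed.example.net", SALT) + " ssh-ed25519 " + KEY_C,
])

if __name__ == "__main__":
    for name in ("lab01", "lab01.example.net", "192.0.2.10", "router"):
        print("%-18s -> %s" % (name, lookup(SAMPLE_KNOWN_HOSTS, name, "ssh-rsa", KEY_A)))
    print("hashed.example.net -> %s" %
          (lookup(SAMPLE_KNOWN_HOSTS, "hashed.example.net", "ssh-ed25519", KEY_C),))
```

Connecting as `lab01` hits only line 1 and is reported as a changed key, while `lab01.example.net` or the IP hits line 2 and passes, which is the "those are different hosts" point made later in the thread.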
Re: Can we have better ssh fingerprint collision messages?
On 11.11.2013 23:24, Chris Adams wrote:
> Once upon a time, Reindl Harald h.rei...@thelounge.net said:
>> no - i simply took the host-key of another machine in my known_hosts file, pressed save and tried to connect to the host; maybe this happens because there is more than one line for each host (IP, only local part, FQ) but that is in fact what you get
>
> If you didn't change it to match exactly what you attempted to connect to (e.g. if you made an entry for foo.mydomain.com and then just did ssh foo), the line is not matched. If you manually make multiple lines with the same host, I'm not sure what OpenSSH does (because it doesn't create such entries); it may only care about the first match.

boah *it does* if you connect one time to the local part only because of a DNS suffix and one time to the FQ host

these lines are not written by hand and i replaced the key from AAA to == of the first one with the key of a completely different host in the file, resulting in the message i posted by ssh harry@srv-rhsoft

~~~
srv-rhsoft ssh-rsa B3NzaC1yc2EBIwAAAQEAzTBd2hor7lh2ien9j9ghkrqNGIh0t3AbUfwlABMnHIcSA9CATSctmwfHWkjob9CLCYIVF38hQPAbvSV9WyNu2BGHzuiXPPnvIxM06U4ot6Xs8B0Wcj3MtrBzbMCcl1b6tVNREPSwxDiUiDdmWgQpkbFIr+qX/D7CrJLfc5ON/VF/ZSe46hJw8YUoDa19hCXfZe0P4UK9iXLfhrjPKMl+x6/2F/CKwmtAdCXpWd1D3M/fozTSjiG2BBszWTZFCDKdtBOhB2tpndyzatkpFR6Ik7JR5/YzwZghayWs9PZyOb7M4RHnPAzZX0yy9lrHyi+///VKSyxv2xUxXXGc6AiBhw==
srv-rhsoft.rhsoft.net ssh-rsa B3NzaC1yc2EBIwAAAQEAzTBd2hor7lh2ien9j9ghkrqNGIh0t3AbUfwlABMnHIcSA9CATSctmwfHWkjob9CLCYIVF38hQPAbvSV9WyNu2BGHzuiXPPnvIxM06U4ot6Xs8B0Wcj3MtrBzbMCcl1b6tVNREPSwxDiUiDdmWgQpkbFIr+qX/D7CrJLfc5ON/VF/ZSe46hJw8YUoDa19hCXfZe0P4UK9iXLfhrjPKMl+x6/2F/CKwmtAdCXpWd1D3M/fozTSjiG2BBszWTZFCDKdtBOhB2tpndyzatkpFR6Ik7JR5/YzwZghayWs9PZyOb7M4RHnPAzZX0yy9lrHyi+///VKSyxv2xUxXXGc6AiBhw==
~~~

> If there is no match to the host, you get the output you described; if there is a match but the key is different, you get the original poster's desired output. This is standard (and I believe non-configurable) OpenSSH behavior going back to the beginning (and IIRC to the original SSH code before OpenSSH started)

and as i have proven this is *not true* in all situations - period
Re: Can we have better ssh fingerprint collision messages?
valent.turko...@gmail.com valent.turko...@gmail.com wrote:
> I really enjoy working with ssh on Ubuntu just for this simple reason, they have user friendly ssh fingerprint collision messages:
>
>   $ ssh root@192.168.1.1
>   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>   @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>   IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>   Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>   It is also possible that a host key has just been changed.
>   The fingerprint for the RSA key sent by the remote host is
>   c0:3b:b2:60:a6:e2:5e:97:aa:ae:ec:d2:ca:ba:27:1b.
>   Please contact your system administrator.
>   Add correct host key in /home/valent/.ssh/known_hosts to get rid of this message.
>   Offending RSA key in /home/valent/.ssh/known_hosts:8
>
> I really miss this feature when I return back to Fedora. How hard would it be to make this behavior the default for Fedora also?

I see the message with Fedora.

David
Re: Can we have better ssh fingerprint collision messages?
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
> these lines are not written by hand and i replaced the key from AAA to == of the first one with the key of a completely different host in the file, resulting in the message i posted by ssh harry@srv-rhsoft

Replacing characters is making entries by hand. Replacing the first characters with == creates an invalid key (it is base64 encoded which cannot have = characters except at the end for padding as needed); it could be OpenSSH ignores invalid lines (I don't know).

>> If there is no match to the host, you get the output you described; if there is a match but the key is different, you get the original poster's desired output. This is standard (and I believe non-configurable) OpenSSH behavior going back to the beginning (and IIRC to the original SSH code before OpenSSH started)
>
> and as i have proven this is *not true* in all situations - period

That is incorrect. The way to prove it is to connect to a host, change its host key (easiest way is to move /etc/ssh/*key* aside and restart sshd), and connect again. Otherwise, show a case that didn't involve editing the known_hosts file. The OpenSSH code only works one way.

-- 
Chris Adams li...@cmadams.net
Re: Can we have better ssh fingerprint collision messages?
I work a lot with different kinds of routers, openwrt and other embedded systems, and they all usually use the same address - 192.168.1.1, so the Ubuntu message is quite useful because it gives me a simple command that I just copy/paste so I can get rid of the old fingerprint and connect to the new device with the same IP but obviously a different ssh fingerprint.

On Mon, Nov 11, 2013 at 11:38 PM, David Howells dhowe...@redhat.com wrote:
> valent.turko...@gmail.com valent.turko...@gmail.com wrote:
>> I really enjoy working with ssh on Ubuntu just for this simple reason, they have user friendly ssh fingerprint collision messages:
>>
>>   $ ssh root@192.168.1.1
>>   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>   @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>>   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>   IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>   Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>>   It is also possible that a host key has just been changed.
>>   The fingerprint for the RSA key sent by the remote host is
>>   c0:3b:b2:60:a6:e2:5e:97:aa:ae:ec:d2:ca:ba:27:1b.
>>   Please contact your system administrator.
>>   Add correct host key in /home/valent/.ssh/known_hosts to get rid of this message.
>>   Offending RSA key in /home/valent/.ssh/known_hosts:8
>>
>> I really miss this feature when I return back to Fedora. How hard would it be to make this behavior the default for Fedora also?
>
> I see the message with Fedora.
>
> David

-- 
follow me - www.twitter.com/valentt
http://kernelreloaded.blog385.com
linux, anime, spirituality, wireless, scuba, linuxmce smart home, zwave
ICQ: 2125241, Skype: valent.turkovic, MSN: valent.turko...@hotmail.com