Re: Changes in sshd?
On Sun, Feb 23, 2003 at 07:23:57PM -0500, John Straiton wrote:

> Greets,
> I have many times set up the authorized_keys so that remote ssh/scp/rsync clients can connect between machines without a password. However, in attempting to do this again using a 5.0-RELEASE machine trying to connect to a 4.7 machine, I'm getting nothing but:
>
>     %ssh 192.168.0.23
>     Host key verification failed.
>
> This was all working last week, then I reinstalled my 4.X machine to this 5.0 and went through the routine to recreate an identity.pub and copy it to the remote machine. Now it just won't work.

My guess is that when you did your re-install you didn't backup and restore the host keys for your machine. That means that all of the accounts on systems you've been connecting to will have the old host keys in the ${HOME}/.ssh/known_hosts files. That leads the ssh servers on those machines to believe that your newly installed 5.0 server is actually some sort of impostor, hence they refuse access.

The fix is easy, if tedious: edit all of the known_hosts files and delete the lines referencing that particular server, either by name or by IP number. The known_hosts data will be rebuilt as people connect to and fro during their normal usage, although it may cause automated jobs to fail until you can pre-load the known_hosts with the right stuff. See ssh-keyscan(1) for a way of doing that.

> I noticed that ssh-keygen worked slightly differently in 5.0... Did something change with its default behavior that I need to take into account in order to talk to a 4.7 machine?

Yes --- that's due to the import of OpenSSH 3.x into the tree, which supports the SSHv2 protocol and some new key types. I notice above that you're talking about 'identity.pub' which indicates you're probably using the old RSA1 key type and hence the SSHv1 protocol. If you can, you would be well advised to switch to SSHv2 which is rather more secure, and supported pretty much everywhere now.

It seems that the best key type to use is RSA which implies default key file names of 'id_rsa' and 'id_rsa.pub'.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
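
The cleanup described in the reply above (deleting the known_hosts lines that reference one host, by name or by IP number) written as a shell function. This is an added example, not part of the original thread; the function names, the host name oldbox.example.org and the key strings in the sample file are constructed for illustration.

```shell
#!/bin/sh
# Write a constructed known_hosts sample (key material is placeholder text).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample entries
oldbox.example.org,192.168.0.23 ssh-rsa AAAAconstructedKey1
[192.168.0.23]:2222 ssh-dss AAAAconstructedKey2
192.168.0.230 ssh-rsa AAAAconstructedKey3
other.example.org ssh-rsa AAAAconstructedKey4
EOF
}

# prune_known_hosts HOST FILE
# Removes every entry whose host field names HOST exactly and prints how
# many lines were dropped. Hashed entries ("|1|...") cannot be matched by
# text comparison and are left in place.
prune_known_hosts() {
    host=$1
    file=$2
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    removed=$(awk -v h="$host" -v out="$tmp" '
        # Comments and blank lines are copied through untouched.
        /^[ \t]*#/ || /^[ \t]*$/ { print > out; next }
        {
            # Skip an optional @cert-authority / @revoked marker.
            f = ($1 ~ /^@/) ? $2 : $1
            n = split(f, names, ",")
            hit = 0
            for (i = 1; i <= n; i++) {
                name = names[i]
                # "[host]:port" form used for non-default ports.
                if (name ~ /^\[/) {
                    sub(/^\[/, "", name)
                    sub(/\]:[0-9]+$/, "", name)
                }
                # Exact comparison, so 192.168.0.230 is not caught
                # when pruning 192.168.0.23.
                if (name == h) hit = 1
            }
            if (hit) count++; else print > out
        }
        END { print count + 0 }
    ' "$file") || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
    echo "$removed"
}
```

On current OpenSSH, `ssh-keygen -R host` performs the same removal and also handles hashed entries. Keys fetched afterwards with ssh-keyscan should have their fingerprints (`ssh-keygen -lf`) compared against a value obtained from the host itself before they are loaded into known_hosts.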
RE: Changes in sshd?
Thanks for all the info! Regrettably, I'm still having problems...

> My guess is that when you did your re-install you didn't backup and restore the host keys for your machine. That means that all of the accounts on systems you've been connecting to will have the old host keys in the ${HOME}/.ssh/known_hosts files. That leads the ssh servers on those machines to believe that your newly installed 5.0 server is actually some sort of impostor, hence they refuse access.

The client was the only one reinstalled, the server was untouched until I sent up a new identity.pub. Because I did not restore any .ssh/ files, there is no known_hosts file. I have confirmed this via:

    #find / -name known_hosts -print

while being su'ed to root.

Now, this got me to thinking that maybe it wouldn't auto-connect 'cause there was no known_hosts file... So I removed the authorized_keys from the server and tried to connect in hopes to create the known_hosts file but I still got the same error:

    Host key verification failed.

The only known_hosts file that exists on the machine is in /root/.ssh/known_hosts which does not have a problem connecting. So I figured rather than properly diagnose this, I'd make it work again since I'm starting to run against time constraints... too bad it didn't work:

    # cp /root/.ssh/known_hosts /home/myuser/.ssh/
    # su myuser
    %ssh xxx.xxx.xx.xx
    Permission denied, please try again.
    Permission denied, please try again.
    Received disconnect from xxx.xxx.xx.xx: 2: Too many authentication failures for myuser
    %ssh -1 xxx.xxx.xx.xx
    WARNING: DSA key found for host 209.198.22.23
    in /home/myuser/.ssh/known_hosts:1
    DSA key fingerprint 8a:58:15:a5:9b:1c:1a:65:1f:0c:4d:b9:03:d2:f7:8b.
    Host key verification failed.
    %

> RSA1 key type and hence the SSHv1 protocol. If you can, you would be well advised to switch to SSHv2 which is rather more secure, and supported pretty much everywhere now.

Thanks, after seeing this being an option now, I had planned on migrating to this, but I figured I'd get rsa1 to work again first. Unfortunately, until I can ssh to the machine at all, I can't get either mechanism to work I fear. I have tried using the dsa key but it doesn't work either.

More ideas?

John
RE: Changes in sshd?
As a follow up to my own post:

> The only known_hosts file that exists on the machine is in /root/.ssh/known_hosts which does not have a problem connecting. So I figured rather than properly diagnose this, I'd make it work again since I'm starting to run against time constraints... too bad it didn't work:
>
>     # cp /root/.ssh/known_hosts /home/myuser/.ssh/
>     # su myuser
>     %ssh xxx.xxx.xx.xx
>     Permission denied, please try again.
>     Permission denied, please try again.
>     Received disconnect from xxx.xxx.xx.xx: 2: Too many authentication failures for myuser
>     %ssh -1 xxx.xxx.xx.xx
>     WARNING: DSA key found for host 209.198.22.23
>     in /home/myuser/.ssh/known_hosts:1
>     DSA key fingerprint 8a:58:15:a5:9b:1c:1a:65:1f:0c:4d:b9:03:d2:f7:8b.
>     Host key verification failed.
>     %

Turns out that I can in fact get ssh2 to work now that the known_hosts file was copied from /root. I'm still confused as to why A) the known_hosts wasn't created automatically and B) I still can't get ssh1 to work.

John
Changes in sshd?
Greets,

I have many times set up the authorized_keys so that remote ssh/scp/rsync clients can connect between machines without a password. However, in attempting to do this again using a 5.0-RELEASE machine trying to connect to a 4.7 machine, I'm getting nothing but:

    %ssh 192.168.0.23
    Host key verification failed.

This was all working last week, then I reinstalled my 4.X machine to this 5.0 and went through the routine to recreate an identity.pub and copy it to the remote machine. Now it just won't work.

I noticed that ssh-keygen worked slightly differently in 5.0... Did something change with its default behavior that I need to take into account in order to talk to a 4.7 machine?

A complete walkthrough of the steps I'm attempting can be found at: http://my.lostinfo.com/files_other/rsync/

John Straiton
[EMAIL PROTECTED]
Clickcom, Inc
704-365-9970x101