Question about RSA1 vs DSA fingerprint
From: Shing-Fat Fred Ma (fma@doe.carleton.ca) Date: 05/15/02
From: Shing-Fat Fred Ma <fma@doe.carleton.ca> Date: 15 May 2002 01:47:37 GMT
Hello,
I'm connecting to a solaris 8 box on a university LAN,
ssh version
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
This is the "remote" host. I'm connecting from a laptop
cygwin, via Sympatico ADSL, ssh version
OpenSSH_3.0p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
This part works fine, I get asked to confirm the remote
host's public key fingerprint, and it matches the result
from
ssh-keygen -l -f /etc/ssh_host_rsa_key.pub
on the remote host. The fingerprint is a series of
double digit hex numbers separated by colons.
The next part doesn't quite pan out. I try connecting to
the same remote host from another sun box that
is behind a corporate firewall, non-OpenSSH ssh
version
SSH Secure Shell 2.3.0 (non-commercial version) on sparc-sun-solaris2.6
(I'm not an employee there, and it isn't being used for
commercial purposes). That gives me a different public
key fingerprint for the remote host. No double digit hex
numbers, just a series of 5-character lower-case letters
separated by dashes.
I tried to figure out why it didn't match. After refusing to
accept that fingerprint a number of times, I accepted it
and got connected. By doing this, I created
~/.ssh2/hostkeys/key_xx_RemoteHost.Fully.Qualified.Name.pub
This file matches the public key file
/etc/ssh_host_dsa_key.pub
on the remote host. From the ssh man pages,
I gather this is protocol 2 (right?). According to the
ssh-keygen man pages, the key fingerprint should
be obtained by
ssh-keygen -l -t dsa -f /etc/ssh_host_dsa_key.pub
on the remote host. However, this did not give me the
5-letter strings presented to me when I tried to connect,
it still gave me double hex digits. I even threw in the "-y"
for OpenSSH file format, but that didn't help either.
Next, I transferred the file
/etc/ssh_host_dsa_key.pub
from the remote host to the local host and used
ssh-keygen -F ssh_host_dsa_key.pub
Note that the syntax for non-OpenSSH is different.
I even tried "-t dsa" (that is the only option that is
accepted, according to the help). Regardless, the
response was
Couldn't read public key "ssh_host_dsa_key.pub".!
Note also that the
man pages for the non-OpenSSH has not been
installed, if there are any (I didn't install it, though
I did read much about it before giving up and asking
the system administrators).
What can I do? I've been reading about ssh all day
(and I've spent many previous days reading about it).
According to my readings, blindly accepting the fingerprint
despite discrepancies is not good, and invites "man-in-the-middle"
attacks, which I also read about, but am not
an expert in. However, I changed my passwords on the
remote host after reading about it.
Thanks for any suggestions. In case this helps, I've
attached the output from "ssh -v", with specific
host/user ID data replaced by generic letters/numbers.
Fred
-------------------------------------------
Fred Ma
Department of Electronics
Carleton University, Mackenzie Building
1125 Colonel By Drive
Ottawa, Ontario
Canada K1S 5B6
fma@doe.carleton.ca
===========================================
debug: Unable to open /etc/ssh2/ssh2_config
debug: hostname is 'RemoteHost.RemoteLAN.RemoteSite.ca'.
debug: Unable to open /home/LocalUserID/.ssh2/ssh2_config
debug: connecting to RemoteHost.RemoteLAN.RemoteSite.ca...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: SshAuthMethodClient/sshauthmethodc.c:105/ssh_client_authentication_initialize: Added "publickey" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:105/ssh_client_authentication_initialize: Added "password" to usable methods.
debug: Ssh2Client/sshclient.c:1104/ssh_client_wrap: creating userauth protocol
debug: Ssh2Common/sshcommon.c:487/ssh_common_wrap: local ip = Local.IP.Number, local port = 40855
debug: Ssh2Common/sshcommon.c:489/ssh_common_wrap: remote ip = Remote.IP.Number, remote port = 22
debug: SshConnection/sshconn.c:1853/ssh_conn_wrap: Wrapping...
debug: Ssh2Transport/trcommon.c:593/ssh_tr_input_version: Remote version: SSH-1.99-OpenSSH_2.9p2
debug: Ssh2Transport/trcommon.c:1068/ssh_tr_negotiate: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1071/ssh_tr_negotiate: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none
debug: SshUnixUserFiles/sshunixuserfiles.c:200/ssh_blob_read: file /home/LocalUserID/.ssh2/hostkeys/key_22_RemoteHost.RemoteLAN.RemoteSite.ca.pub does not exist.
debug: SshUnixUserFiles/sshunixuserfiles.c:200/ssh_blob_read: file /etc/ssh2/hostkeys/key_22_RemoteHost.RemoteLAN.RemoteSite.ca.pub does not exist.
Host key not found from database.
Key fingerprint:
Eleven-Words-Of-Five-Letters-Separated-By-Dashes
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)? NO
debug: Ssh2Common/sshcommon.c:132/ssh_common_disconnect: DISCONNECT received: Key exchange failed.
warning: Authentication failed.
debug: Ssh2/ssh2.c:78/client_disconnect: locally_generated = TRUE
Disconnected; key exchange or algorith negotiation failed (Key exchange failed.).
debug: uninitializing event loop
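The two prompts in the post are showing the same host key in two presentations: the OpenSSH ssh-keygen -l of that era prints an MD5 digest of the raw public-key blob as colon-separated hex pairs, while the ssh2 client prints a SHA-1 digest of the same blob in Bubble Babble encoding (eleven five-letter words for a 20-byte digest, exactly the shape of the prompt in the attached ssh -v output). The script below is an added example, not code from the original post or from either SSH implementation; it computes both fingerprints from one OpenSSH-format public key line so the hex value from the remote host and the dashed value from the ssh2 prompt can be checked against each other instead of being accepted on faith. The sample key blob is constructed here with placeholder integers (structurally an ssh-dss blob, not a usable DSA key), and the function names are mine.

```python
"""
One host key, two fingerprint formats.

  fingerprint_md5_hex        -> what the 2002-era OpenSSH `ssh-keygen -l` prints
  fingerprint_bubblebabble   -> what the SSH Secure Shell (ssh2) client prints
                                 (also `ssh-keygen -B` in later OpenSSH)

Both are digests of the same raw public-key blob, so a key that is genuinely
the same must match in BOTH formats.
"""
import base64
import hashlib
import struct

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data: bytes) -> str:
    """Bubble Babble encoding of arbitrary bytes (Antti Huima's spec, as used by ssh2)."""
    seed = 1
    rounds = len(data) // 2 + 1
    out = ["x"]
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2 != 0:
            b1 = data[2 * i]
            out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[(b2 >> 4) & 15])
                out.append("-")
                out.append(CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:
            # Even-length input: the final partial word is derived from the seed alone.
            out.append(VOWELS[seed % 6])
            out.append(CONSONANTS[16])
            out.append(VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def parse_openssh_pubkey(line: str) -> bytes:
    """Return the raw key blob from a one-line OpenSSH public key file (e.g. ssh_host_dsa_key.pub)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])          # first SSH string in the blob is the key type
    if blob[4:4 + n] != fields[0].encode("ascii"):
        raise ValueError("key type inside the blob does not match the line")
    return blob


def fingerprint_md5_hex(blob: bytes) -> str:
    """OpenSSH-style fingerprint of the period: MD5 of the blob, hex pairs joined by ':'."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_bubblebabble(blob: bytes) -> str:
    """ssh2-style fingerprint: SHA-1 of the blob, Bubble Babble encoded."""
    return bubble_babble(hashlib.sha1(blob).digest())


def same_key(md5_hex: str, babble: str, blob: bytes) -> bool:
    """Does the hex value shown by ssh-keygen -l and the dashed value shown at the
    ssh2 prompt both belong to this blob?  Either mismatch means a different key."""
    return (md5_hex.lower() == fingerprint_md5_hex(blob)
            and babble.lower() == fingerprint_bubblebabble(blob))


# --- constructed sample input (not a real key) ---------------------------------
def _string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


def _mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")   # extra leading 0x00 keeps it positive
    return _string(raw)


# Structurally an ssh-dss blob (type, p, q, g, y); the integers are placeholders
# chosen for the example, so this is NOT a usable DSA key, only fingerprint input.
SAMPLE_BLOB = (_string(b"ssh-dss")
               + _mpint(0xD4B27E1F9A035C61)
               + _mpint(0x9F3A1B77)
               + _mpint(0x5C0E2D91A7F34B08)
               + _mpint(0x7A19E4C603BD5F22))
SAMPLE_LINE = "ssh-dss " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " constructed-sample-key"


if __name__ == "__main__":
    blob = parse_openssh_pubkey(SAMPLE_LINE)
    print("ssh-keygen -l style  :", fingerprint_md5_hex(blob))
    print("ssh2 prompt style    :", fingerprint_bubblebabble(blob))
```

Usage: replace SAMPLE_LINE with the contents of /etc/ssh_host_dsa_key.pub from the remote host, compare the first output with what ssh-keygen -l prints there and the second with the dashed string the ssh2 client shows, and accept the key only if both agree. This is an assumption about the file-format mapping rather than something the post confirms, but the blob inside the OpenSSH .pub line is the same bytes that ssh2 writes into its key_22_*.pub file, which is why the two files matched after the key was accepted.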