Remember to document RSA host key in any place... #34

Closed
rsantos88 opened this issue Jan 19, 2018 · 8 comments

@rsantos88
Contributor

rsantos88 commented Jan 19, 2018

Error connecting by ssh to a new Ubuntu distribution (or a new installation):

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
94:43:6d:2b:78:54:06:7b:e5:02:61:01:d1:4a:35:51.
Please contact your system administrator.
Add correct host key in /home/teo/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/teo/.ssh/known_hosts:1
  remove with: ssh-keygen -f "/home/teo/.ssh/known_hosts" -R manipulation
RSA host key for manipulation has changed and you have requested strict checking.
Host key verification failed.
teo@oliver:~$ ssh manipulation 
teo@manipulation's password: 
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/
New release '16.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Remember to document the steps to configure the ssh server (in case it was necessary):

  1. sudo apt-get install openssh-server
  2. edit /etc/ssh/ssh_host_rsa_key (with sudo)
  3. change the old key for a new one
@jgvictores
Member

jgvictores commented Jan 19, 2018 via email

@PeterBowman
Member

PeterBowman commented Jan 19, 2018 via email

@AlvaroMartinezR

@PeterBowman is right

@rsantos88
Contributor Author

😑 😑 😑 😑 😑 😑
Sorry for the error... Where do you want to keep the key? Maybe in some private place for us?

@David-Estevez
Contributor

I guess the best thing to do is to create a new one (and keep it private) 😉

@jgvictores
Member

Obviously it's good to keep good security practices, but since we are in a LAN, I think we don't have to be extremely paranoid. Based on this, and to be practical, I think it's okay to not consider a man-in-the-middle attack and simply erase the RSA key associated with manipulation (via ssh-keygen -f "/home/teo/.ssh/known_hosts" -R manipulation) each time we boot it on a different distro.

Please correct me guys if I'm saying something terribly misguided.

@rsantos88
Contributor Author

@jgvictores I totally agree with you. I tried to change the default password assigned in Ubuntu to the one I had already registered in Debian 6 to avoid possible future problems. I know that revealing a password in a public place like this is a mistake, but I thought that we are connected in a local network, free of dangerous hackers trying to get into Teo (or maybe yes...), and I always try to document all the steps or changes that are performed, with the intention that another person can configure it in the future.
Anyways, I hope you have fun with this 😅

@rsantos88
Contributor Author

A new RSA key has been generated (by reinstalling openssh-server), and now the solution is to erase the RSA key associated with manipulation (via ssh-keygen -f "/home/teo/.ssh/known_hosts" -R manipulation) each time we boot it on a different distro (and the same with locomotion).
For example, doing ssh with locomotion:

teo@oliver:~$ ssh-keygen -f "/home/teo/.ssh/known_hosts" -R locomotion
# Host locomotion found: line 4 type RSA
/home/teo/.ssh/known_hosts updated.
Original contents retained as /home/teo/.ssh/known_hosts.old
teo@oliver:~$ ssh locomotion
The authenticity of host 'locomotion (2.2.2.52)' can't be established.
ECDSA key fingerprint is ??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'locomotion' (ECDSA) to the list of known hosts.
Warning: the ECDSA host key for 'locomotion' differs from the key for the IP address '2.2.2.52'
Offending key for IP in /home/teo/.ssh/known_hosts:4
Are you sure you want to continue connecting (yes/no)? yes
teo@locomotion's password: 
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

teo@locomotion:~$ 

So, I'll close this issue
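
Added example, not part of the original thread or the project's code: rather than answering "yes" to whatever fingerprint appears after the old entry is removed, the key a host presents can be compared with fingerprints written down at each install's console (for instance from `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub`). The sketch assumes `ssh-keyscan`-style input lines (`host keytype base64`); the keys, the `DOCUMENTED` table and the install labels are constructed for illustration.

```python
import base64
import hashlib
import struct

def fingerprints(pubkey):
    """Fingerprints of a 'keytype base64 [comment]' key, in both formats ssh prints."""
    blob = base64.b64decode(pubkey.split()[1])
    # MD5 only reproduces the legacy colon-hex display seen in the warning above
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def identify_install(host, keyscan_line, documented):
    """Return the documented install whose fingerprint matches the key presented
    for `host`, or None when the key is unknown and should not be accepted."""
    name, pubkey = keyscan_line.split(None, 1)
    if name != host:
        raise ValueError(f"line is for {name!r}, expected {host!r}")
    presented = fingerprints(pubkey)
    for install, fp in documented.items():
        if fp in presented:
            return install
    return None

def _constructed_key(seed):
    """Constructed ssh-ed25519-shaped blob for the demo; not a real host key."""
    kt = b"ssh-ed25519"
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

DEBIAN_KEY, UBUNTU_KEY, UNKNOWN_KEY = (_constructed_key(s) for s in (1, 2, 3))

# Fingerprints as they would be recorded at each install's console (constructed)
DOCUMENTED = {
    "debian-6": fingerprints(DEBIAN_KEY)[0],      # colon-hex MD5 style
    "ubuntu-14.04": fingerprints(UBUNTU_KEY)[1],  # SHA256 style
}

if __name__ == "__main__":
    for key in (DEBIAN_KEY, UBUNTU_KEY, UNKNOWN_KEY):
        line = "manipulation " + key  # shape of one ssh-keyscan output line
        print(identify_install("manipulation", line, DOCUMENTED))
```

A `None` result means the presented key matches no documented install, which is the case the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning exists to catch.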
