Chris Rapier wrote:
> You could do make install-nokeys on your linux box.

um... huh? I have 2 linux boxes:
BoxA is my main box that I use for day to day work. I run ssh on it to connect
to BoxB (and other boxes)
BoxB is the test box that gets wiped every few days.

> This will maintain your current set of keys. If part of your test is to
> actually test the keygen and installation then you want to look at the
> CheckHostIP ssh client option. Try setting it to 'no'. I wouldn't set it
> that way in the config file though.

I would rather not dumb down BoxA (my normal box) or BoxA' (my laptop) - I also
connect to real remote boxes (over the Net) so checking keys seems like a good
idea. If I could turn it off for a particular host, that would be fine, but I
don't think that is an option. Unless... is there an ssh command line switch?
I looked at man ssh when this first started bugging me and couldn't find
anything that helped.

Looking for just something I can do to BoxB. I have a post install script that
runs, which can wget files from a local web server. My thought is to put a set
of key files on there and just whack the ones that the "apt-get install
openssh-server" generates.
>
>
> Carl Karsten wrote:
>> I have an automated Ubuntu install that I run on a test box every few
>> days. It also installs openssh-server (sshd) and that creates new
>> keys, which conflict with the keys stored on my client machines. I
>> keep editing my client files to get around this, but that is getting
>> old. What would be a recommended way to deal with this? I also
>> wouldn't mind dropping a private key on it. I have 0.0 concern for
>> security of that box - it is only on about 1/4 the time, and I am the
>> only one with any sort of access to it. But I do have visitors to my
>> lan, and in general like to practice safe computing, and figure if I
>> am going to put any effort into this I should learn something
>> useful. Below is the error I get when I try to connect an "old"
>> client to a "new" install.
>>
>> Carl K
>>
>>
>>
>> carl@amd15:~$ ssh yate2
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> The RSA host key for yate2 has changed,
>> and the key for the according IP address 192.168.1.18
>> has a different value. This could either mean that
>> DNS SPOOFING is happening or the IP address for the host
>> and its host key have changed at the same time.
>> Offending key for IP in /home/carl/.ssh/known_hosts:27
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>> Someone could be eavesdropping on you right now (man-in-the-middle
>> attack)!
>> It is also possible that the RSA host key has just been changed.
>> The fingerprint for the RSA key sent by the remote host is
>> 4b:9a:7d:6b:a5:bd:1f:7f:30:a5:b6:10:d7:7a:f6:29.
>> Please contact your system administrator.
>> Add correct host key in /home/carl/.ssh/known_hosts to get rid of this
>> message.
>> Offending key in /home/carl/.ssh/known_hosts:29
>> RSA host key for yate2 has changed and you have requested strict
>> checking.
>> Host key verification failed.
>>
>> --
>> List Info: http://erdelynet.com/ssh-l/
>> List Archives: http://erdelynet.com/archive/ssh-l/
>> To Unsubscribe: Mail mailto:ssh+unsubscribe@erdelynet.com
>>
Received on Wed Oct 11 16:22:33 2006
This archive was generated by hypermail 2.1.8 : Wed Oct 11 2006 - 16:22:34 EDT
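
The idea in the reply above (put a saved set of host key files back on BoxB after "apt-get install openssh-server" generates new ones), as an added example that is not part of the original thread. The function names, the staging directory and the sample values in the comments are assumptions; `check_known_host` compares plain-text known_hosts entries only, and how the saved keys reach BoxB is left out.

```shell
#!/bin/sh
# Added example: keep a rebuilt test box on the host keys clients already trust.

# restore_host_keys SRC DEST
# Copy preserved ssh_host_*_key pairs from SRC over the freshly generated
# ones in DEST (normally /etc/ssh). SRC is an assumed staging directory.
restore_host_keys() {
    src=$1 dest=$2 count=0
    for priv in "$src"/ssh_host_*_key; do
        [ -f "$priv" ] && [ -f "$priv.pub" ] || continue
        name=${priv##*/}
        # Private key must never be group/world readable, even briefly.
        ( umask 077; cp "$priv" "$dest/$name" ) || return 1
        chmod 600 "$dest/$name" || return 1
        cp "$priv.pub" "$dest/$name.pub" || return 1
        chmod 644 "$dest/$name.pub" || return 1
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]   # fail if nothing was restored
}

# check_known_host NAME PUBFILE KNOWN_HOSTS
# 0 = client already trusts this key for NAME
# 1 = NAME is listed with a different key of the same type (the warning case)
# 2 = NAME is not listed in plain text (hashed entries are skipped)
# 3 = PUBFILE unreadable
check_known_host() {
    ktype='' kblob=''
    read -r ktype kblob _ < "$2" || [ -n "$kblob" ] || return 3
    awk -v h="$1" -v t="$ktype" -v b="$kblob" '
        /^[#@|]/ || NF < 3 { next }      # comments, markers, hashed names
        {
            n = split($1, names, ",")    # "yate2,192.168.1.18 ssh-rsa ..."
            for (i = 1; i <= n; i++)
                if (names[i] == h && $2 == t) {
                    seen = 1
                    if ($3 == b) ok = 1
                }
        }
        END { exit (ok ? 0 : (seen ? 1 : 2)) }
    ' "$3"
}

# Stand-alone use on the test box: sh thisfile SRC DEST
if [ "$#" -eq 2 ]; then
    restore_host_keys "$1" "$2"
fi
```

sshd has to be restarted after the restore to load the keys. The private key files are the box's identity, so anyone who can read them from the staging location can impersonate the host to these clients.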