Chris Rapier wrote:
> Carl Karsten wrote:
>>
>>
>> Chris Rapier wrote:
>>> You could do make install-nokeys on your linux box.
>>
>> um... huh? i have 2 linux boxes:
>
> Ah, my mistake. I assumed that since you were writing to the list for
> the windows version of openssh at least one of the boxes involved was
> windows. No matter.
doh! been a while - forgot the scope of this list :)
>
>> BoxA is my main box that I use for day to day work. I run ssh on it
>> to connect to BoxB (and other boxes)
>>
>> BoxB is the test box that gets wiped every few days.
>>
>>> This will maintain your current set of keys. If part of your test is
>>> to actually test the keygen and installation then you want to look at
>>> the CheckHostIP ssh client option. Try setting it to 'no'. I wouldn't
>>> set it that way in the config file though.
>>
>> I would rather not dumb down BoxA (my normal box) or BoxA' (my laptop)
>> - I also connect to real remote boxes (over the Net) so checking keys
>> seems like a good idea. If I could turn it off for a particular host,
>> that would be fine, but I don't think that is an option. Unless...
>> is there a ssh command line switch? I looked at man ssh when this
>> first started bugging me and couldn't find anything that helped.
>
> Yes, everything in the config files is also a command line switch using
> the '-o' options. EG: -o CheckHostIP=no
well, that gave me fewer errors:
carl@amd15:~$ ssh -o CheckHostIP=no yate2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
4b:9a:7d:6b:a5:bd:1f:7f:30:a5:b6:10:d7:7a:f6:29.
Please contact your system administrator.
Add correct host key in /home/carl/.ssh/known_hosts to get rid of this message.
Offending key in /home/carl/.ssh/known_hosts:29
RSA host key for yate2 has changed and you have requested strict checking.
Host key verification failed.
carl@amd15:~$
Seeing the "and you have requested strict checking." makes me want to turn it
off, but no luck:
carl@amd15:~$ ssh -o CheckHostIP=no -o StrictHostKeyChecking=no yate2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
4b:9a:7d:6b:a5:bd:1f:7f:30:a5:b6:10:d7:7a:f6:29.
Please contact your system administrator.
Add correct host key in /home/carl/.ssh/known_hosts to get rid of this message.
Offending key in /home/carl/.ssh/known_hosts:29
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,password).
>
>> Looking for just something I can do to BoxB. I have a post install
>> script that runs, which can wget files from a local web server. my
>> thought is to put a set of key files on there and just whack the ones
>> that the "apt-get install openssh-server" generate.
>
> Modify the install routine to use "make install-nokeys" instead of "make
> install". This will prevent your box from generating new keys and
> overwriting your old ones.
ah - install isn't install :)
I am re-running the OS install each time - like booting from the CD and doing
'install to first HD, auto partition and mkfs hda1'
So there are no "old keys" to overwrite.
> I have no idea if apt-get will let you pass
> options to the make command. If it doesn't I'd consider
> A) only having apt-get fetch and build but not install. Then use a post
> install script to run 'make install-nokeys'
> B) See if the server apt-get is using also has CVS access to the same
> packages. Write a script to have CVS check out the sources, build them,
> and run 'make install-nokeys'
um... this isn't Gentoo :) apt-get installs binaries.
Received on Wed Oct 11 17:20:49 2006
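
Added example, not part of the original thread: when a host key change is expected (as with the reinstalled BoxB above), this clears only the stale known_hosts entry that ssh names in its "Offending key in FILE:LINE" message, so host key checking stays on for every other host. The function name drop_stale_hostkey and the saved-warning file are assumptions made for illustration; ssh-keygen -R HOST does the equivalent and also handles hashed entries.

```shell
#!/bin/sh
# Added example (not from the thread). Run it only after confirming that the
# key change is expected, e.g. the box was just reinstalled.
#
# usage: ssh yate2 2> warn.txt ; drop_stale_hostkey warn.txt yate2
#   $1  file holding the saved stderr of the failed ssh run
#   $2  host name you expected to have a new key
drop_stale_hostkey() {
    warning=$1 host=$2

    # ssh prints "Offending key in /path/known_hosts:LINE"
    # (newer releases insert the key type: "Offending RSA key in ...").
    ref=$(sed -n 's/^Offending .*key in \(.*:[0-9][0-9]*\)$/\1/p' "$warning" | head -n 1)
    [ -n "$ref" ] || { echo "no offending-key line found in $warning" >&2; return 2; }

    file=${ref%:*} line=${ref##*:}
    [ -f "$file" ] || { echo "$file not found" >&2; return 2; }

    entry=$(sed -n "${line}p" "$file")
    names=${entry%% *}          # first field: comma-separated host names

    # Hashed entries (HashKnownHosts) cannot be matched by name here.
    case $names in
        '|1|'*) echo "line $line is hashed; use: ssh-keygen -R $host" >&2; return 3 ;;
    esac

    # Delete the line only if it really belongs to the expected host, so a
    # stale or edited warning cannot remove some other host's pinned key.
    case ",$names," in
        *",$host,"*) ;;
        *) echo "line $line is for '$names', not $host; left untouched" >&2; return 4 ;;
    esac

    cp -p "$file" "$file.bak" || return 5
    sed "${line}d" "$file.bak" > "$file"
    echo "removed $host entry (line $line) from $file; backup in $file.bak"
}
```

The next connection to the host prompts for the new key as a first contact; compare the fingerprint it shows with the one read on the rebuilt box's console before accepting.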