I wonder...
```
The authenticity of host 'alexschroeder.ch (192.121.170.192)' can't be established.
RSA key fingerprint is 3f:fa:ee:ae:af:f4:37:9e:c5:ff:b6:85:8b:14:44:0e.
Are you sure you want to continue connecting (yes/no)?
```
But:
```
alex@kallobombus:~$ for f in /etc/ssh/ssh_host_*.pub; do ssh-keygen -lf $f; done
1024 a4:f6:b3:f6:6b:c0:73:db:66:13:9e:6f:35:aa:aa:d5 root@kallobombus (DSA)
256 d7:0f:d0:39:08:f7:8b:5d:dd:1c:92:4c:57:5b:2f:d2 root@kallobombus (ECDSA)
2048 49:60:86:36:2d:52:46:7e:9a:10:fc:13:5d:58:e9:c5 root@kallobombus (RSA1)
4096 9f:ad:00:25:ff:d6:07:5f:9c:90:f1:10:43:56:d4:c4 root@kallobombus (RSA)
```
Questions:
1. Why do I have anything other than RSA in my `/etc/ssh` directory?
2. Why doesn’t any fingerprint match?
Is this what a Man-in-the-middle attack looks like?
I think that these are the files it *should* be using:
```
alex@kallobombus:/etc/ssh$ grep Key sshd_config
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
KeyRegenerationInterval 3600
ServerKeyBits 768
#AuthorizedKeysFile %h/.ssh/authorized_keys
```
And when I’m on the system itself, the fingerprint remains the same, so I guess it’s not a Man-in-the-middle attack but simply me not understanding where these fingerprints come from.
```
alex@kallobombus:/etc/ssh$ ssh alex@localhost
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is 3f:fa:ee:ae:af:f4:37:9e:c5:ff:b6:85:8b:14:44:0e.
Are you sure you want to continue connecting (yes/no)?
```
Is this the correct public key? The timestamp looks suspicious.
```
alex@kallobombus:/etc/ssh$ ls -l *rsa*
-rw------- 1 root root 1679 Jul 16 00:04 ssh_host_rsa_key
-rw-r--r-- 1 root root  742 Jan  6  2015 ssh_host_rsa_key.pub
```
Let’s print the public key and compare!
```
alex@kallobombus:/etc/ssh$ sudo ssh-keygen -y
[sudo] password for alex:
Enter file in which the key is (/root/.ssh/id_rsa): ssh_host_rsa_key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSrPJvgUtpgyW61lQXZqsFME3BQqr4BeZnh4QDk2UQJsSmYevyQuLVtMj/CXRHZLgujuW2ptKGgFgHA/fW0mvJM0NDcCoaQGkyNWcNUV6DGGRu0ttRccLwlasm+Iq4WZI5UuIpFvGgfjkgqUXNA058zfcFogOZzHk/gPuFruxjS6K6HtQ/c7bUPOZJrv/C804F9vq07tzy5S9ts587PWZjMLshC6UzErOOrzUIcv5LEE+V+xpy9gQfnkCPTtO/1ZeVLGlrSyWWIqFCso16zquQAvva9xzXiKQ/02FPPqx6EZ7EsHNekWdFwx3Z8xge8Og7nZfhS/E5fNPrSfseNpFB
alex@kallobombus:/etc/ssh$ cat ssh_host_rsa_key.pub
ssh-rsa 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 root@kallobombus
```
So, is the shorter key the actual key being used?
```
alex@kallobombus:/etc/ssh$ sudo ssh-keygen -yf ssh_host_rsa_key > /tmp/key.pub
alex@kallobombus:/etc/ssh$ ssh-keygen -lf /tmp/key.pub
2048 3f:fa:ee:ae:af:f4:37:9e:c5:ff:b6:85:8b:14:44:0e /tmp/key.pub (RSA)
```
This matches the actual message when I log in:
```
The authenticity of host 'alexschroeder.ch (192.121.170.192)' can't be established.
RSA key fingerprint is 3f:fa:ee:ae:af:f4:37:9e:c5:ff:b6:85:8b:14:44:0e.
Are you sure you want to continue connecting (yes/no)?
```
The riddle’s solution is that the public key in my `/etc/ssh` directory is simply some old cruft that’s not being used. I should replace it.
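Where the fingerprint comes from, as an added Python example (not part of the original post): `ssh-keygen -l` hashes the base64-decoded key blob of a public-key line, ignoring the comment, with MD5 for the old colon-hex form and SHA256 for the newer form, so comparing the blob derived from the private key with the blob in the `.pub` file is exactly the check made above. The RSA key is the one `ssh-keygen -y` printed in the post; `FAKE_ED25519` is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct

# The public key that `ssh-keygen -y` derived from ssh_host_rsa_key in the post.
DERIVED_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSrPJvgUtpgyW61lQXZqsFME3BQqr4BeZnh4QDk2UQJsSmYevyQuLVtMj/CXRHZLgujuW2ptKGgFgHA/fW0mvJM0NDcCoaQGkyNWcNUV6DGGRu0ttRccLwlasm+Iq4WZI5UuIpFvGgfjkgqUXNA058zfcFogOZzHk/gPuFruxjS6K6HtQ/c7bUPOZJrv/C804F9vq07tzy5S9ts587PWZjMLshC6UzErOOrzUIcv5LEE+V+xpy9gQfnkCPTtO/1ZeVLGlrSyWWIqFCso16zquQAvva9xzXiKQ/02FPPqx6EZ7EsHNekWdFwx3Z8xge8Og7nZfhS/E5fNPrSfseNpFB"

# Constructed ed25519 line (32 placeholder bytes, not a real key): the parser is not RSA-only.
FAKE_ED25519 = "ssh-ed25519 " + base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
).decode()

def _read_string(blob, off):
    """Read one SSH wire-format string: big-endian uint32 length, then that many bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_blob(pub_line):
    """Return (key type, decoded key blob) from a one-line OpenSSH public key."""
    key_type, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, _ = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("key type on the line does not match the encoded blob")
    return key_type, blob

def key_bits(key_type, blob):
    """Key size as `ssh-keygen -l` reports it (for RSA: bits of the modulus)."""
    _, off = _read_string(blob, 0)            # skip the type string
    if key_type == "ssh-rsa":
        _, off = _read_string(blob, off)      # public exponent e
        n, _ = _read_string(blob, off)        # modulus n as an mpint
        return int.from_bytes(n, "big").bit_length()
    if key_type == "ssh-ed25519":
        return 256
    if key_type.startswith("ecdsa-sha2-nistp"):
        return int(key_type[len("ecdsa-sha2-nistp"):])
    raise ValueError("unsupported key type " + key_type)

def fingerprints(pub_line):
    """(type, bits, legacy MD5 colon-hex, SHA256 base64) of a public key line."""
    key_type, blob = key_blob(pub_line)
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, key_bits(key_type, blob), md5, "SHA256:" + sha

def same_key(line_a, line_b):
    """True when two .pub lines carry the same key, whatever their comment fields say."""
    return key_blob(line_a)[1] == key_blob(line_b)[1]
```

Run `fingerprints(DERIVED_PUB)` and compare the MD5 field with the fingerprint ssh printed above; `same_key()` applied to the derived line and the `.pub` file is the stale-copy check.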
Thanks, EmacsWiki:PierreGaston, for lending a helping hand. 😄
#Security