LinuxSA Mailing list archives

  From: Alan Kennington <akenning@dog.topology.org>
  To  : Alain Satre <alain@messagebay.com>
  Date: Sun, 11 Feb 2001 21:11:53 +1030

Re: SSH Question

On Fri, Feb 09, 2001 at 12:26:53PM -0800, Alain Satre wrote:
> Recently some of our RedHat6.2 servers were penetrated through a common
> exploit in rpc services.  Afterward, patching and reloading, we have
> noticed that some of our hosts give this message when we attempt an ssh
> connection.  I'm wondering what could have been done to cause this?  I
> know I can probably just re-key the whole setup, but I wanted to know
> what the intruders may have done.  The warning alone states a "man in
> the middle" attack but I'm not familiar with it.  Any ideas?  Should I
> just wipe out all keys and start over and be done with it?   Or is this
> worth investigating further?
> 
> [root@embpc14 /tmp]# ssh 10.1.2.106
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

Alain,

Having recently converted 5 machines to openssh 2.3.0 from source,
I've seen this a lot in the last two days.

I've found two ways to deal with this.

Suppose you're going from client machine X to server machine Y.

1.	Delete the line for server Y in the ~/.ssh/known_hosts
	file on X, and log in. This will just ask you to
	verify that all is okay.
	But before you do this, you should type something like
	ssh-keygen -l -f /usr/local/etc/ssh_host_key.pub
	on machine Y to find out what the fingerprint is.
	Then verify that this is correct when you
	log in from X.

2.	Delete the line for Y in ~/.ssh/known_hosts on X,
	and replace it with the contents of the file
	ssh_host_key.pub
	but precede it with the host name Y and remove
	the trailing string.

If you do (1), it's much easier, because ssh will write the
public key of Y to the user's known-hosts file on X automatically.
Just make sure the fingerprints match.

Cheers,
Alan Kennington.

==========================================================
PS. I've found that the ssh-agent's key is not handed on to
a second log-in as it used to be.
In other words, when I update to openssh 2.3.0, if
I log in from X to Y, I don't need to give a password
(because I ran ssh-add already on X), but when I log in
subsequently from Y to Z, I _do_ need to give a passphrase.
Does anyone know what's going on here?

-- 
LinuxSA WWW: http://www.linuxsa.org.au/  IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
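Alan's option (2) above, worked through as an added shell example that is not part of the original message: it drops the known_hosts line for host Y on client X and appends the server's public key with the trailing comment stripped, using only awk so it runs without ssh installed. The key file and known_hosts contents are constructed sample data, not real keys; the host names Y and Z are the ones from the message.

```shell
# Added example (not from the original post): option (2) above done with
# plain text tools, so it runs without ssh or ssh-keygen installed.
# Drop any existing known_hosts line for host Y and append "Y <key>" with
# the trailing comment removed. Both key formats of the openssh 2.3.0 era
# are handled: SSH1 ("bits exponent modulus comment") and SSH2
# ("keytype base64 comment").

# Print the key fields of a public key file without its trailing comment.
key_without_comment() {
    awk 'NR == 1 {
        if ($1 ~ /^[0-9]+$/) print $1, $2, $3;  # SSH1: bits exp modulus
        else                  print $1, $2;      # SSH2: keytype base64
        exit
    }' "$1"
}

# Replace the known_hosts entry for host $1 with the key in file $2,
# editing known_hosts file $3 in place. A line is dropped when $1 appears
# in its comma-separated name list ("Y" or "Y,10.1.2.106"), so an IP
# alias listed beside the name goes with it.
replace_known_host() {
    host=$1; keyfile=$2; kh=$3
    tmp="${kh}.tmp.$$"
    [ -f "$kh" ] || : > "$kh"
    awk -v h="$host" '
        { n = split($1, names, ","); keep = 1
          for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
          if (keep) print }' "$kh" > "$tmp"
    printf '%s %s\n' "$host" "$(key_without_comment "$keyfile")" >> "$tmp"
    mv "$tmp" "$kh"
}

# --- constructed sample data (not real keys) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/ssh_host_key.pub" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC+EXAMPLEKEYDATA= root@Y
EOF
cat > "$demo_dir/known_hosts" <<'EOF'
Y,10.1.2.106 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC+OLDKEYBEFOREREINSTALL=
Z ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC+UNRELATEDHOSTKEY=
EOF

replace_known_host Y "$demo_dir/ssh_host_key.pub" "$demo_dir/known_hosts"
cat "$demo_dir/known_hosts"   # Z line kept, old Y line gone, new Y line last
```

Run the fingerprint check from option (1) on Y before trusting the copied key file, since this script only edits text and cannot tell a genuine reinstall from a swapped key.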

