
Mailing List Archive: OpenSSH: Users

SSH Fingerprint



amit.uttam at gmail

Dec 10, 2009, 4:11 PM

Post #1 of 5
SSH Fingerprint

Hi,

There is a remote box (an embedded system running a proprietary ssh
server) that I log in to for the first time and it generates a key for
acceptance. That is all good. However, every time the network admin
resets the remote box to default configuration the key changes and I
have to manually edit the host file to remove the old key.

Resetting to default config on the box simply just restores the settings
to factory defaults.

Is this expected behavior? What defines a fingerprint?

Thanks,
Amit


robert.lanning at gmail

Dec 14, 2009, 2:52 PM

Post #2 of 5
Re: SSH Fingerprint [In reply to]

The fingerprint is a hash of the public key.

What is happening is that the system is deleting the server key pair
every time it gets reset to defaults. With no key, the system generates
a brand new key pair.

Unless you can have the network admin restore the old server key after
resets, you are going to have this issue.

On Thu, Dec 10, 2009 at 4:11 PM, Amit Uttamchandani
<amit.uttam [at] gmail> wrote:
> Hi,
>
> There is a remote box (an embedded system running a proprietary ssh
> server) that I log in to for the first time and it generates a key for
> acceptance. That is all good. However, every time the network admin
> resets the remote box to default configuration the key changes and I
> have to manually edit the host file to remove the old key.
>
> Resetting to default config on the box simply just restores the settings
> to factory defaults.
>
> Is this expected behavior? What defines a fingerprint?
>
> Thanks,
> Amit

--
And, did Galoka think the Ulus were too ugly to save?
-Centauri
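The two points in the reply above, that the fingerprint is just a hash of the host's public key and that a regenerated key pair therefore no longer matches what the client recorded, as an added Python example (not code from the list or from OpenSSH). The ed25519 key bytes, the host name and the known_hosts line are constructed samples, and plain (unhashed) known_hosts entries are assumed:

```python
import base64
import hashlib
import struct

def _blob(pubkey_line: str) -> bytes:
    """Return the raw key blob from an OpenSSH public-key line ('type base64 [comment]')."""
    return base64.b64decode(pubkey_line.split()[1])

def fingerprint_sha256(pubkey_line: str) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_md5(pubkey_line: str) -> str:
    """Legacy MD5 fingerprint (colon-separated hex), the format OpenSSH showed in 2009."""
    digest = hashlib.md5(_blob(pubkey_line)).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def check_known_hosts(known_hosts: str, host: str, presented: str) -> str:
    """Mimic the client's decision for a presented host key:
    'unknown' (first contact, key offered for acceptance), 'match', or 'mismatch'.
    Assumes plain host names in column 1; hashed '|1|...' entries are not handled."""
    recorded = None
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if host in parts[0].split(","):
            recorded = parts[2]  # base64 key blob recorded at first login
    if recorded is None:
        return "unknown"
    return "match" if recorded == presented.split()[1] else "mismatch"

def constructed_ed25519_key(seed: int) -> str:
    """CONSTRUCTED sample: an ed25519 public-key line whose 32-byte point is a fake value
    derived from the seed. Only the wire format matters for fingerprinting."""
    point = hashlib.sha256(b"sample-%d" % seed).digest()  # 32 bytes stand in for the point
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " factory-key"

if __name__ == "__main__":
    before = constructed_ed25519_key(1)   # key pair present when the box was first accepted
    after = constructed_ed25519_key(2)    # fresh key pair generated after a factory reset
    known_hosts = "embedded-box " + before  # constructed known_hosts entry
    print(fingerprint_sha256(before), fingerprint_md5(before))
    print(check_known_hosts(known_hosts, "embedded-box", before))  # match
    print(check_known_hosts(known_hosts, "embedded-box", after))   # mismatch: same warning a MITM would trigger
```

Restoring the saved host key pair after a reset, as the later replies suggest, keeps the blob identical and so keeps the fingerprint and the known_hosts match stable.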


Wood.Chris at tatravelcenters

Dec 14, 2009, 3:30 PM

Post #3 of 5
Re: SSH Fingerprint [In reply to]

Yes, this is the expected behavior, and this is what you want it to do.
When the remote box is reset to a default configuration (I'm assuming this
means the existing files are wiped out, such as restored from a firmware
backup), it loses its key.

Now, if you wish, you can save the host keys, public key, and private
keys, from the remote box into a secure location, then you can copy them
back in place on the remote box when it is reset to a default
configuration.

Chris Wood
TravelCenters of America
Shop Systems Linux Administrator
wood.chris [at] tatravelcenters



4ux6as402 at sneakemail

Dec 15, 2009, 1:54 AM

Post #4 of 5
Re: SSH Fingerprint [In reply to]

And there is a reason for the madness: to prevent man-in-the-middle
attacks. Once you've accepted the key, if it ever changes (on a "normal"
system) that could very well indicate a man-in-the-middle attack.

Peter
--
Peter Valdemar Mørch
http://www.morch.com


amit.uttam at gmail

Dec 15, 2009, 3:01 PM

Post #5 of 5
Re: SSH Fingerprint [In reply to]

On Tue, Dec 15, 2009 at 10:54:14AM +0100, "Peter Valdemar Mørch (Lists)" wrote:
> And there is a reason for the madness: To prevent man in the middle
> attacks. Once you've accepted the key, if it ever changes (on a
> "normal" system) that could very well indicate a man-in-the-middle
> attack.
>

That makes sense. I guess I was confused with the term fingerprint. I
thought in the normal sense a fingerprint is unique and would never
change (thinking of human fingerprints).

Thanks for clarifying and thanks to others that replied.

Amit
