[Techtalk] ssh through dyndns & key authentication
anotheranne at fables.co.za
Fri Nov 5 09:03:33 UTC 2010
couple of comments below.
On Thu, 4 Nov 2010 23:04:35 +0100
Magni Onsoien <magnio+lc-techtalk at pvv.ntnu.no> wrote:
> On 2010-11-04 22:21:52 +0200, Anne Wainwright said:
> > Hi, all,
> > I am having key trouble with accessing my office server from home
> > via ssh
> > When I first-time accessed the server via ssh from the office
> > network there was the usual of having to trust & accept the key
> > offered for the first time. This connection has worked fine for
> > quite a while
> > I then set up dyndns, installed ddclient on the server, so that I
> > could access this from home without issues when the IP address
> > changes. Then, I am sure, I had to accept a key offered the first
> > time that I connected across the internet. Fine.
> > Now, this evening, a new key is offered with a 'fingerprint'. Where
> > does this new key come from? This is not the first time, I can
> > accept it but I now have a string of keys in 'known_hosts' on my
> > client laptop for connecting to the same and only server.
> > Am I getting a new key each time that I try to ssh through to the
> > server after an IP address change? I don't understand what is
> > happening here.
> At some point "HashKnownHosts Yes" seems to have become default in
> Ubuntu. This is a security and privacy measure to hash IP-adress/host
> name of the servers you connect to and store the host key of in your
> ~/.ssh/known_hosts file. Then one line will be stored for each
> different connection to a host, while if you don't hash them, new IP
> or hostnames will be stored with the existing key and as far as I
> remember you won't be asked for confirmation.
> If the lines (towards the end of) in the known_hosts file begin with
> "|1|", you have this option turned on.
Definitely |1| at the start of each key. I'll delete the lot.
> Turn it off by adding "HashKnownHosts No" to ~/.ssh/options
> Don't turn off StrictHostKeyChecking. That option checks that the host
> key of a given host has not changed, and you should have very good
> reasons to ignore that.
I have added that one line to ~/.ssh/options on the server account this
morning and will check when I get home tonight.
> (I only have Ubuntu servers available, but stuff should be pretty
> similar on most Unixes.)
Also running ubuntu server
> Magni :)
More information about the Techtalk