[Techtalk] ssh through dyndns & key authentication

Anne Wainwright anotheranne at fables.co.za
Sat Nov 6 09:51:47 UTC 2010


Hi, girls,

slight correction for the benefit of interested (future) readers.

The option "HashKnownHosts No" mentioned should be set on the client
(not the server; see man ssh_config) in ~/.ssh/config (make this 744, I
think).

The option should be entered as

HashKnownHosts no	# with "no" _uncapitalised_

ssh has a hierarchy of reading options in this order, and will
thus override the default Debian option (on) in the system file:

 1.   command-line options
 2.   user's configuration file (~/.ssh/config)
 3.   system-wide configuration file (/etc/ssh/ssh_config)

I now have one copy of the server public key written into a
new, empty 'known_hosts' in the format that commences with the host name
and IP address (as mentioned by Carla in her Cookbook).

I see that man ssh_config specifically mentions Ubuntu deviations from
the ssh default, including this particular one, but no mention of why.
Is this something to do with the whole sudo thing?

Thanks to Magni for putting me on the right path, even as I fear that I
may have broken something else :(


bestest
Anne

On Fri, 5 Nov 2010 11:03:33 +0200
Anne Wainwright <anotheranne at fables.co.za> wrote:

> Hello, Magni,
> 
> couple of comments below.
> 
> 
> On Thu, 4 Nov 2010 23:04:35 +0100
> Magni Onsoien <magnio+lc-techtalk at pvv.ntnu.no> wrote:
> 
> > On 2010-11-04 22:21:52 +0200, Anne Wainwright said:
> > > Hi, all,
> > > 
> > > I am having key trouble with accessing my office server from home
> > > via ssh
> > > 
> > > When I first-time accessed the server via ssh from the office
> > > network there was the usual of having to trust & accept the key
> > > offered for the first time. This connection has worked fine for
> > > quite a while
> > > 
> > > I then set up dyndns, installed ddclient on the server, so that I
> > > could access this from home without issues when the IP address
> > > changes. Then, I am sure, I had to accept a key offered the first
> > > time that I connected across the internet. Fine.
> > > 
> > > Now, this evening, a new key is offered with a 'fingerprint'.
> > > Where does this new key come from? This is not the first time, I
> > > can accept it but I now have a string of keys in 'known_hosts' on
> > > my client laptop for connecting to the same and only server.
> > > 
> > > Am I getting a new key each time that I try to ssh through to the
> > > server after an IP address change? I don't understand what is
> > > happening here.
> > 
> > At some point "HashKnownHosts Yes" seems to have become default in
> > Ubuntu. This is a security and privacy measure to hash the
> > IP address/host name of the servers you connect to and store the
> > host key of in your ~/.ssh/known_hosts file. Then one line will be
> > stored for each different connection to a host, while if you don't
> > hash them, new IPs or hostnames will be stored with the existing key
> > and as far as I remember you won't be asked for confirmation.
> > If the lines (towards the end of) the known_hosts file begin with
> > "|1|", you have this option turned on.
> Definitely |1| at the start of each key. I'll delete the lot.
> 
> > 
> > Turn it off by adding "HashKnownHosts No" to ~/.ssh/options
> > Don't turn off StrictHostKeyChecking. That option checks that the
> > host key of a given host has not changed, and you should have very
> > good reasons to ignore that.
> I have added that one line to ~/.ssh/options on the server account
> this morning and will check when I get home tonight.
> 
> > 
> > (I only have Ubuntu servers available, but stuff should be pretty
> > similar on most Unixes.)
> Also running Ubuntu server
> 
> > 
> > 
> > Magni :)
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://mailman.linuxchix.org/mailman/listinfo/techtalk
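As an added illustration (not code from the thread or from OpenSSH), here is the hashed known_hosts format Magni describes: each "|1|salt|hmac|" host field is HMAC-SHA1 over a single host name or IP string keyed with a random salt, which is why a hashed file ends up with one line per name or address rather than a single "hostname,ip" entry. The host names, key material and fixed salt below are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# Constructed, reproducible salt (OpenSSH uses 20 random bytes per entry).
SALT = bytes(range(20))
FAKE_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQC/constructed-not-a-real-key"


def hash_host(host, salt=None):
    """Return the '|1|<salt>|<hmac>|' host field that HashKnownHosts produces."""
    salt = salt if salt is not None else os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(),
                          base64.b64encode(mac).decode())


def parse_known_hosts(text):
    """Parse plain and hashed entries; markers (@cert-authority) and patterns
    (wildcards, '!' negation) are out of scope for this example."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host_field, key_type, key = line.split()[:3]
        entries.append({"hosts": host_field, "type": key_type, "key": key,
                        "hashed": host_field.startswith("|1|")})
    return entries


def host_matches(entry, host):
    """True if a name or IP string matches the entry's host field."""
    if entry["hashed"]:
        _, _, salt_b64, mac_b64, _ = entry["hosts"].split("|")
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(base64.b64decode(salt_b64), host.encode(),
                          hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    # Plain form: comma-separated names/addresses sharing one key line.
    return host in entry["hosts"].split(",")


# Constructed sample file: a plain "hostname,ip" line and a hashed line
# for the same host (what an Ubuntu client with HashKnownHosts would write).
SAMPLE = "\n".join([
    "office.example.com,192.0.2.10 ssh-rsa " + FAKE_KEY,
    hash_host("office.example.com", SALT) + " ssh-rsa " + FAKE_KEY,
])
```

Because the HMAC covers exactly one string, a hashed line for "office.example.com" does not match "192.0.2.10" or a DynDNS name for the same machine, so each new name or address gets its own line.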
