Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] ssh keys
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Portage & Programming
View previous topic :: View next topic  
Author Message
dpaddy
Tux's lil' helper
Tux's lil' helper


Joined: 25 Jun 2008
Posts: 103

PostPosted: Tue Apr 25, 2017 8:27 pm    Post subject: [SOLVED] ssh keys Reply with quote

According to Ramanujan, the goddess Namagiri revealed things to him in dreams...

1) Correct entries for /etc/ssh/ssh_known_hosts surely can be somehow obtained without help from Namagiri ... but how?

I am not looking for the sort of answers I've found on the web (vulnerable to man-in-the-middle, or "ask the admin" -- evidently the admin gets answers from Namagiri).
I found /etc/ssh/ssh_host_ed25519_key.pub and the better web pages lead me to believe ssh-keygen was the answer, but
Code:
# ssh-keygen -vlf /etc/ssh/ssh_host_ed25519_key.pub
sshkey_new failed

2) I'm not happy with ed25519... How do I generate rsa keys with lots of bits? Following https://wiki.gentoo.org/wiki/SSH (with default number of bits) gives
Code:
# /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
unknown key type rsa
Moreover,
Code:
# ssh-keygen -t rsa
unknown key type rsa

It's already been a long month...


Last edited by dpaddy on Wed Apr 26, 2017 3:31 pm; edited 3 times in total
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5235

PostPosted: Tue Apr 25, 2017 8:32 pm    Post subject: Reply with quote

Why are you using that weird command instead of just ssh-keyscan?

The (old, bloated, less secure) RSA keys require OpenSSL, rebuild OpenSSH with the correct use flags for that.
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10127
Location: Somewhere over Atlanta, Georgia

PostPosted: Tue Apr 25, 2017 8:38 pm    Post subject: Re: ssh keys Reply with quote

dpaddy wrote:
1) Correct entries for /etc/ssh/ssh_known_hosts surely can be somehow obtained without help from Namagiri ... but how?
Automatically. The first time you connect to a particular host, you'll get a prompt:
Code:
The authenticity of host 'secmt-service02 (10.45.17.35)' can't be established.
ECDSA key fingerprint is SHA256:A9cYDID+mc69HZJdBAIJ3exv8pfRS5Rs/G/DYCbLzzA.
Are you sure you want to continue connecting (yes/no)?
Answering "yes" to this prompt populates ~/.ssh/known_hosts with the public key provided during protocol negotiation. Verify the fingerprint to whatever level your security paranoia requires (something above no verification at all).

dpaddy wrote:
2) I'm not happy with ed25519... How do I generate rsa keys with lots of bits? Following https://wiki.gentoo.org/wiki/SSH (with default number of bits) gives
Code:
# /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
unknown key type rsa
Moreover,
Code:
# ssh-keygen -t rsa
unknown key type rsa
Works here:
Code:
$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/johngrah/.ssh/id_rsa): ^C
Can you provide the output of
Code:
sudo equery list -i openssh
please?

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
dpaddy
Tux's lil' helper
Tux's lil' helper


Joined: 25 Jun 2008
Posts: 103

PostPosted: Tue Apr 25, 2017 8:42 pm    Post subject: Reply with quote

So... how is ssh-keyscan immune to man-in-the middle? Presumably avoiding man-in-the middle requires the conceptual equivalent of:

1) Gaining physical access to the machine whose public ssh host key one desires (not a problem).
2) Typing some command on that machine ... but WHAT command?
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5235

PostPosted: Tue Apr 25, 2017 8:43 pm    Post subject: Reply with quote

dpaddy wrote:
So... how is ssh-keyscan immune to man-in-the middle?

It looks up the key fingerprints via DNSSEC, if the sysadmin has bothered to configure their zone file properly.
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10127
Location: Somewhere over Atlanta, Georgia

PostPosted: Tue Apr 25, 2017 8:48 pm    Post subject: Reply with quote

Ant P. wrote:
...The (old, bloated, less secure) RSA keys require OpenSSL, rebuild OpenSSH with the correct use flags for that.
You have to work at it not to get RSA support. The correct USE flags default to on.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
dpaddy
Tux's lil' helper
Tux's lil' helper


Joined: 25 Jun 2008
Posts: 103

PostPosted: Tue Apr 25, 2017 8:49 pm    Post subject: Reply with quote

Code:
 # equery list -i openssh
 * Searching for openssh ...
[IP-] [  ] net-misc/openssh-7.3_p1-r7:0


Am I correct in believing /etc/ssh/ssh_known_hosts should contain the public keys?
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10127
Location: Somewhere over Atlanta, Georgia

PostPosted: Tue Apr 25, 2017 8:52 pm    Post subject: Reply with quote

Yep. My openssh USE flags for reference:
Code:
~ $ sudo emerge -1vp openssh
...
[ebuild   R    ] net-misc/openssh-7.3_p1-r7::gentoo  USE="X hpn ldap pam pie ssl -X509 -bindist -debug -kerberos -ldns -libedit (-libressl) -livecd -sctp (-selinux) -skey -ssh1 -static {-test}" 0 KiB
...
- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
dpaddy
Tux's lil' helper
Tux's lil' helper


Joined: 25 Jun 2008
Posts: 103

PostPosted: Tue Apr 25, 2017 8:52 pm    Post subject: Reply with quote

I don't mind so much trading age and bloat for security... What is the "new" and "without bloat" alternative which allows me to specify a large number of bits (and what is the relevant package to emerge)?
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10127
Location: Somewhere over Atlanta, Georgia

PostPosted: Tue Apr 25, 2017 9:04 pm    Post subject: Reply with quote

Elliptic Curve cryptography is alleged with pretty good evidence to achieve a given level of security with fewer bits. See the comparison chart here. So don't freak out that the keys are much shorter. Furthermore, ECC is more complicated in that there's more than just the length to specify. Collectively, these are called the "domain parameters" of a given ECC curve. The parameters include the order of the field on which the curve is calculated, but several other things as well. Also, there are more pifalls with ECC, so it's best to use professionally prepared domain parameters. "ed25519" selects one of those professionally prepared sets, but you don't have the ability to specify the number of bits (it's 256 bits, or, more accurately, over a prime field of order (2**255 - 19).

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
dpaddy
Tux's lil' helper
Tux's lil' helper


Joined: 25 Jun 2008
Posts: 103

PostPosted: Tue Apr 25, 2017 9:17 pm    Post subject: Reply with quote

The emerge with the new flags fixed things, thanks :D

At this point I can visit the machines to which I'ld like to be able to ssh -- so as to collect from them what should go into /etc/ssh/ssh_known_hosts (on my machine, not those I'm visiting) -- but what should be in /etc/ssh/ssh_known_hosts on my machine?

Do I collect /ssh_host_rsa_key.pub, or the "key fingerprint" ... would either do? If either would work, would the "key fingerprint" be less secure (why / why not)?
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 41417
Location: 56N 3W

PostPosted: Tue Apr 25, 2017 9:35 pm    Post subject: Reply with quote

dpaddy,

When you generate key pairs, ssh-keygen showns you the key fingerprint.

When you connect to a host, for which you don't have the public key in your known_hosts, ssh shows you the fingerprint for that host.
Verify that both fingerprints are identical. if they are type 'yes' (the full word is required) to add the key to your known_hosts.

The only time you edit known_hosts directly is to delete a key when for some reason, you want tn change a host key.

You compare fingerprints. Everything else just works.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
dpaddy
Tux's lil' helper
Tux's lil' helper


Joined: 25 Jun 2008
Posts: 103

PostPosted: Tue Apr 25, 2017 9:44 pm    Post subject: Reply with quote

I infer from
Quote:
... for which you don't have the public key in your known_hosts ...
that the the public key goes in known_hosts, not its fingerprint.

Thanks :wink:
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 41417
Location: 56N 3W

PostPosted: Tue Apr 25, 2017 9:54 pm    Post subject: Reply with quote

dpaddy,

Correct. Do a test.
Code:
 ssh 127.0.0.1


Code:
$ ssh 127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:EbB2H8j1NeNow9hZfVOGZolpS9ui+bVWxGAfz5yfdvQ.
Are you sure you want to continue connecting (yes/no)?


Check the fingerprint.
Enter yes
Code:
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.

Complete the login.

Look in
Code:
less .ssh/known_hosts
You will have an entry for 127.0.0.1

Other than testing, connect to the loopback interface is not very useful, so you may as well remove that key from known_hosts
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Portage & Programming All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum