SSH Fingerprint
Amit Uttamchandani
2009-12-11 00:11:16 UTC
Hi,

There is a remote box (an embedded system running a proprietary ssh
server) that I log in to for the first time and it generates a key for
acceptance. That is all good. However, every time the network admin
resets the remote box to default configuration the key changes and I
have to manually edit the host file to remove the old key.

Resetting to default config on the box simply just restores the settings
to factory defaults.

Is this expected behavior? What defines a fingerprint?

Thanks,
Amit
Robert Hajime Lanning
2009-12-14 22:52:05 UTC
The fingerprint is a hash of the public key.

What is happening is that the system is deleting the server key pair
every time it gets reset to defaults. With no key, the system generates
a brand new key pair.

Unless you can have the network admin restore the old server key after
resets, you are going to have this issue.

--
And, did Galoka think the Ulus were too ugly to save?
-Centauri
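
The point made in the reply above (the fingerprint is a hash of the public key, so a regenerated key pair yields a new fingerprint), as an added example that is not part of the original thread. The two key lines are built from constructed bytes, not real host keys, and the helper names are hypothetical.

```python
import base64
import hashlib
import struct


def make_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build an ssh-ed25519 public key line from 32 constructed key bytes."""
    ktype = b"ssh-ed25519"
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(raw32)) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def key_blob(pubkey_line: str) -> bytes:
    """Decode the base64 key blob and check its embedded type against the label."""
    ktype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != ktype:
        raise ValueError("key type label does not match key blob")
    return blob


def fingerprint_sha256(pubkey_line: str) -> str:
    """Current OpenSSH style: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(pubkey_line: str) -> str:
    """Older OpenSSH style: colon-separated hex of MD5(blob)."""
    hexd = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def host_key_matches(pinned_fp: str, presented_line: str) -> bool:
    """True if the key the server presents hashes to the fingerprint accepted earlier."""
    return fingerprint_sha256(presented_line) == pinned_fp


# Constructed sample data: the host key before and after a factory reset.
KEY_BEFORE_RESET = make_pubkey_line(bytes(range(32)))
KEY_AFTER_RESET = make_pubkey_line(bytes(range(32, 64)))

if __name__ == "__main__":
    pinned = fingerprint_sha256(KEY_BEFORE_RESET)
    print("pinned:     ", pinned, fingerprint_md5(KEY_BEFORE_RESET))
    print("after reset:", fingerprint_sha256(KEY_AFTER_RESET))
    print("still trusted?", host_key_matches(pinned, KEY_AFTER_RESET))
```
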
W***@tatravelcenters.com
2009-12-14 23:30:55 UTC
Yes, this is the expected behavior, and this is what you want it to do.
When the remote box is reset to a default configuration (I'm assuming this
means the existing files are wiped out, such as restored from a firmware
backup), it loses its key.

Now, if you wish, you can save the host keys, public key, and private
keys, from the remote box into a secure location, then you can copy them
back in place on the remote box when it is reset to a default
configuration.

Chris Wood
TravelCenters of America
Shop Systems Linux Administrator
***@tatravelcenters.com



Peter Valdemar Mørch (Lists)
2009-12-15 09:54:14 UTC
And there is a reason for the madness: To prevent man in the middle
attacks. Once you've accepted the key, if it ever changes (on a "normal"
system) that could very well indicate a man-in-the-middle attack.

Peter
--
Peter Valdemar Mørch
http://www.morch.com
Amit Uttamchandani
2009-12-15 23:01:27 UTC
Post by Peter Valdemar Mørch (Lists)
And there is a reason for the madness: To prevent man in the middle
attacks. Once you've accepted the key, if it ever changes (on a
"normal" system) that could very well indicate a man-in-the-middle
attack.
That makes sense. I guess I was confused with the term fingerprint. I
thought in the normal sense a fingerprint is unique and would never
change (thinking of human fingerprints).

Thanks for clarifying and thanks to others that replied.

Amit
