[rlug] ssh over http proxy ==> remote host identification has changed

Mihai Osian mihai.osian at gmail.com
Wed Nov 6 17:55:48 EET 2019


  Hi,

At my workplace an HTTP proxy is used for outbound connections. In the
browser the proxy is configured automatically and looks something like
    http://pac.companyproxy.com:9512/proxy.pac

My ambition is to connect with ssh to my computer at home. Reading
howtos, I arrived at the following formula:

  ssh eu at acasa.com -o "ProxyCommand ~/bin/corkscrew pac.companyproxy.com
9512 www.acasa.com 22 ~/.ssh/auth"

This "corkscrew" is a small program that connects to the proxy using
HTTP and sends the username+password for authentication (specified in
~/.ssh/auth or in an environment variable). Running the line above I get
this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:OhXPy3SjwV3zei5RGwCaQ4zFIVYfDvl/B+WAuDiGQgw.
Please contact your system administrator.
Add correct host key in /auto/home/mih/.ssh/known_hosts to get rid of this
message.
Offending RSA key in /etc/ssh/ssh_known_hosts:627
RSA host key for <acasa> has changed and you have requested strict checking.
Host key verification failed.

Line 627 of /etc/ssh/ssh_known_hosts looks like this:
mih at dhws039: sed '627!d' /etc/ssh/ssh_known_hosts
*,<proxy_ip_prefix>.* ssh-rsa AAAAB3Nza[...]

If I run ssh with "-vv" I see this:
  ssh -vv mike at acasa.com -o "ProxyCommand ~/bin/corkscrew
pac.companyproxy.com 9512 www.acasa.com 22 ~/.ssh/auth"

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /auto/home/mih/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 51: Applying options for *
debug1: Executing proxy command: exec /auto/home/mih/bin/corkscrew
pac.<proxy>.com 9512 <acasa> 22 /auto/home/mih/.ssh/auth
debug1: permanently_drop_suid: 10336
debug1: identity file /auto/home/mih/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
[...]
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4

*debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420
debug1: match: OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420 pat OpenSSH_6.6.1* compat 0x04000000*
debug1: Authenticating to acasa:22 as 'mike'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256 at libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none
debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa
SHA256:OhXPy3SjwV3zei5RGwCaQ4zFIVYfDvl/B+WAuDiGQgw
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:OhXPy3SjwV3zei5RGwCaQ4zFIVYfDvl/B+WAuDiGQgw.
Please contact your system administrator.
Add correct host key in /auto/home/mih/.ssh/known_hosts to get rid of this
message.
Offending RSA key in /etc/ssh/ssh_known_hosts:627
RSA host key for erebus has changed and you have requested strict checking.
Host key verification failed.
mih at dhws039:

The highlighted line above ("*OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420*") is
the server at home, so it gets that far, but then it goes haywire. Also,
run on its own from the command line, the little corkscrew program does
its job:

mih at dhws039: /auto/home/mih/bin/corkscrew <proxy> 9512 <acasa> 22
/auto/home/mih/.ssh/auth
SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420

Can someone explain to me what is happening? How does ssh obtain the server
keys, and why does it end up confusing them with the ones from the proxy?

Mihai
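
Added example, not part of the original message: a simplified Python model of how an OpenSSH client picks known_hosts entries for a host name, showing that a line whose pattern list contains a bare `*` (as in line 627 quoted above) applies to every host name, including one reached through a ProxyCommand. The `10.20.*` prefix, host names and key blobs are constructed placeholders, and markers and hashed entries are skipped as a simplification.

```python
import re

def _glob(pattern):
    # known_hosts patterns have exactly two wildcards: '*' and '?'
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.compile(rx, re.IGNORECASE)

def line_matches(hosts_field, hostname):
    """True if the comma-separated pattern list accepts hostname.
    A matching '!pattern' rejects the line even if another pattern matched."""
    matched = False
    for pat in hosts_field.split(","):
        negated = pat.startswith("!")
        if _glob(pat[1:] if negated else pat).fullmatch(hostname):
            if negated:
                return False
            matched = True
    return matched

def matching_entries(text, hostname):
    """(line_no, key_type, key_blob) for each entry that applies to hostname."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split()
        # Simplification: comments, @markers and hashed (|1|...) names are skipped.
        if len(f) < 3 or f[0][0] in "#@|":
            continue
        if line_matches(f[0], hostname):
            hits.append((n, f[1], f[2]))
    return hits

def check(text, hostname, key_type, presented_blob):
    """('ok'|'changed'|'unknown', offending_line) for the key the server sent."""
    same_type = [e for e in matching_entries(text, hostname) if e[1] == key_type]
    if any(e[2] == presented_blob for e in same_type):
        return "ok", None
    return ("changed", same_type[0][0]) if same_type else ("unknown", None)

# Constructed sample: 10.20.* stands in for the elided <proxy_ip_prefix>,
# and the key blobs are fake placeholders, not real keys.
SAMPLE = """\
# site-wide known_hosts, constructed for illustration
build01.example.com ssh-rsa AAAAFAKEKEYBUILD
*,10.20.* ssh-rsa AAAAFAKEKEYSITE
"""

if __name__ == "__main__":
    print(matching_entries(SAMPLE, "acasa.com"))
    print(check(SAMPLE, "acasa.com", "ssh-rsa", "AAAAFAKEKEYHOME"))
```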