[rlug] ssh over http proxy ==> remote host identification has changed

Marius Luca luca.marius.mihai at gmail.com
Mon Nov 11 14:34:20 EET 2019


For me, at some point (after a few years), corkscrew stopped working and I
switched to httptunnel.
Regarding the unclear point above: it is probably asking you interactively how
to treat the server's unknown ssh key (with the emphasis on "interactively") -
ergo, it dies.
The fix is:
StrictHostKeyChecking=accept-new // preferred
StrictHostKeyChecking=no               // trade-off on security
--
Have a nice one,
Marius Luca


On Fri, Nov 8, 2019 at 3:41 PM Mihai Osian <mihai.osian at gmail.com> wrote:

>   Hmm, it's still not very clear to me what's going on, but the problem goes
> away if I manually add my server's key to .ssh/known_hosts
>
> cat ~/.ssh/known_hosts
> server.acasa.com ecdsa-sha2-nistp256 AAAAE2V[...]
>
> ssh user@*www*.acasa.com -o [...]
>   ==> REMOTE HOST IDENTIFICATION HAS CHANGED
>
> ssh user@*server*.acasa.com -o [...]
>   ==> ok
>
> Apparently, if it does not find an explicit key, it pattern-matches against
> the domain/IP that corresponds to the proxy (in /etc/ssh/known_hosts).
>
> Mihai
>
>
>
>
> On Wed, Nov 6, 2019 at 3:55 PM Mihai Osian <mihai.osian at gmail.com> wrote:
>
> >   Hi,
> >
> > At my workplace an HTTP proxy is used for connections to the outside. In
> > the browser the proxy is configured automatically and looks something like
> >     http://pac.companyproxy.com:9512/proxy.pac
> >
> > My ambition is to connect with ssh to my computer at home. Reading howtos
> > I arrived at the following formula:
> >
> >   ssh eu at acasa.com -o "ProxyCommand ~/bin/corkscrew pac.companyproxy.com
> > 9512 www.acasa.com 22 ~/.ssh/auth"
> >
> > This "corkscrew" is a small program that connects to the proxy over HTTP
> > and sends username+password for authentication (specified in ~/.ssh/auth
> > or in an environment variable). Running the line above I get this:
> >
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> > Someone could be eavesdropping on you right now (man-in-the-middle
> > attack)!
> > It is also possible that a host key has just been changed.
> > The fingerprint for the RSA key sent by the remote host is
> > SHA256:OhXPy3SjwV3zei5RGwCaQ4zFIVYfDvl/B+WAuDiGQgw.
> > Please contact your system administrator.
> > Add correct host key in /auto/home/mih/.ssh/known_hosts to get rid of
> > this message.
> > Offending RSA key in /etc/ssh/ssh_known_hosts:627
> > RSA host key for <acasa> has changed and you have requested strict
> > checking.
> > Host key verification failed.
> >
> > Line 627 of /etc/ssh/ssh_known_hosts looks like this:
> > mih at dhws039: sed '627!d' /etc/ssh/ssh_known_hosts
> > *,<proxy_ip_prefix>.* ssh-rsa AAAAB3Nza[...]
> >
> > If I run ssh with "-vv" I see this:
> >   ssh -vv mike at acasa.com -o "ProxyCommand ~/bin/corkscrew
> > pac.companyproxy.com 9512 www.acasa.com 22 ~/.ssh/auth"
> >
> > OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
> > debug1: Reading configuration data /auto/home/mih/.ssh/config
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: /etc/ssh/ssh_config line 51: Applying options for *
> > debug1: Executing proxy command: exec /auto/home/mih/bin/corkscrew
> > pac.<proxy>.com 9512 <acasa> 22 /auto/home/mih/.ssh/auth
> > debug1: permanently_drop_suid: 10336
> > debug1: identity file /auto/home/mih/.ssh/id_rsa type 1
> > debug1: key_load_public: No such file or directory
> > [...]
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_7.4
> >
> > *debug1: Remote protocol version 2.0, remote software version
> > OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420
> > debug1: match: OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420 pat OpenSSH_6.6.1* compat
> > 0x04000000*
> > debug1: Authenticating to acasa:22 as 'mike'
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug1: kex: algorithm: curve25519-sha256 at libssh.org
> > debug1: kex: host key algorithm: ssh-rsa
> > debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC:
> > <implicit> compression: none
> > debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC:
> > <implicit> compression: none
> > debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
> > debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
> > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> > debug1: Server host key: ssh-rsa
> > SHA256:OhXPy3SjwV3zei5RGwCaQ4zFIVYfDvl/B+WAuDiGQgw
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> > Someone could be eavesdropping on you right now (man-in-the-middle
> > attack)!
> > It is also possible that a host key has just been changed.
> > The fingerprint for the RSA key sent by the remote host is
> > SHA256:OhXPy3SjwV3zei5RGwCaQ4zFIVYfDvl/B+WAuDiGQgw.
> > Please contact your system administrator.
> > Add correct host key in /auto/home/mih/.ssh/known_hosts to get rid of
> > this message.
> > Offending RSA key in /etc/ssh/ssh_known_hosts:627
> > RSA host key for erebus has changed and you have requested strict
> > checking.
> > Host key verification failed.
> > mih at dhws039:
> >
> > The line highlighted above ("*OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420") *is
> > the home server, so it gets that far, but then it goes off the rails. Also,
> > run on its own from the command line, the corkscrew program does its job:
> >
> > mih at dhws039: /auto/home/mih/bin/corkscrew <proxy> 9512 <acasa> 22
> > /auto/home/mih/.ssh/auth
> > SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420
> >
> > Can someone enlighten me as to what is going on? How does ssh obtain the
> > server keys, and why does it end up confusing them with the proxy's?
> >
> > Mihai
> >
> >
> _______________________________________________
> RLUG mailing list
> RLUG at lists.lug.ro
> http://lists.lug.ro/mailman/listinfo/rlug_lists.lug.ro
>
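As an added example (not from the thread and not OpenSSH's own code), the script below re-implements the known_hosts lookup that bites here: a host field such as `*,<prefix>.*` matches every hostname, so the real server's key of the same type is reported as CHANGED against the proxy's key, while an entry naming the host with the right key yields OK. File contents and keys are constructed placeholders.

```python
"""Which known_hosts lines does the ssh client compare a host against?
Re-implements the OpenSSH lookup: comma-separated host patterns with '*' and
'?', '!' negation, hashed '|1|salt|hmac' fields, and the OK/CHANGED/NEW verdict."""
import base64, hashlib, hmac, re

# Constructed files; the wildcard line plays the part of the thread's line 627.
SYSTEM_KNOWN_HOSTS = "*,10.20.* ssh-rsa AAAAB3NzaPROXYKEY\n"
USER_KNOWN_HOSTS = "server.acasa.com ssh-rsa AAAAB3NzaHOMEKEY\n"

def _glob_to_re(pat):
    # OpenSSH host patterns know only '*' and '?', no character classes.
    return "^" + re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".") + "$"

def hash_host_field(hostname, salt):
    """Hashed host field as 'ssh-keygen -H' writes it: HMAC-SHA1 keyed by salt."""
    mac = hmac.new(salt, hostname.lower().encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(hostname, host_field):
    """True if this known_hosts host field applies to hostname."""
    host = hostname.lower()
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    matched = False
    for pat in host_field.lower().split(","):
        if re.match(_glob_to_re(pat.lstrip("!")), host):
            if pat.startswith("!"):
                return False  # a matching negated pattern vetoes the whole line
            matched = True
    return matched

def matching_entries(known_hosts_text, hostname):
    """(line_no, host_field, key_type, key_b64) for every line matching hostname."""
    hits = []
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 3 and fields[0][0] != "#" and host_matches(hostname, fields[0]):
            hits.append((n, fields[0], fields[1], fields[2]))
    return hits

def verdict(entries, key_type, key_b64):
    """OK if a matching line holds this key, CHANGED if only other keys of its type, else NEW."""
    same_type = [e for e in entries if e[2] == key_type]
    if any(e[3] == key_b64 for e in same_type):
        return "OK"
    return "CHANGED" if same_type else "NEW"
```

Feed it the user and system files together (that is how the client combines them) and the line numbers in the result are the "Offending key in ...:N" lines ssh would print.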
