Securely Log In to Another Computer


ssh

Because Unix was built with networking in mind, it's no surprise that early developers created programs that allow users to connect to other machines so they can run programs, view files, and access resources. For a long time, telnet was the program to use, but it had a huge problem: it was completely insecure. Everything you send using telnet (your username, password, and all commands and data) goes across the network without any encryption at all. Anyone listening in can see everything, and that's just not good.

To combat this problem, ssh (secure shell) was developed. It can do everything telnet can, and a lot more. Even better, all ssh traffic is encrypted, and ssh also checks the identity of the machine you're connecting to, which is what most of this section is about. If you need to connect to another machine, whether that computer is on the other side of the globe or in the next room, use ssh.

Let's say you want to use the ssh command from your laptop (named pound, and found at 192.168.0.15) to your desktop (named eliot, and located at 192.168.0.25) so you can look at a file. Your username on the laptop is ezra, but on the desktop it's tom. To SSH to eliot, you'd enter the following (you could also use domain names such as hoohah.granneman.com if one existed):

$ ssh tom@192.168.0.25
tom@192.168.0.25's password:
Linux eliot 2.6.12-10-386 #1 Mon Jan 16 17:18:08 UTC 2006 i686 GNU/Linux
Last login: Mon Feb 6 22:40:31 2006 from 192.168.0.15
[Listing truncated for length]


You're prompted for a password after you connect. Type it in (you won't see what you're typing, in order to prevent someone from "shoulder surfing" and discovering your password), press Enter, and if it's accepted, you see some information about the machine to which you just connected, including its name, kernel, date and time, and the last time you logged in. You can now run any command you're authorized to run on that machine as though you were sitting right in front of it. From the perspective of ssh and eliot, it doesn't matter where on earth you are: you're logged in and ready to go.

If this were the first time you'd ever connected to eliot, however, you would have seen a different message:

$ ssh tom@192.168.0.25
The authenticity of host '192.168.0.25 (192.168.0.25)' can't be established.
RSA key fingerprint is 54:53:c3:1c:9a:07:22:0c:82:7b:38:53:21:23:ce:53.
Are you sure you want to continue connecting (yes/no)?


Basically, ssh is telling you that it doesn't recognize this machine, and it's asking you to verify the machine's identity. Typing yes blindly means you're trusting whoever answered on that address; the safe way is to compare the fingerprint shown with one you obtained some other way, for example by running ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on eliot's own console. If the two match, type in yes, press Enter, and you get another message, along with the password prompt:

Warning: Permanently added '192.168.0.25' (RSA) to the list of known hosts.
tom@192.168.0.25's password:


From here things proceed normally. You only see this message the first time you connect to eliot because ssh stores eliot's public host key (the fingerprint it showed you is just a hash of that key) in a file on pound located at ~/.ssh/known_hosts. Take a look at that file, and you see a line has been added to it. Depending on whether the HashKnownHosts option has been enabled in your /etc/ssh/ssh_config file (or in your own ~/.ssh/config), that line appears in one of two formats. If HashKnownHosts is set to no, it looks something like this:

192.168.0.25 ssh-rsa SkxPUQLYqXSzknsstN6Bh2MHK5AmC6Epg4psdNL69R5pHbQi3kRWNNNNO3AmnP1lp2RNNNNOVjNN9mu5FZel6zK0iKfJBbLh/Mh9KOhBNtrX6prfcxO9vBEAHYITeLTMmYZLQHBxSr6ehj/9xFxkCHDYLdKFmxaffgA6Ou2ZUX5NzP6Rct4cfqAY69E5cUoDv3xEJ/gj2zv0bh630zehrGc=


You can clearly see the IP address, the key type (ssh-rsa), and the public key itself, base64-encoded (it is the key, not a hash of it), but that's nothing compared to what you'd see if HashKnownHosts is set to yes:

NNNNO3AmnP1lp2RNNNNOVjNNNVRNgaJdxOt3GIrh00lPD6KBIU1kaT6nQoJUMVTx2tWb5KiF/LLD4Zwbv2Z/j/0czCZIQNPwDUf6YiKUFFC6eagqpLDDB4T9qsOajOPLNinRZpcQoPlXf1u6j1agfJzqUJUYE+Lwv8yzmPidCvOuCZ0LQH4qfkVNXEQxmyy6iz6b2wp=


Now the machine's IP address or domain name is no longer readable. Only the host field is hashed (in a current OpenSSH known_hosts it begins with |1|, followed by a base64 salt and the salted HMAC-SHA1 of the host name); the key type and the key itself are stored exactly as before. This is good from a security standpoint, because anyone who gets a copy of your known_hosts can no longer read off a list of the machines you log in to, but it makes the file harder to maintain by hand if the host key on eliot should ever change. In other words, if you ever need to reinstall Linux on eliot (which generates new host keys), the next time you log in from pound you'll see this dire warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
19:85:59:5c:6a:24:85:53:07:7a:dc:34:37:c6:72:1b.
Please contact your system administrator.
Add correct host key in /home/pound/.ssh/known_hosts to get rid of this message.
Offending key in /home/pound/.ssh/known_hosts:8
RSA host key for 192.168.0.125 has changed and you have requested strict checking.
Host key verification failed.


The problem is that the host key on eliot has changed since the OS was reinstalled, and when ssh compares the key it stored for eliot in pound's known_hosts file with the new key, it sees a mismatch and warns you. Before you do anything else, make sure you know why the key changed: if you just reinstalled eliot, fine, but if you didn't, take the warning seriously, because this is exactly what an attacker impersonating eliot looks like from your end. Once you're satisfied, delete the line in pound's known_hosts that corresponds to eliot (the warning tells you which one; in the example above it's line 8), save the file, and reconnect. To ssh, this is the first time you've connected, so it asks if you want to accept the key. Check the fingerprint, say yes, and things are good again.

If eliot is the only machine you ever SSH to, finding the correct line to delete in known_hosts is easy because it's the only one. But if you connect to several machines and HashKnownHosts is on, the host fields tell you nothing by eye. Quick, which one of these represents hoohah.granneman.com?

  • AAAAB3NzaC1yc2EAAAABIwAAAIEAtnWqkBg3TVeu00yCQ6XOVH1xnG6aDbWHZIGk2gJo5XvS/YYQ4Mjoi2M/w/0pmPMVDACjQHs6LvXHSSP6rntdcYQQO4G9dfBnwBCYAvaEMcpDbCyKs1h6w1ntsWmdHWHLR+Yji8lmzCvqPiBhPM0YDU4dsxIAKRDkzll6vm6o2jc=

  • NNNNO3AmnP1lp2RNNNNOVjNNNVRNgaJdxOt3GIrh00lPD6KBIU1kaT6nQoJUMVTx2tWb5KiF/LLD4Zwbv2Z/j/0czCZIQNPwDUf6YiKUFFC6eagqpLDDB4T9qsOajOPLNinRZpcQoPlXf1u6j1agfJzqUJUYE+Lwv8yzmPidCvOuCZ0LQH4qfkVNXEQxmyy6iz6b2wp=

  • AAAAB3NzaC1yc2EAAAABIwAAAIEAtnWqkBg3TVeu00yCQ6XOVH1xnG6aDbWHZIGk2gJo5XvS/YYQ4Mjoi2M/w/0pmPMVDACjQHs6LvXHSSP6rntdcYQQO4G9dfBnwBCYAvaEMcpDbCyKs1h6w1ntsWmdHWHLR+Yji8lmzCvqPiBhPM0YDU4dsxIAKRDkzll6vm6o2jc=

Hard to tell, eh? You don't have to guess, though. The warning itself names the offending line (known_hosts:8 above), and ssh-keygen understands hashed entries: ssh-keygen -F hoohah.granneman.com prints the line that matches a host, and ssh-keygen -R hoohah.granneman.com removes it (keeping a copy of the old file as known_hosts.old). Deleting every line and re-accepting every key is the wrong fix, because it throws away exactly the protection the warning is giving you. If you really want to be able to read the file by eye, you can edit /etc/ssh/ssh_config as root and set HashKnownHosts to no, but then anyone who gets a copy of your known_hosts also gets a list of every machine you log in to.
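The two known_hosts formats shown earlier and the "which line is hoohah.granneman.com" problem above both come down to the structure of one line in that file. The following is an added worked example written for this page, not code from the Linux Phrasebook or from OpenSSH: it builds an ssh-rsa key blob in SSH wire format (which is why every such key begins with AAAAB3NzaC1yc2E), computes its fingerprints, produces both the plain and the hashed (HashKnownHosts) forms of an entry, reproduces ssh's three outcomes on connection (unknown host, matching key, changed key with the offending line number), and does what ssh-keygen -R does to a hashed entry. The key, the salt, the host names and the file contents are constructed for the demonstration; none is a real key.

```python
# Added worked example (not from the Linux Phrasebook): how ssh's known_hosts
# entries are built and checked. The key blob, salt, host names and file
# contents below are constructed for the demonstration; none is a real key.
import base64
import hashlib
import hmac
import struct


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    """SSH wire-format integer; a leading zero byte keeps it positive."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw and raw[0] & 0x80 else raw


def rsa_public_blob(e, n):
    """Binary 'ssh-rsa' public key as stored (base64) in known_hosts."""
    return _ssh_string(b"ssh-rsa") + _ssh_string(_mpint(e)) + _ssh_string(_mpint(n))


def encode_blob(blob):
    return base64.b64encode(blob).decode()


def fingerprint_md5(blob):
    """Colon-separated MD5 fingerprint, the format ssh printed in 2006."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob):
    """Fingerprint format current OpenSSH prints: unpadded base64 SHA-256."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hash_hostname(host, salt):
    """HashKnownHosts host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (encode_blob(salt), encode_blob(mac))


def host_field_matches(field, host):
    """True if a host field (plain, comma-separated list, or hashed) names host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in field.split(",")


def parse_known_hosts(text):
    """Yield (line_number, host_field, key_type, key_blob) for each entry."""
    for number, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        yield number, parts[0], parts[1], base64.b64decode(parts[2])


def check_host_key(text, host, presented_blob):
    """Simplified version of ssh's decision (one key type): 'unknown' means the
    first-connection prompt, 'match' a quiet login, 'changed' the REMOTE HOST
    IDENTIFICATION HAS CHANGED warning; the number is the offending line."""
    for number, host_field, _key_type, blob in parse_known_hosts(text):
        if host_field_matches(host_field, host):
            return ("match" if blob == presented_blob else "changed"), number
    return "unknown", None


def remove_host(text, host):
    """What 'ssh-keygen -R host' does: drop the lines naming host, hashed or not."""
    kept = [line for line in text.splitlines()
            if not (line.split() and not line.startswith("#")
                    and host_field_matches(line.split()[0], host))]
    return "\n".join(kept) + "\n"


# Constructed sample data: a fake 1024-bit modulus, a fixed salt (ssh draws 20
# random bytes), and a known_hosts file holding the same key in both formats.
FAKE_MODULUS = (1 << 1023) | int.from_bytes(hashlib.sha256(b"eliot").digest(), "big") | 1
ELIOT_BLOB = rsa_public_blob(65537, FAKE_MODULUS)
SALT = hashlib.sha1(b"constructed salt").digest()
KNOWN_HOSTS = "\n".join([
    "192.168.0.25 ssh-rsa " + encode_blob(ELIOT_BLOB),                                   # HashKnownHosts no
    hash_hostname("hoohah.granneman.com", SALT) + " ssh-rsa " + encode_blob(ELIOT_BLOB),  # HashKnownHosts yes
]) + "\n"

if __name__ == "__main__":
    print("eliot fingerprint:", fingerprint_md5(ELIOT_BLOB), fingerprint_sha256(ELIOT_BLOB))
    for number, host_field, key_type, blob in parse_known_hosts(KNOWN_HOSTS):
        print(number, host_field[:24] + "...", key_type, fingerprint_md5(blob))
    print(check_host_key(KNOWN_HOSTS, "hoohah.granneman.com", ELIOT_BLOB))
    print(check_host_key(KNOWN_HOSTS, "hoohah.granneman.com", rsa_public_blob(65537, (1 << 1023) | 3)))
    print(check_host_key(remove_host(KNOWN_HOSTS, "hoohah.granneman.com"), "hoohah.granneman.com", ELIOT_BLOB))
```

Run it with python3 to see the fingerprints and the three decisions. The point the hashed entry makes is that only the host field is hashed: both lines carry the same key and therefore print the same fingerprint, and a tool can still find the right line for a given host by recomputing the HMAC from the salt stored in the entry, which is how ssh-keygen -F and -R work and why there is no need to turn HashKnownHosts off just to clean up after a reinstall.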



Linux Phrasebook
ISBN: 0672328380
Year: 2007
Pages: 288

flylib.com © 2008-2017.