Multiple SSH public keys into a single file - ssh

I'm trying to sftp to a host which acts as a load balancer and routes to 3 other systems based on round robin.
Our public key is setup on their systems. Yet, when ever I try to connect, I get prompted with a "Man in Middle attack" message asking us to verify the key finger print. To over come this I tried adding their public host key into .ssh2/hostkeys/key22_22_hostname.pub file.
Problem is I can't add 3 keys into this file, it seems to accept only one key?
Any suggestions on how to overcome this issue or add 3 public keys into one key22_22_hostname.pub file?
This is on AIX system.

How about cheat and copy the one system's keys to the others? I know is sorta scummy but in this case, it might be appropriate.
I believe those keys are found in /etc or maybe /etc/ssh.

Related

Apache Mina Client Public key authentication

apache mina sshd authenticate client signatures
I found this link, I have implemented the PublicKeyAuthenticator's authenticate method and using KeyUtils.compareKeys method to compare the public key of the user stored and the incoming key. But its not matching. What is the format of the key that needs to be stored in the local to compare against the incoming public key? I have been breaking my head on this for the last few weeks and couldnt solve this. Please help.
I think the key should start with -----BEGIN RSA PRIVATE KEY----- to be recognizable by Apache Mina.
If you are using putty gen key, which starts with PuTTY-User-Key-File-2: ssh-rsa, there should be some tweaks to be made to work with these files,
something like:
PuttyKeyUtils.DEFAULT_INSTANCE.loadKeyPairs(Paths.get(privateKey), FilePasswordProvider.of(this.pwd)))
put a breakpoint on compareKeys() in KeyUtils, you will be able to see the keys being compared and try to find their type. I had a similar problem and for me turns it was not able to compare OpenSshCertificate type of public key.

How to discover other domain hosts using rtps_discovery

Recently, I try hard to use OpenDDS SSL in WAN network. But All my attempts to failed.
This is caused by the inability to find different hosts.
I realized one thing. OpenDDS security should use rtps_discovery, not InfoRepo, and it is difficult to find two hosts in different subnetworks via rtps_discovery.
I have been searched about discovering host by rtps_discovery option from SourceForge, github, and stackoverflow. But, No one successed in this manner.
https://sourceforge.net/p/opendds/mailman/message/36320180/
https://github.com/objectcomputing/OpenDDS/issues/854
So, my question is how to find the host using rtps_discovery on the WAN network.
here is my ini file:
[common]
DCPSGlobalTransportConfig=$file
DCPSSecurity=1
[domain/4]
DiscoveryConfig=uni_rtps
[rtps_discovery/uni_rtps]
SedpMulticast=0
ResendPeriod=2
SpdpSendAddrs=publisher's IP:56789
[transport/the_rtps_transport]
transport_type=rtps_udp
use_multicast=0
local_address=subscriber's IP:55555
please give me some ideas to solve this problem
It is really impossible to discover hosts in different subnetworks via rtps_discovery??
I'm finally success to communicate using rtps discovery!
It just SpdpSendAddrs attribute set 8410 port.
like this:
[common]
DCPSGlobalTransportConfig=$file
DCPSSecurity=1
[domain/4]
DiscoveryConfig=uni_rtps
[rtps_discovery/uni_rtps]
SedpMulticast=0
ResendPeriod=2
SpdpSendAddrs=subscriber's IP:8410
[transport/the_rtps_transport]
transport_type=rtps_udp
use_multicast=0
But, new question is that how to confirm this security function work properly??
When I capture packet by wireshrk, I can see the data not encryped.
I used OpenDDS Messenger security example.

Does phpseclib checking SSH fingerprints?

Long time ago, phpseclib was not checking SSH fingerprints. Does phpseclib now implement checking SSH fingerprints?
phpseclib has always had the ability to check fingerprints via the $ssh->getServerPublicHostKey() method. That method verifies that the host key is valid for the host and, if so, returns the host key for you to either save locally (be it to the DB or filesystem or whatever) or to check against the host key that you already have on file.
phpseclib has had this since the first release (0.1.0), which was over 10 years ago:
https://github.com/phpseclib/phpseclib/blob/0.1.0/phpseclib/Net/SSH2.php#L1586
https://github.com/phpseclib/phpseclib/blob/0.1.0/phpseclib/Net/SSH2.php#L745
In the initial release the signature would be checked regardless of whether or not you retrieved the host key. Now, the signature is only checked if you retrieve the host key.
That said, phpseclib's Crypt_RSA class didn't always have a getPublicKeyFingerprint() method:
https://github.com/phpseclib/phpseclib/blob/1.0.10/phpseclib/Crypt/RSA.php#L1850
Maybe that's what you're thinking of but if so that's completely irrelevant. The reason they exist is because of the following scenario:
You connect to a server, get the host public key and create a finger print from that. You call the operator of the server up and check your finger print with them. In the case of a 1024-bit RSA key it's more convenient to read someone 32 hexadecimal characters than it is to read someone 256 hexadecimal characters.
But then again, do you see yourself actually physically calling up the operator of an SSH server anyway?

Security from evil User

My X system uses public key to decrypt a cipher and do some work based on that. But user of the system whom i do not trust has access to the system, cipher and the key.
So what he can do is change the cipher, create another set of keys encrypt using private key and replace the cipher and public key both. So next time system will not know that message has change. I basically do not care if user can read it, my problem is he can not change it, so i thought of a MAC unfortunately that evil user can change the MAC as he has the access to the repository.
Big problem is that user going to always have unlimited access to cipher and the key(s) now how i can secure the whole thing?
Your problem appears to be one of key management. How do client programs obtain the server public key? Do they ask the server directly? Or do they get the server public key from some other independent source? Wouldn't the client become suspicious if the public key changed one day without notice?

Eucalyptus: getting private key from key pair through API / or injecting custom public key to instance

I'm probably having the most simple problem, but I'm still a bit at my wits end. Basically my problems are related to this command:
euca-run-instances -k mykey emi-104915A8
As you know, when starting up instance in Eucalyptus, either through API (as I actually am) or with the command above, the key pair has to be created. If I have understood right, eucalyptus injects the public key of that key pair to the instance. Now there's a method in API (using typica, btw) for creating such a key pair, but I believe when using that it's not possible to get the private key, which I would be needing, since I'd like to do some administrative stuff from external application.
So is it possible to get private keys through eucalyptus api? Or have you managed to find a good solution for injecting externally generated key pairs to instances? I'm between just making my own images and either fooling around with custom-user parameters, or just making some general key pair and putting that straight to image.
I'm just fooling around with Eucalyptus, and trying to get a hand of it, since I think it's best to get to know this cloud concept by trying to implement something on top of it :)
There is not much that can be done in this matter using Typica. I recommend creating the keypair by ssh-ing into the Cloud Controller and creating the keypair by euca-create-keypair command (all this through JAVA). You will get the private key as the output of the command. Save it into a file and carry on.
All the best !!!