Hello! I have a problem connecting to a remote host. I forgot the SSH password but I have the fingerprint of the SSH key. Is it possible to connect using just the fingerprint?
No. The fingerprint of the machine is just used to verify you're connecting to the machine you think you're connecting to. It is public information used to avoid Man in the Middle Attacks (MITM) on your SSH session.
Related
I've got an ec2 instance running as an SSH server, and recently needed to restart the instance. Upon restart, clients that were connecting through this SSH server started seeing connection errors related to the SSH fingerprint changing.
Deleting the existing fingerprint from known_hosts resolves the issue. But is there a way to prevent the server's fingerprint from changing, or to persist the existing fingerprint on restart?
If I ssh into host3.example.com 192.168.1.1, where host2.example.com also resolves to 192.168.1.1, is there any way for the remote machine to tell which hostname was used for the connection?
i.e. Does the ssh protocol send the remote name to the remote machine, like SNI in HTTPS?
(I am running an ssh server from within an application, so I am free to modify the ssh server to provide this information, if ssh clients provide it.)
As far as I know, there is no protocol extension like SNI for SSH. The DNS name (of the server) is not passed to the server by the client. See also this discussion.
Does the remote machine that I will be ssh'ing into require its own private key to be generated so that I can ssh into it from a local machine?
Yes. It is called the Host Key and it needs to exist before you ssh into the machine. It is used to validate the identity of the server and prevent Man in the Middle Attacks.
We have a small office server running Linux CentOS for internal use. I can connect to it externally, though, using PuTTY with SSH.
Since the server does not have any kind of SSL certificate, is using PuTTY SSH still secure?
Thanks
SSH does not depend on the SSL notion of signed certificate chains. SSH is using encryption, and certificates. You can also use user certificates instead of password-based authentication (recommended).
SSH depends on a TOFU (Time of first use) certificate validation. When you connect to the server, it asks you to verify the key. The client then remembers this key. If the server suddenly presents a different key (possibly a man in the middle attack), you will be unable to connect without manual intervention.
I set up an ec2 instance. In the security group, I opened up SSH 'tcp' port 80 for 0.0.0.0/0 (all open for testing purposes). I associated the instance with a private key. I downloaded the key and passed it while ssh-ing, but the RSA isn't authenticating. Any ideas?
ssh -i mykey.pem root@mydnsinfo.amazonaws.com
The authenticity of host 'mydns.amazonaws.com(IP)' can't be established.
RSA key finger print is FINGERPRINT
Are you sure you want to continue connecting (yes/no)?
Thank you in advance!!!
This is normal. Your SSH complains about the unknown host key. It always does when connecting to a new host for the first time. Just answer yes, connect and try again.
It should not complain for the second time.
The private key that you downloaded is for your 'root' account not for the whole host.
Securely configured EC2 instances will include the server SSH key fingerprint in the console output, which you can access over SSL before you try to connect over SSH. Then, when you connect over SSH, you need to make sure the fingerprint matches the console. You MUST do this to be able to securely connect to public EC2 instances.
Public EC2 instances generate a new server SSH key on each boot. This means that unless you do what I described above, you will be faced with an unknown host key warning a lot, and if you ignore that warning you will be throwing security out of the door; you just never know where you will be connecting to.
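The fingerprint check described in the answers above, as an added example (not code from any of the posters): it parses an `ssh-keyscan`-style host key line, recomputes the OpenSSH SHA256 fingerprint from the public key blob, and compares it with a value read from a trusted channel such as the EC2 console output. The host name, key bytes and `CONSOLE_FINGERPRINT` are constructed sample values.

```python
import base64
import hashlib
import struct


def wire_encode(*fields: bytes) -> bytes:
    """SSH wire format: each field is a 4-byte big-endian length plus data."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def parse_host_key_line(line: str):
    """Parse 'host keytype base64' (ssh-keyscan / known_hosts) -> (type, blob)."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected: host keytype base64-blob")
    key_type, blob = parts[1], base64.b64decode(parts[2], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    # The blob's own first field must repeat the key type named in the text.
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(line: str, expected: str) -> bool:
    """True only if the offered key hashes to the trusted fingerprint."""
    _, blob = parse_host_key_line(line)
    return sha256_fingerprint(blob) == expected.strip()


# Constructed sample data (not real host keys): 32-byte Ed25519 values.
BOOT1_BLOB = wire_encode(b"ssh-ed25519", bytes([1]) * 32)
BOOT2_BLOB = wire_encode(b"ssh-ed25519", bytes([2]) * 32)  # key regenerated
BOOT1_LINE = "host.example.com ssh-ed25519 " + base64.b64encode(BOOT1_BLOB).decode()
BOOT2_LINE = "host.example.com ssh-ed25519 " + base64.b64encode(BOOT2_BLOB).decode()
CONSOLE_FINGERPRINT = sha256_fingerprint(BOOT1_BLOB)  # stands in for console output

if __name__ == "__main__":
    print(CONSOLE_FINGERPRINT)
    print("first key accepted:  ", host_key_matches(BOOT1_LINE, CONSOLE_FINGERPRINT))
    print("changed key accepted:", host_key_matches(BOOT2_LINE, CONSOLE_FINGERPRINT))
```

The fingerprint is derived from the public key alone, which is why it can confirm which server you reached but cannot log you in.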