Mailing List Archive

SSH Fingerprint
Hi,

There is a remote box (an embedded system running a proprietary ssh
server) that I log in to for the first time and it generates a key for
acceptance. That is all good. However, every time the network admin
resets the remote box to default configuration the key changes and I
have to manually edit the host file to remove the old key.

Resetting to default config on the box simply just restores the settings
to factory defaults.

Is this expected behavior? What defines a fingerprint?

Thanks,
Amit
Re: SSH Fingerprint
The fingerprint is a hash of the public key.

What is happening is that the system is deleting the server key pair
every time it gets reset to defaults. With no key, the system generates
a brand new key pair.

Unless you can have the network admin restore the old server key after
resets, you are going to have this issue.

On Thu, Dec 10, 2009 at 4:11 PM, Amit Uttamchandani
<amit.uttam@gmail.com> wrote:
> Hi,
>
> There is a remote box (an embedded system running a proprietary ssh
> server) that I log in to for the first time and it generates a key for
> acceptance. That is all good. However, every time the network admin
> resets the remote box to default configuration the key changes and I
> have to manually edit the host file to remove the old key.
>
> Resetting to default config on the box simply just restores the settings
> to factory defaults.
>
> Is this expected behavior? What defines a fingerprint?
>
> Thanks,
> Amit

--
And, did Galoka think the Ulus were too ugly to save?
-Centauri
Re: SSH Fingerprint
Yes, this is the expected behavior, and this is what you want it to do.
When the remote box is reset to a default configuration (I'm assuming this
means the existing files are wiped out, such as restored from a firmware
backup), it loses its key.

Now, if you wish, you can save the host keys, public key, and private
keys, from the remote box into a secure location, then you can copy them
back in place on the remote box when it is reset to a default
configuration.

Chris Wood
TravelCenters of America
Shop Systems Linux Administrator
wood.chris@tatravelcenters.com



From: Amit Uttamchandani <amit.uttam@gmail.com>
To: OpenSSH Mailing List <secureshell@securityfocus.com>
Date: 12/14/2009 05:23 PM
Subject: SSH Fingerprint
Sent by: listbounce@securityfocus.com



Hi,

There is a remote box (an embedded system running a proprietary ssh
server) that I log in to for the first time and it generates a key for
acceptance. That is all good. However, every time the network admin
resets the remote box to default configuration the key changes and I
have to manually edit the host file to remove the old key.

Resetting to default config on the box simply just restores the settings
to factory defaults.

Is this expected behavior? What defines a fingerprint?

Thanks,
Amit
Re: SSH Fingerprint
And there is a reason for the madness: To prevent man in the middle
attacks. Once you've accepted the key, if it ever changes (on a "normal"
system) that could very well indicate a man-in-the-middle attack.

Peter
--
Peter Valdemar Mørch
http://www.morch.com
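As an added illustration of the two points made above (the fingerprint is a hash of the public key blob, and a changed key for a known host is what a client must treat as suspect), here is a small Python script that is not from the thread or from OpenSSH: it computes OpenSSH-style SHA256 and MD5 fingerprints and replays the reset scenario against a constructed known_hosts entry. The host name, address and key blobs are all constructed for the example and are not real keys.

```python
import base64
import hashlib

def parse_pubkey_line(line):
    """Split 'keytype base64blob [comment]' into (keytype, raw blob bytes)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    return fields[0], base64.b64decode(fields[1])

def fingerprint_sha256(blob):
    """OpenSSH-style SHA256 fingerprint: base64 digest with padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_md5(blob):
    """Legacy MD5 fingerprint: colon-separated hex bytes of the digest."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def check_host_key(known_hosts, host, offered_line):
    """Return 'new', 'match' or 'changed' (plain entries only, not HashKnownHosts)."""
    keytype, blob = parse_pubkey_line(offered_line)
    for entry in known_hosts.splitlines():
        parts = entry.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if host not in parts[0].split(",") or parts[1] != keytype:
            continue
        # Same host and key type: either the stored key matches or it changed
        return "match" if base64.b64decode(parts[2]) == blob else "changed"
    return "new"

def constructed_blob(seed):
    """Constructed, NOT a real key: an ssh-ed25519 wire-format shaped blob."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()  # 32 dummy bytes
    return len(name).to_bytes(4, "big") + name + len(key).to_bytes(4, "big") + key

def pubkey_line(blob):
    """Render a blob as the 'keytype base64' form found in known_hosts."""
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

# Constructed scenario from the thread: the box's key before and after a reset
OLD_BLOB = constructed_blob(b"factory-installed host key")
NEW_BLOB = constructed_blob(b"regenerated after reset to defaults")
KNOWN_HOSTS = "remotebox,192.0.2.10 " + pubkey_line(OLD_BLOB) + " amit@laptop\n"

if __name__ == "__main__":
    print("stored :", fingerprint_sha256(OLD_BLOB))
    print("offered:", fingerprint_sha256(NEW_BLOB))
    print("verdict:", check_host_key(KNOWN_HOSTS, "remotebox", pubkey_line(NEW_BLOB)))
```

The "changed" verdict is exactly the situation the client warns about: it cannot tell a factory reset from an interposed host, so only restoring the original host key (as suggested above) or verifying the new fingerprint out of band resolves it.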
Re: SSH Fingerprint
On Tue, Dec 15, 2009 at 10:54:14AM +0100, "Peter Valdemar Mørch (Lists)" wrote:
> And there is a reason for the madness: To prevent man in the middle
> attacks. Once you've accepted the key, if it ever changes (on a
> "normal" system) that could very well indicate a man-in-the-middle
> attack.
>

That makes sense. I guess I was confused with the term fingerprint. I
thought in the normal sense a fingerprint is unique and would never
change (thinking of human fingerprints).

Thanks for clarifying and thanks to others that replied.

Amit