On Sun, Aug 31, 2008 at 10:26:32PM +0100, Jonathan McDowell wrote:
> On Sun, Aug 31, 2008 at 10:17:55PM +0100, Chris G wrote:
> > You can connect with ssh using *password* authentication from anywhere but using public key authentication I think ssh needs to verify that the client is the host expected.
> By default an SSH public key works from anywhere. You *can* tie it down with 'from="pattern-list"' to only allow a key to be used from specific host(s), but without that all the distros/OSes I've used seem to default to access from anywhere.
I'm confused but I have also just tried an experiment.
I have connected out to a system where I have a login which I haven't used for a very long time.
When I connected from my home system (key not changed in a long time) to the remote system I got the following:-
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
b2:a3:b7:0a:0e:c0:d3:5c:2a:b3:69:bb:50:47:13:4e.
Please contact your system administrator.
Add correct host key in /home/chris/.ssh/known_hosts to get rid of this message.
Offending key in /home/chris/.ssh/known_hosts:9
RSA host key for cheddar.halon.org.uk has changed and you have requested strict checking.
Host key verification failed.

OK, that's not a surprise as the remote system has changed its key since I last connected.
I then fixed the above problem by removing the remote system's entry from my /home/chris/.ssh/known_hosts, then I logged in successfully with the following warning:-
The authenticity of host 'cheddar.halon.org.uk (195.177.253.180)' can't be established.
RSA key fingerprint is b2:a3:b7:0a:0e:c0:d3:5c:2a:b3:69:bb:50:47:13:4e.
Are you sure you want to continue connecting (yes/no)? yes
... and logged in successfully.
*Then* I tried logging in back from the remote system to my home system; it just asked for my password, and no public key authentication happened at all. I.e. it's *only* from systems listed in my authorized_keys file that public key authentication will happen, otherwise (if it's allowed) you just get password authentication.
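The two mechanisms in this thread live in different files: the "host identification has changed" warning comes from the *client's* known_hosts (it checks the server's host key, and is what Chris fixed by deleting the entry; `ssh-keygen -R cheddar.halon.org.uk` does the same without hand-editing), while Jonathan's `from="pattern-list"` is an option on a key line in the *server's* authorized_keys and is the only thing that ties a public key to particular source hosts. The script below is an added example, not code from the thread or from OpenSSH: it parses an authorized_keys file (constructed, with placeholder key material), reports which keys carry a `from=` restriction, and evaluates a simplified version of sshd's pattern-list matching (`*`, `?`, `!` negation, matched against hostname or IP; CIDR forms are not handled) for a given connecting host. The host and IP values are taken from the thread; the pattern lists and comments are assumptions.

```python
import re

# Constructed sample authorized_keys content; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# unrestricted key: usable from anywhere
ssh-rsa AAAAB3PLACEHOLDERKEY1 chris@home
from="*.halon.org.uk,195.177.253.*" ssh-rsa AAAAB3PLACEHOLDERKEY2 chris@cheddar
from="!bad.example.net,*.example.net",no-pty ssh-ed25519 AAAAC3PLACEHOLDERKEY3 backup
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def split_options(line):
    """Split an authorized_keys line into (options, rest) at the first unquoted space."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_options(opts):
    """Parse 'a,b="x,y",c' into a dict; commas inside quotes do not split."""
    items, buf, in_quotes = [], [], False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == "," and not in_quotes:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        items.append("".join(buf))
    result = {}
    for item in items:
        if "=" in item:
            name, value = item.split("=", 1)
            result[name] = value.strip('"')
        else:
            result[item] = True
    return result


def parse_line(line):
    """Return a dict for one key line, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    opts, rest = ("", line) if first in KEY_TYPES else split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not an authorized_keys line: %r" % line)
    return {"options": parse_options(opts), "type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) > 2 else ""}


def pattern_matches(pattern, value):
    """ssh(1) PATTERNS semantics: '*' any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def pattern_list_allows(pattern_list, host, ip):
    """Simplified from= evaluation: a matching negated pattern denies outright,
    otherwise at least one positive pattern must match the hostname or the IP."""
    positive_hit = False
    for pattern in pattern_list.split(","):
        pattern = pattern.strip()
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        hit = pattern_matches(pattern, host) or pattern_matches(pattern, ip)
        if negate and hit:
            return False
        if hit:
            positive_hit = True
    return positive_hit


def key_allowed_from(entry, host, ip):
    """A key with no from= option is accepted from any source host."""
    from_list = entry["options"].get("from")
    return True if from_list is None else pattern_list_allows(from_list, host, ip)


def audit(authorized_keys_text, host, ip):
    """For each key: (comment, usable from this host/IP, has a from= restriction)."""
    report = []
    for line in authorized_keys_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            report.append((entry["comment"], key_allowed_from(entry, host, ip),
                           "from" in entry["options"]))
    return report


if __name__ == "__main__":
    for comment, usable, restricted in audit(SAMPLE_AUTHORIZED_KEYS,
                                             "cheddar.halon.org.uk", "195.177.253.180"):
        print("%-14s usable=%-5s from-restricted=%s" % (comment, usable, restricted))
```

Run against a real authorized_keys, the third column is the useful audit output: any key reported as not from-restricted is exactly the "works from anywhere" case Jonathan describes, and the thread's observation that password authentication was offered instead of a key says nothing about from= (it means no key the client offered matched any line in the server's file at all).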