On 31 Aug 22:35, Chris G wrote:
On Sun, Aug 31, 2008 at 10:26:32PM +0100, Jonathan McDowell wrote:
On Sun, Aug 31, 2008 at 10:17:55PM +0100, Chris G wrote:
You can connect with ssh using *password* authentication from anywhere but using public key authentication I think ssh needs to verify that the client is the host expected.
By default an SSH public key works from anywhere. You *can* tie it down with 'from="pattern-list"' to only allow a key to be used from specific host(s), but without that all the distros/OSes I've used seem to default to access from anywhere.
I'm confused but I have also just tried an experiment.
I have connected out to a system where I have a login which I haven't used for a very long time.
When I connected from my home system (key not changed in a long time) to the remote system I got the following:-
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    b2:a3:b7:0a:0e:c0:d3:5c:2a:b3:69:bb:50:47:13:4e.
    Please contact your system administrator.
    Add correct host key in /home/chris/.ssh/known_hosts to get rid of this message.
    Offending key in /home/chris/.ssh/known_hosts:9
    RSA host key for cheddar.halon.org.uk has changed and you have requested strict checking.
    Host key verification failed.
OK, that's not a surprise as the remote system has changed its key since I last connected.
Unsurprising as it probably had a blacklisted key...
I then fixed the above problem by removing the remote system's entry from my /home/chris/.ssh/known_hosts, then I logged in successfully with the following warning:-
    The authenticity of host 'cheddar.halon.org.uk (195.177.253.180)' can't be established.
    RSA key fingerprint is b2:a3:b7:0a:0e:c0:d3:5c:2a:b3:69:bb:50:47:13:4e.
    Are you sure you want to continue connecting (yes/no)? yes
... and logged in successfully.
Well done, so you're in the remote machine's authorized_keys file. Congrats.
*Then* I tried logging in back from the remote system to my home system, it just asked for my password, no public key authentication happened at all. I.e. it's *only* from systems listed in my authorized_keys file that public key authentication will happen, otherwise (if it's allowed) you just get password authentication.
*sigh* - right - had you added that machine's ~/.ssh/id_rsa.pub to your local authorized_keys? no. So I don't expect that to work. Also, it will only ask you for a password *if* the system you are logging in to has that authentication method (it's easily turned off so that you end up with key only auth). If password/pam/Keyboard Interactive are all turned off, it will not ask for a password. It's only from *KEYS* listed in your authorized_keys file that access is allowed. *KEYS* can be copied between systems. *KEYS* are not tied to a particular system. *KEYS* are generated with a default comment of user@host with user set to the user that generated them and host set to the host of the machine they were generated on. Host *KEYS* and user *KEYS* are separate; one identifies the remote system, one identifies the remote user. ALL of this is documented in the man pages.
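Since a key in authorized_keys works from anywhere unless it carries a from="pattern-list" option (as Jonathan notes above), an administrator's first check is which keys lack that restriction. The script below is an added example, not code from this thread: it parses authorized_keys lines following the OpenSSH option-quoting rules (quoted values may contain commas, spaces and backslash-escaped quotes) and lists the keys usable from any host. The sample file, key blobs and host patterns are constructed for the example.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

def split_options(line):
    """Parse the leading options field into ({name: value}, rest_of_line); flags map to None."""
    opts, name, value, quoted, i = {}, "", None, False, 0
    while i < len(line):
        c = line[i]
        if quoted:
            if c == "\\" and line[i + 1:i + 2] == '"':
                value, i = value + '"', i + 1      # \" inside quotes is a literal quote
            elif c == '"':
                quoted = False
            else:
                value += c
        elif c == '"':
            quoted, value = True, value or ""
        elif c == "=" and value is None:
            value = ""
        elif c == ",":
            opts[name], name, value = value, "", None
        elif c.isspace():
            break                                  # unquoted space ends the options field
        elif value is not None:
            value += c
        else:
            name += c
        i += 1
    if name:
        opts[name] = value
    return opts, line[i:].strip()

def parse_line(line):
    """Return (options, keytype, comment) for a key line; None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, rest = ({}, line) if line.startswith(KEY_TYPES) else split_options(line)
    fields = rest.split(None, 2)                   # keytype, base64 blob, optional comment
    if len(fields) < 2:
        return None
    return opts, fields[0], fields[2] if len(fields) > 2 else ""

def unrestricted_keys(text):
    """Comments (or key types) of keys that carry no from= source restriction."""
    parsed = [p for p in map(parse_line, text.splitlines()) if p]
    return [comment or keytype for opts, keytype, comment in parsed if "from" not in opts]

SAMPLE = """\
# constructed sample authorized_keys for this example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed== chris@home
from="*.example.org,!untrusted.example.org",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed== chris@laptop
command="echo \\"hi there\\"",no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed backup@nas
"""
```

Running unrestricted_keys(SAMPLE) reports chris@home and backup@nas; chris@laptop is accepted only from hosts matching the from= pattern list.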