1

x2goclient (on Windows) shows a different ssh host key hash than the output of ssh-keygen -lf /etc/ssh/ssh_host_key_$cypher_ley.pub -E md5 on the host. Connecting with other ssh clients from the same machine works fine (x2goclient comes with own ssh client).

Interestingly, connecting to different hosts produces different (wrong) host keys. I say interestingly, because I'd imagine a man-in-the-middle attempt to use the same middle-host.

PyHoca (the alternative x2go client) reports the right host keys, but it has strange fatal errors about an invalid EC key when connecting to one host (using pubkey auth), and not being able to find user's home directory with another host (using password auth). Again, connecting to any of these hosts works fine with other ssh clients.

I'm mentioning PyHoca, because, while I initially presumed that it was under-maintained and broken, maybe something more nefarious is taking place. Both of these projects are hosted under https://code.x2go.org

Windows x2goclient version is the latest one (4.1.2.0-2018.06.22) downloaded from the official site. Provided sha1 hash matches.

Is there a non-malicious explanation? Care to suggest next steps?

Dominykas Mostauskis
  • 499
  • 5
  • 7
  • There are many non-malicious explanations, the simplest being a bug in the code. –  Nov 06 '19 at 14:43
  • @MechMK1 is that plausible, given that the release is one and a half years old? – Dominykas Mostauskis Nov 06 '19 at 15:12
  • I can't vouch for the plausibility of bugs in a project I don't use, but it seems possible that the client interprets the fingerprint wrong (e.g. picks the wrong algorithm). That's just a guess though –  Nov 06 '19 at 15:19
  • There are several keys (ECDSA, RSA, ED25519...) that could be used to authentify he remote server, and different algorithms that might be used for generating the fingerprint. It will _probably_ match a different combination. – Ángel Nov 07 '19 at 00:45
  • @Ángel I checked against all the host_keys, and I presumed that the fingerprint was in md5. Is there another hash algo that produces md5-looking fingerprints? – Dominykas Mostauskis Nov 08 '19 at 09:51

1 Answers1

1

Well, somehow x2goclient is using sha1 shown as hex. It's not that simple to print your fingerprint in sha1 hex format (default is base64) but you can do it with this command:

awk '{print $2}' ~/.ssh/id_xxx.pub | openssl base64 -d -A | openssl sha1

The solution is taken from another forum

https://serverfault.com/questions/775155/getting-sha1-digest-of-ssh-public-key

Don't forget to check all *.pub files. For centos ssh folder is located at /etc/ssh. Similar problem is also on aws (you can see that the sha1 fingeprint is longer - 160bit in comparison with 128bit):

https://serverfault.com/questions/603982/why-does-my-openssh-key-fingerprint-not-match-the-aws-ec2-console-keypair-finger

script to go over all .pub files (modify for your machine):

cd /etc/ssh
for file in *sa_key.pub
do   awk '{print $2}' $file | openssl base64 -d -A | openssl sha1
done
Kvader
  • 11
  • 1