IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [ssh-host-key]

The SSH host key is an identifier of a SSH / SFTP server.

The SSH host key is a fingerprint to prove the identity of the SSH / SFTP server you are connecting to.

53 questions
26
votes
5 answers

Are duplicate SSH server host keys a problem?

I'm doing an assessment of a small network that is using a good bit of virtualization. They have cloned some of their linux machines after generating their SSH server host keys. So the servers all have the same host key. I'm certain this is bad, but…
user896117
  • 361
  • 1
  • 3
  • 5
14
votes
2 answers

Why are the gitlab SSH host key fingerprints not matching?

I tried to log into my university's gitlab via SSH. As expected, I was warned that the host is not known. Therefore, I tried to find the SSH host key on the "current configuration" page in the manual. However, I found that the key does not match the…
HerpDerpington
  • 225
  • 2
  • 8
13
votes
1 answer

difference between public key and host key and security of host key

In SSH, what is the difference between host key and public key. Public key I believe that is part of private/public key pair, so, that anything sent by server(encrypted using private) can be decrypted by client using public key and anything sent…
prasun
  • 237
  • 2
  • 8
13
votes
1 answer

What is the actual drawback of "CheckHostIP no"?

What are the actual security implications of setting CheckHostIP no in SSH client configuration? There are some discussions about this (eg. https://askubuntu.com/a/48339) and recommendations to set it to yes for extra security (eg.…
oliver
  • 541
  • 4
  • 10
9
votes
3 answers

In what ways does increasing SSH host key length increase security

I have read on a few guides on "how to secure SSH servers" that it is a good thing to increase ServerKeyBits from the default of 768 to 2048. Most of these guides seem to be for the entry level/novice server admin (which I am) to quickly protect…
user2726974
  • 91
  • 1
  • 3
8
votes
2 answers

Why does a SSH server need a host key-pair?

I know that the client needs a client key-pair for client authentication; Clients sends its public key to the Server for it to encrypt a challenge which will be decrypted by the Client to authenticate the Client. I also know that before…
StevenDaGee
  • 83
  • 1
  • 3
7
votes
3 answers

Is it a bad idea to share the ssh host key in a diskless environment?

I am looking at this cluster of student work stations. They are diskless clients which boot from NFS. They also have sshd enabled. All of these machines share the same ssh host key (rsa,dsa,etc), because they boot from NFS. As NFS is not encrypted,…
user46168
6
votes
2 answers

Does `ssh-keyscan` verify the legitimacy of the host(s) it scans?

There are tutorials on the web, such as this one: https://blog.oddbit.com/post/2019-02-24-docker-build-learns-about-secr/ They show you sample code to run ssh-keyscan in an automated manner so that subsequent automation steps that depend on SSH can…
Kal
  • 247
  • 1
  • 6
6
votes
3 answers

Is there any risk from attempting ssh authentication to a rogue server?

Suppose I'm about to connect to a new (unauthenticated to me) server. I've previously provided my ssh public key to the server owner (who populates it in the appropriate authorized_keys file). The server owner can't securely provide me with the host…
jhfrontz
  • 223
  • 1
  • 5
5
votes
2 answers

Risk in connecting wrong ssh host?

I've a ssh host key login setup in a remote server, for some reason, the DNS of that host is mapped to another server. So assume the mistaken host cannot be trusted, should I change my key?
Ryan
  • 467
  • 1
  • 5
  • 13
5
votes
4 answers

How do I crack an id_rsa encrypted private key with john the ripper?

I am trying to crack a password protected id_rsa, with john the ripper. But it doesn't find the correct password for some reason. I have create a new user and generated a new id_rsa with ssh-keygen (the password used is "password"). pwn@kali:~$ ls…
Olivier Lasne
  • 161
  • 1
  • 1
  • 5
5
votes
0 answers

Why am I getting seemingly random fingerprints back when connecting via SSH/SCP?

I manage an application that connects to various servers using a client-specific keypair. We have around 70 customers; all but one can connect to our FTP server (for SCP) after first accepting the RSA fingerprint (which hasn't changed in ~5…
Andrew
  • 51
  • 1
5
votes
2 answers

MITM during legitimate key/fingerprint change

A key/fingerprint change occurred on a friend's server to which I have access. So I text him and ask, "Did you change the certificates?" upon which he answer "Yes". My initial thought is then to update my local fingerprint, but then it occurred to…
forthrin
  • 1,741
  • 1
  • 13
  • 21
4
votes
1 answer

Looking for SSH key management tricks that apply to a large fleet of machines to reduce the 'trust of first use' attack surface?

If you have too many machines and you are nearly always asked about a host key when you connect, it leaves an opening that the first time you connect to a machine it's a security threat, but anytime after that it is not and you need to pay attention…
leeand00
  • 1,297
  • 1
  • 13
  • 21
4
votes
2 answers

Security benefit of hardware backed host keys for OpenSSH

There was recently a "two for the price of one" deal on the Yubikey 4 and now I have too many of them. This got me thinking about things to do with them, more or less useful. Of course I already use the smart card features to secure my SSH CA and my…
Peter
  • 429
  • 3
  • 15
1
2 3 4