Trying to ssh into one server from two different networks results in two different RSA fingerprints

1

An attempt to connect to the remote server effingham.dreamhost.com via ssh from my company's network resulted in ssh giving an error about an RSA fingerprint mismatch, so I investigated and found that if I connected to the server via my mobile's carrier network everything went fine.

Following is the correct effingham.dreamhost.com RSA fingerprint as reported by Dreamhost.

[Image: the correct effingham fingerprint as reported by Dreamhost]

Indeed, connecting to the server using my mobile's carrier network, the keys match.

# ssh -o FingerprintHash=md5 effingham.dreamhost.com
The authenticity of host 'effingham.dreamhost.com (208.113.186.1)' can't be established.
RSA key fingerprint is MD5:90:8e:91:ac:f5:8c:9b:31:0c:5e:5e:8c:9c:b7:12:72.
Are you sure you want to continue connecting (yes/no)?

However, if I switch to my company's network, even though the IP address is the same as in the previous example, the keys don't match.

# ssh -o FingerprintHash=md5 effingham.dreamhost.com
The authenticity of host 'effingham.dreamhost.com (208.113.186.1)' can't be established.
RSA key fingerprint is MD5:fb:58:8d:e7:47:b6:b4:32:79:b9:da:12:87:23:33:cc.
Are you sure you want to continue connecting (yes/no)?

I'm ignorant of what might be going on here. It's my understanding that it cannot be DNS hijacking, as it requires the IP addresses to be different. Is that correct? If so, what could be the cause of this behaviour, and should I be worried someone might be eavesdropping on the connection, or anything similar to that?

Fabio A.

Posted 2016-03-23T09:16:57.397

Reputation: 149

1 Does your company use a transparent proxy for other protocols, for example HTTPS? Could they be redirecting requests to an interception server at the firewall? – Silas Parker – 2016-03-23T11:22:09.863

They do have rules that block certain traffic going out, which is one of the reasons I was trying to use my dreamhost account as a proxy. I was expecting port 22 on external servers to be blocked, though, not transparently redirected to who-knows-where.

So you say it's possible their firewall is hijacking the connection to another ssh server? Incidentally, I can only log in with password authentication, no shared keys, whilst I can use shared keys with the original server. – Fabio A. – 2016-03-23T13:32:18.253

I tried connecting anyway, and ssh responded with PTY allocation request failed on channel 0. It definitely looks fishy. – Fabio A. – 2016-03-23T13:40:11.413

Answers

1

I suspect your company is redirecting outgoing port 22 TCP connections to a dummy SSH server. It'll probably log the IP making the connection so IT knows who tried to make the request.

As traffic passes through a gateway or firewall device, connections can be blocked or redirected.

You could try reconfiguring your server to run on a higher-numbered port (e.g. 22222) as that may not be blocked, but it would probably be best to just ask your IT to allow SSH for you.

Silas Parker

Posted 2016-03-23T09:16:57.397

Reputation: 136
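
The comparison made by eye in the question (the fingerprint ssh prints on each network against the one the provider publishes) can be scripted. The following is an added example, not part of the original posts: the host name `server.example`, the key material and the helper names are constructed for illustration, and in practice each key line would come from running `ssh-keyscan -t rsa <host>` on the network being checked.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def parse_key_line(line: str):
    """Parse a 'host keytype base64' line as printed by ssh-keyscan."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    # The blob starts with its own copy of the key type; reject mismatches.
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match key blob")
    return host, keytype, blob

def fingerprints(blob: bytes):
    """Return (MD5, SHA256) fingerprints in the format ssh prints."""
    hexd = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    md5 = "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))
    digest = hashlib.sha256(blob).digest()
    sha256 = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return md5, sha256

def matches_published(line: str, published: str) -> bool:
    """True if the offered key hashes to the published fingerprint."""
    _, _, blob = parse_key_line(line)
    md5, sha256 = fingerprints(blob)
    published = published.strip()
    if published.startswith("SHA256:"):
        return published == sha256
    # Older pages publish bare colon-hex MD5 without the "MD5:" prefix.
    return published.lower().removeprefix("md5:") == md5[4:]

def make_line(host: str, modulus: bytes) -> str:
    """Build a constructed (not real) ssh-rsa key line for the demo."""
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

# Constructed sample data: the same host as seen from two networks.
MOBILE = make_line("server.example", b"\x00" + bytes(range(1, 129)))
OFFICE = make_line("server.example", b"\x00" + bytes(range(128, 256)))
PUBLISHED = fingerprints(parse_key_line(MOBILE)[2])[0]  # stands in for the provider's page

for name, line in (("mobile", MOBILE), ("office", OFFICE)):
    print(name, fingerprints(parse_key_line(line)[2])[0], matches_published(line, PUBLISHED))
```

A key that fails this check on one network only, while the resolved IP address is unchanged, means something on that network path is answering in place of the real server.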