Kitz ADSL Broadband Information

Topic: ssh Keys

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
ssh Keys
« on: February 01, 2018, 02:51:28 PM »

If you have some up-to-date-ish Linux Live CDs, could you look in /etc/ssh/ to see if there are pre-installed ssh keys in there, please?

I have noticed on PCLinuxOS live CDs there are about 10 or 11 :o then they get transferred over when you do an install to the hard drive.
Just wonder why they are there.
I have a set of 6 fixed IP's From  Eclipse  isp.BT ADSL2(G992.3) line>HG612 as a Modem, Bridge, WAN Not Bound to LAN1 or 2 + Also have FTTP (G.984) No One isp Fixed IP >Dual WAN pfSense (Hardware Firewall and routing).> Two WAN's, Ethernet LAN, DMZ LAN, Zyxel GS1100-24 Switch.

petef

  • Reg Member
  • ***
  • Posts: 135
Re: ssh Keys
« Reply #1 on: February 01, 2018, 08:17:32 PM »

Nothing there on my recently installed Arch Linux, nor on the live CD.

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Re: ssh Keys
« Reply #2 on: February 02, 2018, 02:53:03 PM »

Interesting, I will see if I get any more replies before I decide to remove them or not.

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43467
  • Penguins CAN fly
    • DSLstats
Re: ssh Keys
« Reply #3 on: February 02, 2018, 04:20:22 PM »

I don't know about live CDs, but Debian doesn't install any SSH keys by default.
  Eric

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: ssh Keys
« Reply #4 on: February 02, 2018, 05:26:01 PM »

I can't help with your original query but make a suggestion that you move them from the directory and then see if any protocol or utility fails to operate?
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Re: ssh Keys
« Reply #5 on: February 02, 2018, 05:42:40 PM »

@ roseway it seems odd they are on the live CD, I did not get a very good response when I suggested the developer had forgotten to remove them or was it a backdoor. :blush:

@ Mr cat yes, good idea, I will park them in a dead end directory and run a few tests.

22over7

  • Reg Member
  • ***
  • Posts: 101
Re: ssh Keys
« Reply #6 on: February 02, 2018, 07:28:13 PM »

I think you might find that if/when you ssh into the machine, there will be some palaver about whether you're quite sure you really want to login there. Aren't the keys there to identify the machine?

I'm not sure when they get set up, but I'm pretty sure it shouldn't be when you install the operating system off an iso. Maybe when/if you install an ssh server, or first try to ssh in.

petef

  • Reg Member
  • ***
  • Posts: 135
Re: ssh Keys
« Reply #7 on: February 04, 2018, 02:07:37 PM »

@tickmike what keys are present? Public or private? Passphrase protected? What pathnames?

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Re: ssh Keys
« Reply #8 on: February 06, 2018, 02:25:33 PM »

Yes possibly to identify the machine.

All below have their 'Private' pair

ssh_host_rsa_key.pub
ssh_host_ed25519_key.pub
ssh_host_ecdsa_key.pub
ssh_host_dsa_key.pub
ssh_host_key.pub

Also
moduli
ssh_config
sshd_config

petef

  • Reg Member
  • ***
  • Posts: 135
Re: ssh Keys
« Reply #9 on: February 06, 2018, 07:31:05 PM »

Those files are generated during installation of an ssh server. If you have installed that yourself and the dates look okay then all is fine. If the files came from the install medium you would do well to regenerate them.

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Re: ssh Host Keys
« Reply #10 on: February 06, 2018, 09:12:23 PM »

The dates all seem to be about 2012 ???
This is an 11/2017 ISO burnt Live CD!

Just looking on the Live CD and they are the same dates :o they would be as they came from the same Live CD, so all the machines I have loaded this distro on all have the identical ssh ident files, great, no wonder I am having lots of connection problems. Thanks PCLinuxOS.

« Last Edit: February 06, 2018, 09:29:02 PM by tickmike »

petef

  • Reg Member
  • ***
  • Posts: 135
Re: ssh Keys
« Reply #11 on: February 06, 2018, 11:35:53 PM »

https://www.ssh.com/ssh/host-key
HOST KEYS SHOULD BE UNIQUE
Each host (i.e., computer) should have a unique host key. Sharing host keys is strongly not recommended, and can result in vulnerability to man-in-the-middle attacks.


@tickmike you should regenerate the keys on the hosts on which you have installed PCLinuxOS. Then submit a security bug report to them.

That is assuming you are using an official PCLinuxOS release. One characteristic of that distro is that it is easy to produce your own Live ISOs.
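A check for the problem discussed in this thread, as an added example that is not from any of the posters or from PCLinuxOS: it groups hosts by host-key fingerprint so that machines installed from one image with the same keys stand out. The addresses, key bytes and function names are constructed for illustration; the input format is that of `ssh-keyscan` output.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def make_blob(key_type, key_bytes):
    """Constructed stand-in for a public host key: SSH wire format, base64."""
    name = key_type.encode()
    raw = struct.pack(">I", len(name)) + name
    raw += struct.pack(">I", len(key_bytes)) + key_bytes
    return base64.b64encode(raw).decode()


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(scan_text):
    """Return {(key type, fingerprint): [hosts]} for keys seen on 2+ hosts."""
    hosts_by_key = defaultdict(set)
    for line in scan_text.splitlines():
        fields = line.split()
        # Skip blanks, '#' banner comments and malformed lines.
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        host, key_type, blob = fields[:3]
        try:
            hosts_by_key[(key_type, fingerprint(blob))].add(host)
        except ValueError:  # blob is not valid base64
            continue
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}


# Constructed sample in `ssh-keyscan` output format (host, key type, blob).
# Addresses are documentation-range placeholders; key bytes are fake.
IMAGE_KEY = make_blob("ssh-ed25519", bytes(range(32)))      # baked into the image
FRESH_KEY = make_blob("ssh-ed25519", bytes(range(32, 64)))  # generated on the host
SAMPLE_SCAN = "\n".join([
    "# 192.0.2.10:22 SSH-2.0-OpenSSH_7.5",
    f"192.0.2.10 ssh-ed25519 {IMAGE_KEY}",
    f"192.0.2.11 ssh-ed25519 {IMAGE_KEY}",
    f"192.0.2.12 ssh-ed25519 {IMAGE_KEY}",
    f"192.0.2.20 ssh-ed25519 {FRESH_KEY}",
])

if __name__ == "__main__":
    for (key_type, fp), hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{key_type} {fp} shared by: {', '.join(hosts)}")
```

Run it over `ssh-keyscan` output collected from your own machines; every group it reports is a set of hosts whose keys should be regenerated.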

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Re: ssh Keys
« Reply #12 on: February 07, 2018, 10:57:33 AM »

Thanks, I spent some time last night re-doing the keys for 3 machines and more to do. I first removed the old keys, then I used 'ssh-keygen' to generate new keys, gave them the correct names and set the correct permissions.
Removed the old idents in 'known-hosts'.

I will send another 'security bug report to them' again. (See my comment in a post 5 above).

petef

  • Reg Member
  • ***
  • Posts: 135
Re: ssh Keys
« Reply #13 on: February 07, 2018, 01:37:03 PM »

Quote from tickmike: "I will send another 'security bug report to them' again. (See my comment in a post 5 above)."

It is not a backdoor and the risk of an exploit is very low. It would affect a client which logged into one of your afflicted servers. A MITM attack would first need to get onto your network and spoof the server. When ssh is properly configured the client would notice that the server had changed because of its key signature. This PCLinuxOS bug breaks that safeguard.

The bug itself is not severe but it indicates a sloppy attitude to security. I would wonder what else might be awry.

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Re: ssh Keys
« Reply #14 on: February 07, 2018, 02:19:35 PM »

Thanks, do you work on networks?

Do you know if there is a way to re-generate the 'ssh-config' and 'sshd-config' files?

Is it worth re-generating the 'SSH moduli' file? https://entropux.net/article/openssh-moduli/