can not update known_hosts
can not update known_hosts - Aug. 6, '05, 10:08:56 AM
mhovers
Posts: 51
Joined: Oct. 15, '02,
Status: offline
I have a new installation of SFU 3.5 on an IBM laptop running XP Pro. I am logging in from home, which is not on the Windows domain specified for the computer. When I run ssh -l username outsidemachine, there is a long pause followed by:
The authenticity of host 'shanix.lbl.gov (128.3.15.25)' can't be established.
RSA key fingerprint is 7e:5c:50:0b:6f:33:82:6e:2d:11:7b:15:e0:1b:4e:5d.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/.ssh/known_hosts).
I own .ssh and known_hosts and have the protections wide open.
What do I have to do to get known_hosts updated??
thanks
RE: can not update known_hosts - Aug. 6, '05, 10:59:17 AM
Rodney
Posts: 3696
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
> I own .ssh and known_hosts and have the protections wide open.
If the file and/or directory permissions are "wide open" then this is why
the update will not happen. Permissive permissions create a situation where another
(malicious) user can add to your files. This creates a Trojan Horse situation.
The RSA key fingerprint is server related. So if the server regenerates its keys
then you will get an alert when you try to connect because there is not a match with
the older fingerprint. So the question would then become: has the server admin actually
regenerated the keys, or is your communication to the server being redirected to
a new "evil" server that may be a password gatherer (as an example). If the client
side files can be changed to suppress this alert then you're nailed -- the bad guys win.
The "safest" thing is to remove the ~/.ssh directory and content and let ssh
build it up again. This is assuming that a correct home directory exists for the user in
the user database (i.e. A.D.) as I must always state :-)
Otherwise, the ~/.ssh directory should be mode 700 (rwx------) and the known_hosts
file therein be mode 644 (rw-r--r--). You should also check permissions for any other files in
this directory too.
< Message edited by Rodney -- Aug. 6, '05, 11:01:00 AM >
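As an added illustration of the permission rules Rodney lays out above (this is example code written for this page, not code from the thread or shipped with SFU; the function names and the directory it is pointed at are assumptions), here is a POSIX shell check that reports any mode under ~/.ssh that would let another local user plant or alter a recorded host key:

```shell
#!/bin/sh
# Added example (not from the thread): check a .ssh directory against the
# modes Rodney prescribes, directory 700 and known_hosts 644, and report
# anything that would let another local user insert a host key.

# mode_of PATH: print the nine-character permission string (e.g. rwx------).
# ls -ld output is parsed because stat(1) formats differ between systems.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# group_or_world_writable MODE: succeed if the group write bit (char 5) or
# the other write bit (char 8) is set in a string produced by mode_of.
group_or_world_writable() {
    [ "$(printf '%s' "$1" | cut -c5)" = w ] ||
    [ "$(printf '%s' "$1" | cut -c8)" = w ]
}

# check_ssh_dir DIR: print findings; return 0 if DIR matches Rodney's advice,
# 1 if some mode is wrong, 2 if DIR does not exist at all.
check_ssh_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: does not exist (ssh must be able to create it under the real home)"
        return 2
    fi
    dmode=$(mode_of "$dir")
    case "$dmode" in
        rwx------) ;;
        *)  echo "$dir: mode $dmode, expected rwx------ (chmod 700 \"$dir\")"
            rc=1 ;;
    esac
    # known_hosts is where a new server key gets recorded; if anyone else can
    # write it they can pre-seed the key of an impostor server.
    kh=$dir/known_hosts
    if [ -e "$kh" ]; then
        fmode=$(mode_of "$kh")
        if group_or_world_writable "$fmode"; then
            echo "$kh: mode $fmode is group/world writable (chmod 644 \"$kh\")"
            rc=1
        fi
    fi
    # The same rule applies to everything else in the directory.
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: the glob stays literal
        [ "$f" = "$kh" ] && continue
        if group_or_world_writable "$(mode_of "$f")"; then
            echo "$f: mode $(mode_of "$f") is group/world writable"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_ssh_dir "$HOME/.ssh"
```

The check deliberately compares the directory against exactly 700 and only flags group/world write on the files, which is the distinction Rodney draws: the directory must be private, while known_hosts may be readable by others but never writable by them.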
RE: can not update known_hosts - Aug. 6, '05, 6:54:32 PM
mhovers
Posts: 51
Joined: Oct. 15, '02,
Status: offline
|
I removed the .ssh dir and did an ssh to the remote system. The same error message followed and no known_hosts was created. I then created a .ssh dir and did "chmod 700 .ssh", and created a blank known_hosts and did "chmod 644 known_hosts"; still the same error message.
So maybe "a correct home directory" does not exist? I'm not sure what you meant by: "This is assuming that a correct home directory exists for the user in the user database (i.e. A.D.) as I must always state :-) "
What user database do I need to check?
My home directory on my system exists and all other references to it seem to work fine.
Thanks,
RE: can not update known_hosts - Aug. 6, '05, 7:36:20 PM
Rodney
Posts: 3696
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
> I'm not sure what you meant by:
People come along later (even months later) and read many of the topics.
It's sometimes easier to add these comments now than later :-)
Anyway, even if you have the env var HOME set and you are in a directory, it
may not be your home directory as listed in the user database. When you run
the "finger -l" (small ell) command your home directory will be listed
as it is in the user database. If one is not set in the user database then the
default (as with all Unix systems) is "/" which the regular user should not have
permission to start making directories under. And thus you won't be able to create
a ~/.ssh/known_hosts file.
> What user database do I need to check?
On a standalone XP machine it'll be the "Computer Management" GUI to manage the
local/machine's user database.
> My home directory on my system exists and all other references to it seem to work fine.
err, not based on the information provided. A number of utilities work based on HOME because
of history (such as ftp) and continue to do so for backward compatibility. But for programs
needing security the user database can only be spoofed by someone who has gained the right high
privileges, while spoofing HOME is an old & easy trick.
Just as an aside to address a point in the first message:
Anyway, the long pause at the beginning is pretty normal. The whole SSL connection
is getting established and the overhead time because of the speed+distance means
it'll take a little longer than usual; enough that you notice. So there's no worry there.
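To make the HOME-versus-user-database distinction Rodney draws concrete, here is an added example (written for this page, not code from the thread or from SFU; the function names and the "diagnose" wording are assumptions). Instead of parsing "finger -l" it uses the shell's ~user expansion, which also asks the user database rather than the environment, so it runs on any POSIX sh. Note that the error in the first post, "/.ssh/known_hosts", already shows a database home of "/":

```shell
#!/bin/sh
# Added example (not from the thread): show the difference between $HOME and
# the home directory recorded in the user database, and where ssh will
# therefore try to write known_hosts. Tilde expansion of ~user consults the
# user database (the passwd database, or on SFU the Windows account store
# that "finger -l" reports from), whereas a bare ~ or $HOME is whatever the
# environment says and is trivially spoofed.

# db_home USER: print USER's home directory from the user database, or fail
# if USER is not known. The name is validated before eval because the shell
# would otherwise execute anything smuggled into it.
db_home() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    h=$(eval "printf '%s\n' ~$1")
    case "$h" in
        '~'*) return 1 ;;      # unknown user: the shell leaves ~name unexpanded
    esac
    printf '%s\n' "$h"
}

# home_is_usable DIR: succeed if DIR is somewhere a regular user could create
# .ssh, i.e. it is not "/" (the default when the database has no entry).
home_is_usable() {
    [ "$1" != / ]
}

# diagnose USER ENV_HOME: compare ENV_HOME (the caller's $HOME) with the
# database entry and print where ssh will put known_hosts. Returns 0 when
# the database home is usable, 1 otherwise.
diagnose() {
    user=$1
    env_home=$2
    if ! db=$(db_home "$user"); then
        echo "$user: no entry in the user database"
        return 1
    fi
    if [ "$env_home" != "$db" ]; then
        echo "HOME=$env_home but the user database says $db; ssh follows the database"
    fi
    if ! home_is_usable "$db"; then
        echo "database home is /; a regular user cannot create /.ssh, so known_hosts cannot be written"
        return 1
    fi
    echo "ssh will record host keys in $db/.ssh/known_hosts"
    return 0
}

# Usage: diagnose "$(id -un)" "$HOME"
```

If diagnose reports a database home of "/", fixing $HOME or creating directories by hand will not help; the account's home directory has to be set in the user database, which is the fix Rodney gives at the end of the thread.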
RE: can not update known_hosts - Aug. 6, '05, 7:43:47 PM
mhovers
Posts: 51
Joined: Oct. 15, '02,
Status: offline
|
So if finger -l shows that / is my home dir, and I have administrator privileges on this system, what do I have to do to allow ssh to create and/or fill known_hosts?
RE: can not update known_hosts - Aug. 6, '05, 8:35:35 PM
Rodney
Posts: 3696
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
> what do I have to do
Give the user (even if it is the administrator) a home directory.
Refer to the FAQ for more info on creating a home directory.