When you connect to a computer via SSH for the first time, you usually see a message stating “The authenticity of the host can’t be established. Are you sure you want to continue connecting?” Even if you blindly answer yes, the message carries a lot of meaning. If you access your workplace computer through SSH just by entering ssh server.workplace.com, you can’t be sure the connection is really between you and your workplace server. A malicious user tampering with your internet connection can mount a man-in-the-middle attack and find out your Linux user account password. By importing the public key of the host you’re connecting to, you can be sure you’re “talking” to the right person.
The SSH host public keys are located at /etc/ssh/ssh_host_dsa_key.pub and /etc/ssh/ssh_host_rsa_key.pub; as the filenames suggest, the first one uses the DSA algorithm and the second one uses the RSA algorithm. DSA is generally considered stronger, so copy the DSA file to any removable media (CD, DVD, pen drive) or email it as an attachment to yourself. At home (or wherever your SSH client computer is), add this public key to the known_hosts file inside the .ssh folder in your home directory.
cat /media/cdrom/ssh_host_dsa_key.pub >> ~/.ssh/known_hosts
Now the public key is appended to the known_hosts file. You still need to specify the host against which this key should be checked. Open the ~/.ssh/known_hosts file and add the hostname and the IP address of the server, separated with a comma, in front of the key, so that the line looks similar to the following:
server.workplace.com,172.16.0.1 ssh-dss AAAAB3NzaC1kc3MAAACBAMEKmebnZTJHcVm29yupJS3+pbnK7YogCmF1DpZS//y2qcSQJ7hcjD6StKPUsi2zQiAEB/F3EZfLx91hVE6IkhVSC82qd1sMRC3vPMzTc3mhMtbBmMVHCnnIn+uXzoXTUSMx+WzGeHbkTWAJ45g01uo2rf050iprWvYx/BY0G+a7AAAAFQDvGSDtp1DEIJtJzTqcAr9I8Bg7ywAAAIEAlwiAlZvHrVePq0QFpTHmL/jdS9x3LkgtuiWX0aKR1aFufCHb+QarcuoGniQyWf7wWUVCpDdPv7nod9nYvK1g4BpkK4Qi44uUZxIS/qYB9G2Rg9+h4kOi2m+PtveHUwTiNuQfLYBEpREjW/81Bb9qN8yeQvxvyXFJ3/PbWQNwYjgAAACAGJINnsnSwN8DlaCyRSOS8JUDV+zCxXhErVtxBPPeSIzlJF0NF39SMAafEdcVK/oZ78XHqoJOi7tnsOMKWteCK7dJNhCYzKekbJO/RbB8Bj76dC5Lvby3mPyYn9i+U5LdzItVRVH2nmaY8V8X+tvtuHsd1ASS3yhEEb+TnXXaRsM=
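As an added example (not part of the original post), the Python below checks a copied host public key file, computes the fingerprints to compare against the ones shown on the server itself, and builds the known_hosts line with the host and IP prefix. It works for any key type; the function names are my own, and the sample key is a constructed ed25519-format placeholder, not a real host key.

```python
import base64
import hashlib
import struct


def parse_pubkey(line):
    """Return (keytype, blob) from an OpenSSH '<keytype> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed key type that must match field 1;
    # a mismatch means the file was truncated, edited or is not a public key.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("declared key type does not match the blob")
    return keytype, blob


def fingerprints(blob):
    """Return (MD5 colon-hex, SHA256 base64) fingerprints of a key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha


def known_hosts_entry(pubkey_line, hostname, ip):
    """Build the 'host,ip keytype base64' line, dropping the key's comment."""
    keytype, blob = parse_pubkey(pubkey_line)
    return f"{hostname},{ip} {keytype} {base64.b64encode(blob).decode()}"


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


# Constructed sample key (not a real host key): ed25519 wire format with
# 32 placeholder bytes standing in for the public key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@server"

if __name__ == "__main__":
    print(known_hosts_entry(SAMPLE_PUB, "server.workplace.com", "172.16.0.1"))
    print(*fingerprints(SAMPLE_BLOB), sep="\n")
```

The MD5 form is the colon-separated style that appears in the warning output further down; compare it with the fingerprint read on the server's own console before trusting the entry.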
Now if you try to connect to the host by typing ssh server.workplace.com you’ll encounter the following message
WARNING: DSA key found for host 172.16.0.1
in /username/.ssh/known_hosts:1
DSA key fingerprint 23:21:43:1d:c6:3d:c3:e0:19:0a:4d:3b:52:db:5a:09.
+--[ DSA 1024]----+
| .oEo== |
| +.Oo+= |
| . B B o |
| . * . |
| . . S |
| . . |
| |
| |
| |
+-----------------+
Host key verification failed.
The authenticity of the host can't be established
but keys of different type are already known for this host.
This is because by default the ssh command only takes RSA as the host key algorithm. To overcome this we have two options. The first one is to specify which algorithm to use in the ssh command itself.
ssh -o HostKeyAlgorithms=ssh-dss server.workplace.com
The second one is to manually add DSA in the ssh_config file so that the ssh command uses DSA from now on.
vi /etc/ssh/ssh_config
and add the line
HostKeyAlgorithms ssh-dss
If you do not have permission to edit the /etc/ssh/ssh_config file, create a file ~/.ssh/config and add the configuration line there.
Now you can be sure you’re connecting to the correct host each time.