golang/crypto: DSS key no longer works - go

I'm using an SFTP with my service to download some files which are integral to our functionality.
After this commit to the golang/x/crypto packgae, my key no longer works.
Considering the commit message, ssh: reject unsupported DSA key sizes, it would seem that the key now breaks that new validation. However, the error I get is ssh: no key found.
The key is read from $ ssh-keyscan euftp.morningstar.com, so I'm puzzled if it's not valid.
This is the public DSS / DSA key I'm using:
euftp.morningstar.com ssh-dss AAAAB3NzaC1kc3MAAAEBAJgHdansQ87KIX8tEj8U0tEIUpU0UJ98V/A8hF+Fv/F2zX7yq7zOQrg+RKd2M4OJPaYZ+KVF4o5XmGe3cGNggBZTUaIhYIVhjRw4EAjyf/CmLDso1sWy48GUXoapBVbzMxVzs4xkeHN4UJgsHvANKo5PFIC/A4hNPy9AxbqlS2h4pg3/Ritzz70y0wP6f6y3h60MK87UEayGms6FbdYmGf/DGXljRsVrEBZYyrEj7oPEUpH07y2+XeYRpyeG+2llstMRF6xuaq088zLT//q3cv+jprTNT9T+iVI2Q2diy69DQeOO8mp2YZgTrGP9t048W7/Ps1zEEL1uj/dWS3XG6McAAAAVAIQP+o3wCWe+twgSY3Qk0SIvH1ndAAABAHwQNTLdSr0HDhBnVi3EPx1+PdKeHGt5L+jauZO3pq/8Ja4vNX26sraeEWjeLbW5ipEzkXlvX3VG+PCOs6XtNI6HojC3T0lulwLqEH5jBtAAyAuP2Ec3lYw9PldGGzsSx7gW6BaUKVqQnQW+27Kxtcyh1ti80dz/jI1//iapV5HAyrOjeHKjSdrsSeJ6VJ6eTDWDDcpChzhhdp9L66C90emv6rNNjwO/YVzUaNgaISgnCVnoQoHNj23rc8ihumMcDoNmh+u4xXcfS3HLGaNByS4GwMGMDR5KYFK2CbL5BLUW7HPTSTORvhsU+28rkeOsQCfZiReRC8re8Hwep5qNrkkAAAEACCrGotD2kLVfEbEpFrvqvzVkAolBet11rrPBxOS+UvL1UK5nsO4i179iSrFrl9DH9D1U4qVjGmKZxhPPtWRLSf/8h7bCYzcgdmK+U7o6XbUoHGnvW7pGktrMXSlGkF37Rk4OV9zTmUDb/kPxqGAl1BxNXcU7XDCSoZLXzPMyzTT+ezgfaSzGMWZTXKJFXHNffo8e8h+DijQiLOhVUU8RYbAh0C7dZgu4l9+lgO+yX711IFixoeuf8ahET90/IogLnMsQevsrzQzb6aXXe2daIDIHxPWJ1m+erxCHKZoCWAQeG5MSMjvSQup70WGiDa/6AXEldlcFf96Y8npLiO9Y4A==
Regardless of what the core issue is (although I really want to know), I'm in dire need of a solution. How can I create SSH connections again for this key?

Related

How to actually connect to my vps via Chromebook

I've been trying for a while now to connect to my Digital Ocean VPS via my Chromebook. This is for development when away from my desktop.
I'd prefer to use mosh so I've tried downloading mosh and using it. Then I try using Secure Shell and that's beyond me.
Here's a few pictures to show the problems I'm having:
I also insert my rsa private key into the 'add ssh key' popup.
But then I get the problem seen above? I dont have a passphrase but if I hit enter I get an error:
ssh authentication failed: Access denied. Authentication that can continue: publickey
SSH Login failed.
Mosh has exited.
Press "x" to close the window.
Now I'm sure there's an easy way to do this but after working through a heap of how-to pages I still can't get anywhere.
Any help would be amazing.
The error is explaining the problem, it want's your public key, not your private key.
ssh authentication failed: Access denied. Authentication that can continue: publickey
You're only ever supposed to give your remote hosts your public RSA key.
So the problem was that I was using my private key generated through PuttyGen on Windows. I needed to export this in a linux format before I could use it. After that I just did what I recorded above and it worked.
If anyone is keen on learning how to do this and are beginners to the whole thing like me then I'm going to be putting a guide up on my website: finbarmaunsell.com

How to manually generate the fingerprint of PuTTY's cached host keys?

I'm currently working on a wrapper app for PuTTY and trying to find a way how to store the host keys inside my app, as I want it to be portable.
The basic idea: By using plink and prepending echo y | I would force to store the host key in the registry (\Software\SimonTatham\PuTTY\SshHostKeys), read the key and then compute the fingerprint. Then I would store the fingerprint in my app's configuration and undo the changes in the registry. However, I don't know how to compute the fingerprint.
Example:
Connecting with plink gives me this host key fingerprint:
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 256 6e:3e:71:4f:b9:41:e6:09:cf:e1:b8:f4:bd:5a:9e:9b
...
Store key in cache? (y/n)
Choosing "y" will create this registry key:
ssh-ed25519#22:192.168.0.100 0x6e05d2e71d8c86744d27c19ffb96854576cc41c66334d04e93f491023ce42b53,0x1cc99868f5709847f5b0fc1af5d1582b58bed02bc44b73db150cbe0dc09c9c60
What to do with these 2 hex strings to get the fingerprint?

Can't understand ssh system in Heroku

I can't get the system of managing ssh keys.
I want to push application to Heroku, so I tried to push but get error.Here is my log
$ git push heroku master
! Your key with fingerprint bf:f6:ed:14:9d:cd:52:a2:a3:16:b2:e9:b4:f2:bf:ba is not authorized to access warm-samurai-6574.
fatal: The remote end hung up unexpectedly
User#PK /e/examples (master)
$ heroku keys:add
Found existing public key: C:/Users/User/.ssh/id_rsa.pub
Uploading SSH public key C:/Users/User/.ssh/id_rsa.pub
!This key is already in use by another account. Each account must have a unique key.
User#PK /e/examples (master)
$ heroku keys
=== 1 key for denys.medynskyi#gmail.com
ssh-rsa AAAAB3NzaC...etyxYh4Q== User#PK
Every account has own ssh key. So I can push from any computer, because ssh key is pushing to heroku ?
Every application on heroku should have own ssh key or not ?
Basically, your computer has an SSH key. However, the SSH key on it is associated with another Heroku account (different from the one you are using now). Your best bet would be to generate a brand new SSH key and add it to Heroku.
Just make a new SSH key on your machine and upload it to Heroku:
$ ssh-keygen
Make sure to save it as '/Users/User/.ssh/new_id_rsa.pub' when the prompt asks you.
$ heroku keys:add /Users/User/.ssh/new_id_rsa.pub
This should allow you to use Heroku.
As for your other questions: you can push to Heroku from any computer as long as you add the computer's SSH keys through heroku keys:add. And no, every application does not need to have it's own SSH key.
Your computer has an SSH key, but that SSH key is associated with another Heroku account. If you need to use both accounts for different applications on the same computer you should make a new SSH key on your machine and upload it to Heroku:
$ ssh-keygen
Make sure to save it as '/Users/User/.ssh/new_id_rsa.pub' when the prompt asks you.
$ heroku keys:add /Users/User/.ssh/new_id_rsa.pub
You then need to add another host to your ~/.ssh/config:
Host heroku-alt
HostName heroku.com
IdentityFile ~/.ssh/new_id_rsa
And then update the .git/config in your project to use the host alias:
[remote "heroku"]
url = git#heroku-alt:myapp.git
fetch = +refs/heads/*:refs/remotes/heroku/*
By choosing between heroku and heroku-alt in the remote of the .git/config files of specific projects you can manage which projects use which credentials.
Heroku requires an SSH key to be unique to an account. Two accounts cannot have the same ssh key.
You can do ONE of these to solve your issue:
Unlink the ssh key from the other heroku account. Chances are you are not using that account. This is path of least resistance.
Delete the existing keys. Generate a new ssh public/private key pair. Advantage is you will retain the default name for keys and thus it will be automatically found by any application you use.
Generate a new ssh public/private key pair and save it alongside your existing keys. The disadvantage is, these two keys will have a custom name. If you end up using these keys often, you will need to locally set configure ssh to use these instead of the default id_rsa. This does require some work and might get involved.
Which you choose really depends on you.
If you choose the third option, refer this answer https://superuser.com/a/272613/25665 for how to configure ssh locally to always use the new keys for heroku. In case you are wondering why bother with this, well, you will be interacting with heroku by pushing to a git repository. That requires you to be authenticated using ssh. By default it will use the older keys and you wont be able to push. Its just easier to instead tell ssh to use the alternate key when interacting with warm-samurai-6574.heroku.com
The following link has instructions on creating a new key. You will need to either accept the default names or give custom ones depending on which option you chose.
https://devcenter.heroku.com/articles/keys
Can you push from any computer?
Again, it depends. If the computer has your ssh keys and its configured to use your keys for the heroku domain, then yes. You can instead choose to not copy your keys there and simply add the ssh keys present there to your heroku account.
Does each app require a unique key?
No. You can have multiple apps under one heroku account. They all will share the keys you upload to your heroku account.
Let me see if I understand this correctly.
Most of the replies are agree on that the ssh keys we are using for git identifies the computer, because the suggestion they made is to regenerate the key on the other computer and upload it to Heroku.
From my point of view the SSH key should identify me as a developer of the app, and this is what creates the confusion. This means I have to bring my private and public keys with me and use it on any computer I use which can be accomplished with a pendrive or something similar.
So my suggestion is: copy your public and private keys with you, put them in the computer you want to use for pushing to Heroku and protect your private key with a password.

PuTTY Security Alert - What does key fingerprint mean?

I have another question to security in the web world.
So I read (and ask :P) about certificates and think I got what it is and how it works. My next question is putty specific. When I open a connection with putty to a new server with ssh (port: 22) I get a PuTTY Security Alert:
The server's host key is not chacked in the registry. You have to guarantee that the server is the computer you think it is.
The server's xxxx key fingerprint is:
yyyyyyyyyyyyyyyyyyyyyyyyyyy
If you trust this host, hit Yes... etc.
Now I am wondering what a key fingerprint means.
Is that just a certificate which putty hasn't in is cache yet?
thanks.
SCBoy
Those are the first bytes of the server certificate public key. The idea is that the key is a random number, so the first bytes are random too and therefore knowing that those first bytes are the same for two keys would likely mean that the keys are actually the same.
You can use this to validate the server. You could for example call the administrator of that server and ask him for the fingerprint of the key to validate that it's indeed the key of that server, not some man-in-the-middle server belonging to a malicious party.

Automating terminal login with DSA key

How would I go about doing this on the terminal?
sftp then asks me for a password. how do I include my DSA key so that I do not have to use the password?
As sftp uses SSH protocol for communication, you may generate private/public key pair using ssh-keygen (read everything their!). Then read this HOWTO about how to transfer your key to remote server. If you need more, read more detailed description of OpenSSH Public Key Authentication.
If you setup your key correctly, and remove SSH server is configured to use key authentication, you will be granted the access without additional password.
If you have ssh-agent running, holding the key to the site, it will handle authentication for you.

Resources