How to manually generate the fingerprint of PuTTY's cached host keys? - putty

I'm currently working on a wrapper app for PuTTY and trying to find a way to store the host keys inside my app, as I want it to be portable.
The basic idea: By using plink and prepending echo y | I would force it to store the host key in the registry (\Software\SimonTatham\PuTTY\SshHostKeys), read the key and then compute the fingerprint. Then I would store the fingerprint in my app's configuration and undo the changes in the registry. However, I don't know how to compute the fingerprint.
Example:
Connecting with plink gives me this host key fingerprint:
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 256 6e:3e:71:4f:b9:41:e6:09:cf:e1:b8:f4:bd:5a:9e:9b
...
Store key in cache? (y/n)
Choosing "y" will create this registry key:
ssh-ed25519#22:192.168.0.100 0x6e05d2e71d8c86744d27c19ffb96854576cc41c66334d04e93f491023ce42b53,0x1cc99868f5709847f5b0fc1af5d1582b58bed02bc44b73db150cbe0dc09c9c60
What to do with these 2 hex strings to get the fingerprint?
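As an added worked example (not part of the question or of any answer on this page), the script below rebuilds the SSH wire-format public key from the two hex strings and hashes it. It assumes, from reading PuTTY's source rather than from anything stated above, that PuTTY caches an ssh-ed25519 key as `0x<x>,0x<y>` (the affine coordinates of the public point), an ssh-rsa key as `0x<e>,0x<n>`, and an ECDSA key as the coordinates optionally preceded by the curve name. The fingerprint PuTTY prints is the MD5 of the RFC 4253 public-key blob, shown colon-separated; the SHA256 form that newer PuTTY and OpenSSH print is computed alongside it. The registry name and value are copied from the question; if the assumed layout is right, the MD5 line should reproduce the 6e:3e:71:... value the question shows.

```python
import base64
import hashlib
from typing import Dict, Tuple

# Copied from the question: the value name and data PuTTY writes under
# HKCU\Software\SimonTatham\PuTTY\SshHostKeys once the key is cached.
CACHED_NAME = "ssh-ed25519#22:192.168.0.100"
CACHED_VALUE = ("0x6e05d2e71d8c86744d27c19ffb96854576cc41c66334d04e93f491023ce42b53,"
                "0x1cc99868f5709847f5b0fc1af5d1582b58bed02bc44b73db150cbe0dc09c9c60")


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: big-endian, minimal length,
    with a leading 0x00 when the top bit is set so the value stays positive."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def encode_ed25519_point(x: int, y: int) -> bytes:
    """RFC 8032 point compression: y as 32 little-endian bytes, with the
    parity (lowest bit) of x stored in the top bit of the last byte."""
    enc = bytearray(y.to_bytes(32, "little"))
    if x & 1:
        enc[31] |= 0x80
    return bytes(enc)


def parse_cache_name(name: str) -> Tuple[str, int, str]:
    """'ssh-ed25519#22:192.168.0.100' -> ('ssh-ed25519', 22, '192.168.0.100')."""
    keytype, _, rest = name.partition("#")
    port, _, host = rest.partition(":")
    return keytype, int(port), host


def public_key_blob(keytype: str, cached_value: str) -> bytes:
    """Rebuild the RFC 4253 public-key blob from PuTTY's cache string.
    Assumed cache layouts (from PuTTY's source, not from the question):
      ssh-ed25519:        '0x<x>,0x<y>'
      ssh-rsa:            '0x<e>,0x<n>'
      ecdsa-sha2-nistpN:  '[nistpN,]0x<x>,0x<y>'
    """
    parts = cached_value.split(",")
    a, b = (int(h, 16) for h in parts[-2:])
    if keytype == "ssh-ed25519":
        return ssh_string(b"ssh-ed25519") + ssh_string(encode_ed25519_point(a, b))
    if keytype == "ssh-rsa":
        return ssh_string(b"ssh-rsa") + ssh_mpint(a) + ssh_mpint(b)
    if keytype.startswith("ecdsa-sha2-nistp"):
        curve = keytype[len("ecdsa-sha2-"):]
        coord_len = {"nistp256": 32, "nistp384": 48, "nistp521": 66}[curve]
        # RFC 5656: uncompressed SEC1 point, 0x04 || X || Y
        point = b"\x04" + a.to_bytes(coord_len, "big") + b.to_bytes(coord_len, "big")
        return ssh_string(keytype.encode()) + ssh_string(curve.encode()) + ssh_string(point)
    raise ValueError(f"unsupported key type {keytype!r}")


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5, the format PuTTY shows in its host key prompt."""
    return ":".join(f"{byte:02x}" for byte in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """'SHA256:<base64 without padding>', the format newer PuTTY/OpenSSH show."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints_from_cache(name: str, value: str) -> Dict[str, object]:
    """Turn one registry (name, value) pair into both fingerprint forms."""
    keytype, port, host = parse_cache_name(name)
    blob = public_key_blob(keytype, value)
    return {"host": host, "port": port, "type": keytype,
            "md5": md5_fingerprint(blob), "sha256": sha256_fingerprint(blob)}


if __name__ == "__main__":
    fp = fingerprints_from_cache(CACHED_NAME, CACHED_VALUE)
    print(f"{fp['type']} {fp['host']}:{fp['port']}")
    print("MD5    ", fp["md5"])
    print("SHA256 ", fp["sha256"])
```

On Windows the same two strings can be read with the standard winreg module instead of being pasted in; the fingerprint is a hash of the full public key blob, so storing the SHA256 form (or the blob itself) is a sounder pin than the 16-byte MD5 string alone.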

Related

golang/crypto: DSS key no longer works

I'm using an SFTP with my service to download some files which are integral to our functionality.
After this commit to the golang/x/crypto package, my key no longer works.
Considering the commit message, ssh: reject unsupported DSA key sizes, it would seem that the key now breaks that new validation. However, the error I get is ssh: no key found.
The key is read from $ ssh-keyscan euftp.morningstar.com, so I'm puzzled if it's not valid.
This is the public DSS / DSA key I'm using:
euftp.morningstar.com ssh-dss AAAAB3NzaC1kc3MAAAEBAJgHdansQ87KIX8tEj8U0tEIUpU0UJ98V/A8hF+Fv/F2zX7yq7zOQrg+RKd2M4OJPaYZ+KVF4o5XmGe3cGNggBZTUaIhYIVhjRw4EAjyf/CmLDso1sWy48GUXoapBVbzMxVzs4xkeHN4UJgsHvANKo5PFIC/A4hNPy9AxbqlS2h4pg3/Ritzz70y0wP6f6y3h60MK87UEayGms6FbdYmGf/DGXljRsVrEBZYyrEj7oPEUpH07y2+XeYRpyeG+2llstMRF6xuaq088zLT//q3cv+jprTNT9T+iVI2Q2diy69DQeOO8mp2YZgTrGP9t048W7/Ps1zEEL1uj/dWS3XG6McAAAAVAIQP+o3wCWe+twgSY3Qk0SIvH1ndAAABAHwQNTLdSr0HDhBnVi3EPx1+PdKeHGt5L+jauZO3pq/8Ja4vNX26sraeEWjeLbW5ipEzkXlvX3VG+PCOs6XtNI6HojC3T0lulwLqEH5jBtAAyAuP2Ec3lYw9PldGGzsSx7gW6BaUKVqQnQW+27Kxtcyh1ti80dz/jI1//iapV5HAyrOjeHKjSdrsSeJ6VJ6eTDWDDcpChzhhdp9L66C90emv6rNNjwO/YVzUaNgaISgnCVnoQoHNj23rc8ihumMcDoNmh+u4xXcfS3HLGaNByS4GwMGMDR5KYFK2CbL5BLUW7HPTSTORvhsU+28rkeOsQCfZiReRC8re8Hwep5qNrkkAAAEACCrGotD2kLVfEbEpFrvqvzVkAolBet11rrPBxOS+UvL1UK5nsO4i179iSrFrl9DH9D1U4qVjGmKZxhPPtWRLSf/8h7bCYzcgdmK+U7o6XbUoHGnvW7pGktrMXSlGkF37Rk4OV9zTmUDb/kPxqGAl1BxNXcU7XDCSoZLXzPMyzTT+ezgfaSzGMWZTXKJFXHNffo8e8h+DijQiLOhVUU8RYbAh0C7dZgu4l9+lgO+yX711IFixoeuf8ahET90/IogLnMsQevsrzQzb6aXXe2daIDIHxPWJ1m+erxCHKZoCWAQeG5MSMjvSQup70WGiDa/6AXEldlcFf96Y8npLiO9Y4A==
Regardless of what the core issue is (although I really want to know), I'm in dire need of a solution. How can I create SSH connections again for this key?
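As an added diagnostic (not code from the question, from an answer, or from the golang/x/crypto project), the script below decodes the ssh-dss blob quoted above, reports the bit lengths of p and q, and checks whether that (L, N) pair is one of the four FIPS 186-3 parameter sets, which are also the four that Go's crypto/dsa ParameterSizes enumerate. The commit named in the question rejects DSA key sizes it does not support, so the sizes are the first thing to look at; the exact bound it enforces is not stated on this page and is not assumed here. The key line is copied from the question.

```python
import base64
from typing import Dict, Tuple

# Copied from the question: the ssh-keyscan output line for the host.
KNOWN_HOSTS_LINE = (
    "euftp.morningstar.com ssh-dss "
    "AAAAB3NzaC1kc3MAAAEBAJgHdansQ87KIX8tEj8U0tEIUpU0UJ98V/A8hF+Fv/F2zX7yq7zOQrg+RKd2M4OJPaYZ+KVF4o5XmGe3cGNggBZTUaIhYIVhjRw4EAjyf/CmLDso1sWy48GUXoapBVbzMxVzs4xkeHN4UJgsHvANKo5PFIC/A4hNPy9AxbqlS2h4pg3/Ritzz70y0wP6f6y3h60MK87UEayGms6FbdYmGf/DGXljRsVrEBZYyrEj7oPEUpH07y2+XeYRpyeG+2llstMRF6xuaq088zLT//q3cv+jprTNT9T+iVI2Q2diy69DQeOO8mp2YZgTrGP9t048W7/Ps1zEEL1uj/dWS3XG6McAAAAVAIQP+o3wCWe+twgSY3Qk0SIvH1ndAAABAHwQNTLdSr0HDhBnVi3EPx1+PdKeHGt5L+jauZO3pq/8Ja4vNX26sraeEWjeLbW5ipEzkXlvX3VG+PCOs6XtNI6HojC3T0lulwLqEH5jBtAAyAuP2Ec3lYw9PldGGzsSx7gW6BaUKVqQnQW+27Kxtcyh1ti80dz/jI1//iapV5HAyrOjeHKjSdrsSeJ6VJ6eTDWDDcpChzhhdp9L66C90emv6rNNjwO/YVzUaNgaISgnCVnoQoHNj23rc8ihumMcDoNmh+u4xXcfS3HLGaNByS4GwMGMDR5KYFK2CbL5BLUW7HPTSTORvhsU+28rkeOsQCfZiReRC8re8Hwep5qNrkkAAAEACCrGotD2kLVfEbEpFrvqvzVkAolBet11rrPBxOS+UvL1UK5nsO4i179iSrFrl9DH9D1U4qVjGmKZxhPPtWRLSf/8h7bCYzcgdmK+U7o6XbUoHGnvW7pGktrMXSlGkF37Rk4OV9zTmUDb/kPxqGAl1BxNXcU7XDCSoZLXzPMyzTT+ezgfaSzGMWZTXKJFXHNffo8e8h+DijQiLOhVUU8RYbAh0C7dZgu4l9+lgO+yX711IFixoeuf8ahET90/IogLnMsQevsrzQzb6aXXe2daIDIHxPWJ1m+erxCHKZoCWAQeG5MSMjvSQup70WGiDa/6AXEldlcFf96Y8npLiO9Y4A=="
)

# (L, N) pairs defined by FIPS 186-3; Go's crypto/dsa ParameterSizes are the same four.
FIPS186_3_SIZES = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}


def read_string(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one RFC 4251 'string' (4-byte big-endian length + body) at pos."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[pos:pos + 4], "big")
    if pos + 4 + n > len(buf):
        raise ValueError("truncated string body")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def read_mpint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Read one RFC 4251 'mpint' (two's-complement big-endian) at pos."""
    raw, pos = read_string(buf, pos)
    return int.from_bytes(raw, "big", signed=True), pos


def parse_dss_blob(blob: bytes) -> Dict[str, int]:
    """Parse the RFC 4253 ssh-dss layout: string 'ssh-dss', mpint p, q, g, y."""
    keytype, pos = read_string(blob, 0)
    if keytype != b"ssh-dss":
        raise ValueError(f"not an ssh-dss key: {keytype!r}")
    p, pos = read_mpint(blob, pos)
    q, pos = read_mpint(blob, pos)
    g, pos = read_mpint(blob, pos)
    y, pos = read_mpint(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after ssh-dss key")
    if min(p, q, g, y) <= 0:
        raise ValueError("DSA parameters must be positive")
    return {"p_bits": p.bit_length(), "q_bits": q.bit_length(),
            "g_bits": g.bit_length(), "y_bits": y.bit_length()}


def dsa_size_report(known_hosts_line: str) -> Dict[str, object]:
    """Decode one '<host> ssh-dss <base64>' line and classify its (L, N) sizes."""
    host, keytype, b64 = known_hosts_line.split()[:3]
    if keytype != "ssh-dss":
        raise ValueError(f"expected ssh-dss, got {keytype}")
    info: Dict[str, object] = dict(parse_dss_blob(base64.b64decode(b64)))
    info["host"] = host
    info["fips186_3_pair"] = (info["p_bits"], info["q_bits"]) in FIPS186_3_SIZES
    return info


if __name__ == "__main__":
    report = dsa_size_report(KNOWN_HOSTS_LINE)
    print(f"{report['host']}: L={report['p_bits']} N={report['q_bits']} "
          f"standard FIPS 186-3 pair: {report['fips186_3_pair']}")
```

The parser raises on truncated or trailing data rather than guessing, which is also what a strict SSH library does; a host that keeps serving a DSA key would in any case be worth asking to offer an RSA, ECDSA or Ed25519 host key, since DSA is disabled by default in current OpenSSH.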

What's the difference between Amazon EC2 private key (.pem) and secret access key?

While signing up for Amazon EC2 and enabling ssh, I have to create and download a private key (.pem) and a secret access key.
How are they different? What different functions do they have?
You need to read a good tutorial on SSH, but here is a summary:
The Access Key ID and Secret Access Key are like a username and password. They allow you to "do stuff" on the AWS API using the commandline tools or code you write.
The private key (.pem) is like a password for talking (SSH) to an individual box that you have launched. (i.e. not "AWS itself", but "your box within AWS".) You can have different passwords to different boxes if you want, but most of the time you only need one.
If you know how SSH works, they are just putting down ~/.ssh/known_hosts with the public part of your key, allowing you to log in for the first time. You can change that file later to add more users or rotate your SSH keys.

Sourcetree Git - SSH passphrase prompt

I have downloaded Sourcetree lately which comes with puttygen, plink and pageant.
I have set up an SSH public and private key, with a non-empty passphrase.
I was prompted for this passphrase when I added the private key to the Pageant key list. However, when I restart my machine and re-open Sourcetree I am re-prompted for this passphrase.
1). Should Pageant or Sourcetree be saving this passphrase, so I am not prompted every time I wish to use Sourcetree?
2). If so, how?
Pageant keeps the decrypted key in memory only. It does not save the passphrase or the decrypted key anywhere.
Saving the passphrase would be almost as insecure as saving the key unencrypted. While it would be a solution for you, it's really not recommendable!
Quote from the Security considerations section of the Pageant documentation:
Using Pageant for public-key authentication gives you the convenience of being able to open multiple SSH sessions without having to type a passphrase every time, but also gives you the security benefit of never storing a decrypted private key on disk. Many people feel this is a good compromise between security and convenience.
It is a compromise, however. Holding your decrypted private keys in Pageant is better than storing them in easy-to-find disk files, but still less secure than not storing them anywhere at all.

PuTTY Security Alert - What does key fingerprint mean?

I have another question about security in the web world.
So I read (and ask :P) about certificates and think I got what it is and how it works. My next question is putty specific. When I open a connection with putty to a new server with ssh (port: 22) I get a PuTTY Security Alert:
The server's host key is not cached in the registry. You have to guarantee that the server is the computer you think it is.
The server's xxxx key fingerprint is:
yyyyyyyyyyyyyyyyyyyyyyyyyyy
If you trust this host, hit Yes... etc.
Now I am wondering what a key fingerprint means.
Is that just a certificate which PuTTY doesn't have in its cache yet?
thanks.
SCBoy
Those are the first bytes of the server certificate public key. The idea is that the key is a random number, so the first bytes are random too and therefore knowing that those first bytes are the same for two keys would likely mean that the keys are actually the same.
You can use this to validate the server. You could for example call the administrator of that server and ask him for the fingerprint of the key to validate that it's indeed the key of that server, not some man-in-the-middle server belonging to a malicious party.

Automating terminal login with DSA key

How would I go about doing this on the terminal?
sftp then asks me for a password. How do I include my DSA key so that I do not have to use the password?
As sftp uses the SSH protocol for communication, you may generate a private/public key pair using ssh-keygen (read everything there!). Then read this HOWTO about how to transfer your key to the remote server. If you need more, read the more detailed description of OpenSSH Public Key Authentication.
If you set up your key correctly, and the remote SSH server is configured to use key authentication, you will be granted access without an additional password.
If you have ssh-agent running, holding the key to the site, it will handle authentication for you.
