Where is ssh-rsa public key? - SSH
-
Where is ssh-rsa public key?
I am used to finding this key in /etc/ssh but on this one box the file
permissions are such that I cannot read the public key. Is this some
sort of security measure? Anyway, I already have the DSA fingerprint
saved, so I can log into the box. Now, I want to manually get/verify
the RSA fingerprint and save that. Is it possible that the public key
is stored elsewhere, and the file in /etc/ssh is a dummy file? If so,
how can I find where it is stored? Or, is the key in /etc/ssh the
correct key, and the file permissions are restrictive for security, and
only sshd can read the files or something? Since I can log into the box
already, can I issue some sort of "ssh localhost" with some extra
parameters that will request the RSA key instead of using the DSA key,
and get the fingerprint that way? Or, a setting I can add to my local
ssh config that will request the RSA key? Thanks.
-
Re: Where is ssh-rsa public key?
0h wrote:
> I am used to finding this key in /etc/ssh but on this one box the file
> permissions are such that I cannot read the public key. Is this some
> sort of security measure? Anyway, I already have the DSA fingerprint
> saved, so I can log into the box. Now, I want to manually get/verify
> the RSA fingerprint and save that. Is it possible that the public key
> is stored elsewhere, and the file in /etc/ssh is a dummy file? If so,
> how can I find where it is stored? Or, is the key in /etc/ssh the
> correct key, and the file permissions are restrictive for security, and
> only sshd can read the files or something? Since I can log into the box
> already, can I issue some sort of "ssh localhost" with some extra
> parameters that will request the RSA key instead of using the DSA key,
> and get the fingerprint that way? Or, a setting I can add to my local
> ssh config that will request the RSA key? Thanks.
You mean the public host keys are not user readable? That sounds like a
configuration error, not an OpenSSH or SSH security practice. Any successful
connection via any SSH protocol will normally store the host's public SSH key
in ~/.ssh/known_hosts, so I don't see why anyone would want to make that more
restricted.
Are you *sure* you mean the public keys, and not the private keys (which
should be private!)
And yes, running "ssh -1" should use protocol 1 and the appropriate RSA keys.
-
Re: Where is ssh-rsa public key?
Nico Kadel-Garcia wrote:
> And yes, running "ssh -1" should use protocol 1 and the appropriate
> RSA keys.
And in case you are looking for the version 2 RSA key:
`ssh -o HostKeyAlgorithms=ssh-rsa ...`
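
Added example, not part of the original thread: once a connection made with `HostKeyAlgorithms=ssh-rsa` has stored the host's RSA key in `~/.ssh/known_hosts`, the fingerprint can be computed from that entry and compared with one obtained out of band. The host name, address and key blobs below are constructed sample data (not real keys), and the function names are hypothetical.

```python
import base64, hashlib

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

def read_strings(blob: bytes) -> list:
    """Split a public-key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        field = blob[pos + 4:pos + 4 + n]
        if pos + 4 > len(blob) or len(field) != n:
            raise ValueError("truncated key blob")
        fields.append(field)
        pos += 4 + n
    return fields

def host_key_fingerprints(known_hosts_text, host, key_type="ssh-rsa"):
    """Fingerprints of host's key of the given type, or None if no such entry."""
    for line in known_hosts_text.splitlines():
        parts = line.split()
        # Skip blanks, comments, @markers and hashed ("|1|...") host names.
        if len(parts) < 3 or parts[0].startswith(("#", "@", "|")):
            continue
        if host not in parts[0].split(",") or parts[1] != key_type:
            continue
        blob = base64.b64decode(parts[2], validate=True)
        fields = read_strings(blob)
        if fields[0] != key_type.encode("ascii"):
            raise ValueError("key type inside blob does not match the line")
        md5 = hashlib.md5(blob).hexdigest()
        sha = base64.b64encode(hashlib.sha256(blob).digest()).decode()
        result = {
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),  # legacy format
            "sha256": "SHA256:" + sha.rstrip("="),  # current OpenSSH default
        }
        if key_type == "ssh-rsa":  # blob fields: name, exponent e, modulus n
            result["bits"] = int.from_bytes(fields[2], "big").bit_length()
        return result
    return None

# Constructed sample data (not real keys): DSA and RSA entries for one host.
RSA_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00\xc3" + bytes(254) + b"\x01"))
DSA_BLOB = ssh_string(b"ssh-dss") + ssh_string(b"\x07")
SAMPLE_KNOWN_HOSTS = "\n".join(
    "box.example.org,192.0.2.10 %s %s" % (t, base64.b64encode(b).decode())
    for t, b in (("ssh-dss", DSA_BLOB), ("ssh-rsa", RSA_BLOB)))
```

The fingerprint is a hash of the public key blob the server sends during key exchange, so it can be checked from the client's `known_hosts` without read access to `/etc/ssh` on the server.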
-
Re: Where is ssh-rsa public key?
Paul Hink wrote:
| Nico Kadel-Garcia wrote:
|
|> And yes, running "ssh -1" should use protocol 1 and the appropriate
|> RSA keys.
|
| And in case you are looking for the version 2 RSA key:
| `ssh -o HostKeyAlgorithms=ssh-rsa ...`
Thanks. This command served my needs.
-
Re: Where is ssh-rsa public key?
Nico Kadel-Garcia wrote:
| You mean the public host keys are not user readable?
That's right.
| cat /etc/ssh/ssh_host*.pub
cat: cannot open /etc/ssh/ssh_host_dsa_key.pub
cat: cannot open /etc/ssh/ssh_host_key.pub
cat: cannot open /etc/ssh/ssh_host_rsa_key.pub
Strangely, I can read /etc/ssh/ssh_config and /etc/ssh/sshd_config, but
I couldn't find any setting there that might say where the public keys
are stored.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
are defined, though.
| That sounds like a
| configuration error, not an OpenSSH or SSH security practice.
I thought so too. But, the keys are read somehow, because I have to
verify the fingerprint before logging in.
| Any
| successful connection via any SSH protocol will normally store the
| host's public SSH key in ~/.ssh/known_hosts, so I don't see why anyone
| would want to make that more restricted.
And the public keys for this particular box do get saved there after
I've verified the fingerprint.
| Are you *sure* you mean the public keys, and not the private keys (which
| should be private!)
Yes.
-
Re: Where is ssh-rsa public key?
0h wrote:
> Nico Kadel-Garcia wrote:
> | You mean the public host keys are not user readable?
>
> That's right.
>
> | cat /etc/ssh/ssh_host*.pub
> cat: cannot open /etc/ssh/ssh_host_dsa_key.pub
> cat: cannot open /etc/ssh/ssh_host_key.pub
> cat: cannot open /etc/ssh/ssh_host_rsa_key.pub
>
> Strangely, I can read /etc/ssh/ssh_config and /etc/ssh/sshd_config, but
> I couldn't find any setting there that might say where the public keys
> are stored.
>
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
>
> are defined, though.
>
> | That sounds like a
> | configuration error, not an OpenSSH or SSH security practice.
>
> I thought so too. But, the keys are read somehow, because I have to
> verify the fingerprint before logging in.
Hmm. I think you're getting the public key information transmitted by the
server, generated from the *private* ssh keys. Do you have the private SSH
keys for the host?
And are you possibly connecting to a manually installed SSH daemon that puts
its SSH keys somewhere else?
> | Any
> | successful connection via any SSH protocol will normally store the
> | host's public SSH key in ~/.ssh/known_hosts, so I don't see why anyone
> | would want to make that more restricted.
>
> And the public keys for this particular box do get saved there after
> I've verified the fingerprint.
>
> | Are you *sure* you mean the public keys, and not the private keys (which
> | should be private!)
>
> Yes.
-
Re: Where is ssh-rsa public key?
Nico Kadel-Garcia wrote:
> 0h wrote:
> Nico Kadel-Garcia wrote:
> | That sounds like a
> | configuration error, not an OpenSSH or SSH security practice.
>
> I thought so too. But, the keys are read somehow, because I have to
> verify the fingerprint before logging in.
>
>> Hmm. I think you're getting the public key information transmitted by
>> the server, generated from the *private* ssh keys. Do you have the
>> private SSH keys for the host?
>
No way.
>> And are you possibly connecting to a manually installed SSH daemon that
>> puts its SSH keys somewhere else?
>
That's my guess, and I've asked the administrator where the keys might
be. Still waiting for a response on that.
-
Re: Where is ssh-rsa public key?
0h wrote:
> Nico Kadel-Garcia wrote:
>> 0h wrote:
>> Nico Kadel-Garcia wrote:
>> | That sounds like a
>> | configuration error, not an OpenSSH or SSH security practice.
>>
>> I thought so too. But, the keys are read somehow, because I have to
>> verify the fingerprint before logging in.
>>
>>> Hmm. I think you're getting the public key information transmitted by
>>> the server, generated from the *private* ssh keys. Do you have the
>>> private SSH keys for the host?
>
> No way.
I'm sorry, I was unclear. Do they *exist* at /etc/ssh/.?
>>> And are you possibly connecting to a manually installed SSH daemon that
>>> puts its SSH keys somewhere else?
>
> That's my guess, and I've asked the administrator where the keys might
> be. Still waiting for a response on that.