Where is ssh-rsa public key? - SSH


  1. Where is ssh-rsa public key?

    I am used to finding this key in /etc/ssh but on this one box the file
    permissions are such that I cannot read the public key. Is this some
    sort of security measure? Anyway, I already have the DSA fingerprint
    saved, so I can log into the box. Now, I want to manually get/verify
    the RSA fingerprint and save that. Is it possible that the public key
    is stored elsewhere, and the file in /etc/ssh is a dummy file? If so,
    how can I find where it is stored? Or, is the key in /etc/ssh the
    correct key, and the file permissions are restrictive for security, and
    only sshd can read the files or something? Since I can log into the box
    already, can I issue some sort of "ssh localhost" with some extra
    parameters that will request the RSA key instead of using the DSA key,
    and get the fingerprint that way? Or, a setting I can add to my local
    ssh config that will request the RSA key? Thanks.

  2. Re: Where is ssh-rsa public key?

    0h wrote:
    > I am used to finding this key in /etc/ssh but on this one box the file
    > permissions are such that I cannot read the public key. Is this some
    > sort of security measure? Anyway, I already have the DSA fingerprint
    > saved, so I can log into the box. Now, I want to manually get/verify
    > the RSA fingerprint and save that. Is it possible that the public key
    > is stored elsewhere, and the file in /etc/ssh is a dummy file? If so,
    > how can I find where it is stored? Or, is the key in /etc/ssh the
    > correct key, and the file permissions are restrictive for security, and
    > only sshd can read the files or something? Since I can log into the box
    > already, can I issue some sort of "ssh localhost" with some extra
    > parameters that will request the RSA key instead of using the DSA key,
    > and get the fingerprint that way? Or, a setting I can add to my local
    > ssh config that will request the RSA key? Thanks.


    You mean the public host keys are not user readable? That sounds like a
    configuration error, not an OpenSSH or SSH security practice. Any successful
    connection via any SSH protocol will normally store the host's public SSH key
    in ~/.ssh/known_hosts, so I don't see why anyone would want to make that more
    restricted.

    Are you *sure* you mean the public keys, and not the private keys (which
    should be private!)

    And yes, running "ssh -1" should use protocol 1 and the appropriate RSA keys.

  3. Re: Where is ssh-rsa public key?

    Nico Kadel-Garcia wrote:

    > And yes, running "ssh -1" should use protocol 1 and the appropriate
    > RSA keys.


    And in case you are looking for the version 2 RSA key: `ssh -o
    HostKeyAlgorithms=ssh-rsa ...`
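
Once the RSA host key has been accepted with the `HostKeyAlgorithms=ssh-rsa` option above, it sits in `~/.ssh/known_hosts`, and its fingerprint can be recomputed from that entry and compared with one obtained out of band. The Python below is an added example, not part of any post in this thread; the host names and the key are constructed sample values, and both the older MD5 colon-hex form and the newer SHA256 form of the fingerprint are produced.

```python
import base64, hashlib, hmac, struct

def read_strings(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])  # struct.error if truncated
        off += 4
        if off + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + n])
        off += n
    return fields

def host_matches(pattern, host):
    """Match a known_hosts host field: plain comma list or hashed |1|salt|mac."""
    if pattern.startswith("|1|"):
        salt, mac = (base64.b64decode(p) for p in pattern[3:].split("|"))
        return hmac.compare_digest(mac, hmac.new(salt, host.encode(), hashlib.sha1).digest())
    return host in pattern.split(",")

def rsa_fingerprints(known_hosts_text, host):
    """Return (bits, md5_fingerprint, sha256_fingerprint) for host's ssh-rsa entry, or None."""
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # blank lines, comments, @cert-authority/@revoked markers
        if parts[1] != "ssh-rsa" or not host_matches(parts[0], host):
            continue
        blob = base64.b64decode(parts[2])
        name, e, n = read_strings(blob)  # ssh-rsa blob: name, exponent, modulus
        if name != b"ssh-rsa":
            raise ValueError("key type inside the blob does not match the line")
        bits = int.from_bytes(n, "big").bit_length()
        md5 = hashlib.md5(blob).hexdigest()
        md5 = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
        sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        return bits, md5, "SHA256:" + sha256
    return None

def mpint(v):
    """Encode a positive integer as an SSH mpint (leading zero byte if the high bit is set)."""
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(b)) + b

# Constructed sample, not a real host key: 1024-bit modulus, e = 65537.
SAMPLE_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << 1023) | 1)
SAMPLE = ("box.example.org,192.0.2.10 ssh-dss AAAAB3NzaC1kc3M=\n"  # truncated, constructed
          "box.example.org,192.0.2.10 ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + "\n")
```

Calling `rsa_fingerprints(open(path).read(), "hostname")` on a real `known_hosts` file returns the values to compare with the fingerprint the administrator reads off the server.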

  4. Re: Where is ssh-rsa public key?

    Paul Hink wrote:
    | Nico Kadel-Garcia wrote:
    |
    |> And yes, running "ssh -1" should use protocol 1 and the appropriate
    |> RSA keys.
    |
    | And in case you are looking for the version 2 RSA key: `ssh -o
    | HostKeyAlgorithms=ssh-rsa ...`

    Thanks. This command served my needs.

  5. Re: Where is ssh-rsa public key?

    Nico Kadel-Garcia wrote:
    | You mean the public host keys are not user readable?

    That's right.

    | cat /etc/ssh/ssh_host*.pub
    cat: cannot open /etc/ssh/ssh_host_dsa_key.pub
    cat: cannot open /etc/ssh/ssh_host_key.pub
    cat: cannot open /etc/ssh/ssh_host_rsa_key.pub

    Strangely, I can read /etc/ssh/ssh_config and /etc/ssh/sshd_config, but
    I couldn't find any setting there that might say where the public keys
    are stored.

    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key

    are defined, though.

    | That sounds like a
    | configuration error, not an OpenSSH or SSH security practice.

    I thought so too. But, the keys are read somehow, because I have to
    verify the fingerprint before logging in.

    | Any
    | successful connection via any SSH protocol will normally store the
    | host's public SSH key in ~/.ssh/known_hosts, so I don't see why anyone
    | would want to make that more restricted.

    And the public keys for this particular box do get saved there after
    I've verified the fingerprint.

    | Are you *sure* you mean the public keys, and not the private keys (which
    | should be private!)

    Yes.


  6. Re: Where is ssh-rsa public key?

    0h wrote:
    > Nico Kadel-Garcia wrote:
    > | You mean the public host keys are not user readable?
    >
    > That's right.
    >
    > | cat /etc/ssh/ssh_host*.pub
    > cat: cannot open /etc/ssh/ssh_host_dsa_key.pub
    > cat: cannot open /etc/ssh/ssh_host_key.pub
    > cat: cannot open /etc/ssh/ssh_host_rsa_key.pub
    >
    > Strangely, I can read /etc/ssh/ssh_config and /etc/ssh/sshd_config, but
    > I couldn't find any setting there that might say where the public keys
    > are stored.
    >
    > HostKey /etc/ssh/ssh_host_rsa_key
    > HostKey /etc/ssh/ssh_host_dsa_key
    >
    > are defined, though.
    >
    > | That sounds like a
    > | configuration error, not an OpenSSH or SSH security practice.
    >
    > I thought so too. But, the keys are read somehow, because I have to
    > verify the fingerprint before logging in.


    Hmm. I think you're getting the public key information transmitted by the
    server, generated from the *private* ssh keys. Do you have the private SSH
    keys for the host?

    And are you possibly connecting to a manually installed SSH daemon that puts
    its SSH keys somewhere else?

    > | Any
    > | successful connection via any SSH protocol will normally store the
    > | host's public SSH key in ~/.ssh/known_hosts, so I don't see why anyone
    > | would want to make that more restricted.
    >
    > And the public keys for this particular box do get saved there after
    > I've verified the fingerprint.
    >
    > | Are you *sure* you mean the public keys, and not the private keys (which
    > | should be private!)
    >
    > Yes.


  7. Re: Where is ssh-rsa public key?

    Nico Kadel-Garcia wrote:
    > 0h wrote:
    > Nico Kadel-Garcia wrote:
    > | That sounds like a
    > | configuration error, not an OpenSSH or SSH security practice.
    >
    > I thought so too. But, the keys are read somehow, because I have to
    > verify the fingerprint before logging in.
    >
    >> Hmm. I think you're getting the public key information transmitted by
    >> the server, generated from the *private* ssh keys. Do you have the
    >> private SSH keys for the host?


    No way.

    >> And are you possibly connecting to a manually installed SSH daemon that
    >> puts its SSH keys somewhere else?


    That's my guess, and I've asked the administrator where the keys might
    be. Still waiting for a response on that.

  8. Re: Where is ssh-rsa public key?

    0h wrote:
    > Nico Kadel-Garcia wrote:
    >> 0h wrote:
    >> Nico Kadel-Garcia wrote:
    >> | That sounds like a
    >> | configuration error, not an OpenSSH or SSH security practice.
    >>
    >> I thought so too. But, the keys are read somehow, because I have to
    >> verify the fingerprint before logging in.
    >>
    >>> Hmm. I think you're getting the public key information transmitted by
    >>> the server, generated from the *private* ssh keys. Do you have the
    >>> private SSH keys for the host?

    >
    > No way.


    I'm sorry, I was unclear. Do they *exist* at /etc/ssh/.?

    >>> And are you possibly connecting to a manually installed SSH daemon that
    >>> puts its SSH keys somewhere else?

    >
    > That's my guess, and I've asked the administrator where the keys might
    > be. Still waiting for a response on that.

