Solved

.ssh directory on AIX 5.3

Posted on 2009-07-14
10
807 Views
Last Modified: 2013-11-17
I have a user that does not have the .ssh directory under his profile. Is there a way to create it by default and have known_hosts in the .ssh directory? I do not want to just execute mkdir .ssh and then touch known_hosts. Is there a better way to create .ssh? For a few other users, the .ssh directory was created automatically. Thanks.
Question by:AIX25
10 Comments
LVL 68

Expert Comment

by:woolmilkporc
ID: 24853470
Hi,

nice to meet you!

It's absolutely no problem to create the .ssh subdirectory using mkdir.

Just take care to set its permissions as 700.

The known_hosts file will be created automatically the first time a host key has to be added. If you prefer creating it manually, set permissions as 644.

If you don't want to acknowledge the adding of a host key each time a new host is accessed, you can copy the known_hosts file of another user, if your security policy would allow that.

Cheers

wmp

LVL 68

Expert Comment

by:woolmilkporc
ID: 24853507
... if you really, really don't want to use mkdir - ssh-keygen will create the .ssh subdirectory! You must be logged in as the concerned user, or (what I forgot to mention above) - the owner of the newly created .ssh subdirectory must be set to the user in whose home directory it is going to reside, of course.


Author Comment

by:AIX25
ID: 24853654
ssh-keygen will create .ssh only?

Author Comment

by:AIX25
ID: 24853708
I created .ssh, signed out and then signed back in, and there is no known_hosts file created. What should I do to resolve this?
LVL 68

Expert Comment

by:woolmilkporc
ID: 24853809
Just access a remote host via ssh. You will be prompted to acknowledge the new host key. After having done that, a new known_hosts file will be there, containing just that one key. By accessing more remote hosts, the file will get filled step by step.

All permissions and ownership correct?


Author Comment

by:AIX25
ID: 24853846
I created an RSA key to connect to the remote server and I get this error:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
4e:44:3c:7f:1b:0d:b8:cd:3d:39:57:6f:4b:b9:89:a8.
Please contact your system administrator.
Add correct host key in /data/db2/db2inst1/.ssh/known_hosts to get rid of this message.
Offending key in /data/db2/db2inst1/.ssh/known_hosts:1
RSA host key for ***.**.**.** has changed and you have requested strict checking.
Host key verification failed.

Because there is no known_hosts file under the .ssh directory, I keep getting this error. I created the rsa.pub key and copied it to another remote server. Why isn't .ssh getting created on its own with known_hosts? .ssh got created automatically for my username.
LVL 68

Accepted Solution

by:woolmilkporc (earned 500 total points)
ID: 24853936
OK,

you didn't tell me that you use strict host key checking. This means that a host key cannot be added "on the fly" to your known_hosts file.
If you must stay with strict checking, you'll have to contact the administrator(s) of any remote host you want to access, and ask them to pass you their host key, which you then must add manually to your known_hosts file.

Assuming they sent you a file containing the key named 'host1.key', do the following:

- login as the concerned user
- 'cd .ssh'
- 'cat /path/to/host1.key >> known_hosts'
- 'chmod 644 known_hosts'

.ssh got created automatically for you when you ran ssh-keygen.
known_hosts only gets created automatically without strict hostkey checking.
LVL 68

Expert Comment

by:woolmilkporc
ID: 24853987
Maybe the man page of ssh_config explains it better:

StrictHostKeyChecking
If this flag is set to "yes", ssh will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, however, can be annoying when the /etc/ssh/ssh_known_hosts file is poorly maintained, or connections to new hosts are frequently made. This option forces the user to manually add all new hosts. If this flag is set to "no", ssh will automatically add new host keys to the user known hosts files. If this flag is set to "ask", new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases. The argument must be "yes", "no" or "ask". The default is "ask".


Author Comment

by:AIX25
ID: 24854293
I have root access to the remote server.  The concerned user did not have a .ssh directory.  I manually created a .ssh directory and created a known_hosts file.  Where do I get the hostkey from the remote server?
LVL 68

Assisted Solution

by:woolmilkporc (earned 500 total points)
ID: 24854397
The host key consists of a public/private key pair, just as the users' keys do. The default location for the private keys is /etc/ssh.
Their names are ssh_host_key for protocol version 1, and ssh_host_rsa_key and ssh_host_dsa_key for protocol version 2. The public keys have the same names with a suffix '.pub' and are usually left in the same location, but that's not mandatory.
You need one (or all) of the .pub keys, according to protocol version and encryption method.
Transfer the key(s) to your local machine and add them to authorized_keys, as I wrote above.
When using ftp, keep in mind to use 'binary' transfer.

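The manual procedure from the accepted solution (create .ssh with mode 700, append the remote host's public key to known_hosts, mode 644) together with the host key location given just above, as one added shell example that is not part of the thread. It assumes the remote administrator handed over a copy of /etc/ssh/ssh_host_rsa_key.pub; since such a file carries only "keytype base64 [comment]" while a known_hosts line also needs the host name or address in front, the helper prefixes it and skips duplicates. The host name and key material are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): create ~/.ssh with the permissions
# recommended above and record a host's public key in known_hosts by hand,
# as is needed when StrictHostKeyChecking is "yes".
# A raw /etc/ssh/ssh_host_*_key.pub file holds "keytype base64 [comment]";
# a known_hosts line must carry the host name (or address) in front of it.
set -e

# ensure_ssh_dir HOME_DIR: create .ssh (mode 700) and an empty known_hosts (mode 644)
ensure_ssh_dir() {
    sshdir="$1/.ssh"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$sshdir/known_hosts"
    chmod 644 "$sshdir/known_hosts"
    printf '%s\n' "$sshdir"
}

# add_host_key HOST PUBFILE KNOWN_HOSTS: append "HOST keytype base64" to KNOWN_HOSTS,
# skipping the append when that exact entry is already present
add_host_key() {
    host="$1"; pubfile="$2"; kh="$3"
    # keep only key type and key material from the .pub file; drop its comment
    keyline=$(awk '{print $1, $2; exit}' "$pubfile")
    entry="$host $keyline"
    if grep -qxF -- "$entry" "$kh" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$kh"
}

# Demo on constructed data in a throwaway directory; the key material is a
# made-up placeholder, not a real host key.
demo() {
    tmp=$(mktemp -d)
    pub="$tmp/ssh_host_rsa_key.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleplaceholder root@db2host\n' > "$pub"
    sshdir=$(ensure_ssh_dir "$tmp/home")
    add_host_key db2host.example "$pub" "$sshdir/known_hosts"
    add_host_key db2host.example "$pub" "$sshdir/known_hosts"   # no-op: already recorded
    ls -ld "$sshdir" "$sshdir/known_hosts"
    cat "$sshdir/known_hosts"
    rm -rf "$tmp"
}
demo
```

Run it as the user whose home directory is concerned (or chown the result to that user afterwards, as noted earlier in the thread), pointing it at the real home directory and the .pub file you received.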