Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 843
  • Last Modified:

.ssh directory on AIX 5.3

I have a user that does not have the .ssh under his profile.  Is there a way to create by default and have know_hosts in the .ssh directory.  I do not want to just execute mkdir .ssh and then touch known_hosts.  Is there a better way to create .ssh? I have a few other users; the .ssh was created automatically. Thanks.
0
AIX25
Asked:
AIX25
  • 6
  • 4
2 Solutions
 
woolmilkporcCommented:
Hi,

nice to meet you!

It's absolutely no problem to create the .ssh subdirectory using mkdir.

Just take care to set its permissions as 700.

The known_hosts file will be created automatically the first time a host key has to be added. If you prefer creating it manually, set permissions as 644.

If you don't want to acknowledge the adding of a host key each time a new host is accessed, you can copy the known_hosts file of another user, if your security policy would allow that.

Cheers

wmp


0
 
woolmilkporcCommented:
... if you really, really don't want to use mkdir - ssh-keygen will create the .ssh subdirectory! You must be logged in as the concerned user, or (what I forgot to mention above) - the owner of the newly created .ssh subdirectory must be set to the user in whose home directory it is going to reside, of course.


0
 
AIX25Author Commented:
ssh-keygen will create .ssh only?
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
AIX25Author Commented:
I created .ssh.  Signed out and then signed back in and there is no known_hosts file created? WHat should I do to resolve this?
0
 
woolmilkporcCommented:
Just acces a remote host via ssh. You will be prompted to acknowledge the new host key. After having done that, a new known_hosts file will be there, containing just that one key. By accessing more remote hosts, the file will get filled step-by-step.

All permissions and ownership correct?




0
 
AIX25Author Commented:
I created a RSA key to connect to the remote server and I get this error:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
4e:44:3c:7f:1b:0d:b8:cd:3d:39:57:6f:4b:b9:89:a8.
Please contact your system administrator.
Add correct host key in /data/db2/db2inst1/.ssh/known_hosts to get rid of this message.
Offending key in /data/db2/db2inst1/.ssh/known_hosts:1
RSA host key for ***.**.**.** has changed and you have requested strict checking.
Host key verification failed.

Because there is no known_hosts file under .ssh directory, I keep getting this error.  I create the rsa.pub key and copied it to another remote server.  Why isnt .ssh getting created on its own with known_hosts? .ssh got created automatically for my username.
0
 
woolmilkporcCommented:
OK,

you didn'tell me that you use strict hostkey checking. This means that a host key cannot be added "on the fly" to your known_hosts file.
If you must stay with strict checking, you'll have to contact the administrator(s) of any remote host you want to access, and ask them to pass you their hostkey, which you then must add manually to your known_hosts file.

Assuming they sent you a file containing the key named 'host1.key' do the following

- login as the concerned user
- 'cd .ssh'
- 'cat /path/to/host1.key >> known_hosts'
- 'chmod 644 known_hosts'

.ssh got created automatically for you when you ran ssh-keygen.
known_hosts only gets created automatically without strict hostkey checking.




0
 
woolmilkporcCommented:
Maybe the man page of ssh_config explains it better:

StrictHostKeyChecking
 If this flag is set to ''yes'', ssh will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, however, can be annoying when the /etc/ssh/ssh_known_hosts file is poorly maintained, or connections to new hosts are frequently made. This option forces the user to manually add all new hosts. If this flag is set to ''no'', ssh will automatically add new host keys to the user known hosts files. If this flag is set to ''ask'', new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases. The argument must be ''yes'', ''no'' or ''ask''. The default is ''ask''.

0
 
AIX25Author Commented:
I have root access to the remote server.  The concerned user did not have a .ssh directory.  I manually created a .ssh directory and created a known_hosts file.  Where do I get the hostkey from the remote server?
0
 
woolmilkporcCommented:
The host key consists of a public/private key pair, just as the users' keys do. The deafult location for the private keys is /etc/ssh.
Their names are ssh_host_key for protocol version 1, and ssh_host_rsa_key and ssh_host_dsa_key for protocol version 2. The public keys have the same names with a suffix '.pub' and are usually left in the same location, but that's not mandatory.
You need one (or all) of the .pub keys, according to protocol version and encryption method.
Transfer the key(s) to your local machine and add them to authorized_keys, as I wrote above.
When using ftp, keep in mind to use 'binary' transfer.

0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 6
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now