This morning I can no longer establish an SSH connection to a server I last worked on a while ago. Let's say this host is called web.mysecretserver.it as its FQDN.
Today, too, I get my chance to feel stupid.
First attempt
On the first attempt the protocol tells me it found none of the key exchange methods supported by the server among those available to the client:
$ ssh web.mysecretserver.it
Unable to negotiate with 184.17.4.115 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Second attempt
So I specified one of the algorithms supported by the server:
$ ssh -oKexAlgorithms=diffie-hellman-group-exchange-sha1 web.mysecretserver.it
Unable to negotiate with 184.17.4.115 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
but this time the host key types supported by the server differ from the ones I have available (no surprise: my SSH client is far more up to date than the old mysecretserver).
Third attempt
So I specify a host key type supported by the server:
$ ssh -oKexAlgorithms=diffie-hellman-group-exchange-sha1 -c ssh-dss -oHostKeyAlgorithms=+ssh-dss web.mysecretserver.it
Unknown cipher type 'ssh-dss'
There is no need to specify the cipher (ssh-dss): the -oHostKeyAlgorithms option is enough.
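Added example, not code from the original post: a small POSIX shell helper that reads the "Their offer:" lists from the two failed negotiations above and builds the narrowest -o options that still reach the legacy server, so the client enables one weak algorithm rather than a whole family. The preference orders in it are my assumption; with them it picks ssh-rsa over the ssh-dss used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: turn the "Their offer:" lists that ssh prints
# when negotiation fails into the narrowest -o options that still reach the legacy server.
# Preference orders are an assumption: SHA-2 variants first, then the SHA-1 ones the server
# above offers, with 1024-bit DH group1 and fixed 1024-bit DSA host keys as a last resort.

KEX_PREF="diffie-hellman-group14-sha256 diffie-hellman-group-exchange-sha256 \
diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 diffie-hellman-group1-sha1"
# ssh-rsa (RSA with SHA-1 signatures) is disabled by default in OpenSSH 8.8+, so it must be
# re-enabled with "+" just like ssh-dss; it is still preferable to a fixed 1024-bit DSA key.
HOSTKEY_PREF="rsa-sha2-512 rsa-sha2-256 ssh-rsa ssh-dss"

# offer_from_error LINE: extract the comma-separated list after "Their offer: ".
offer_from_error() {
    case $1 in
        *"Their offer: "*) printf '%s\n' "${1##*Their offer: }" ;;
        *) return 1 ;;
    esac
}

# pick_best PREF OFFER: print the first name in PREF (space-separated) that appears in OFFER
# (comma-separated); fail if none matches, so the caller never enables something blindly.
pick_best() {
    pref=$1; offer=$2
    for cand in $pref; do
        case ",$offer," in
            *",$cand,"*) printf '%s\n' "$cand"; return 0 ;;
        esac
    done
    return 1
}

# legacy_ssh_opts KEX_OFFER HOSTKEY_OFFER: print the two -o arguments for the ssh command line.
# Kex is set (not appended) so only the chosen method is used with this host; the host key
# type is appended with "+" so the client's default types stay ahead of it.
legacy_ssh_opts() {
    kex=$(pick_best "$KEX_PREF" "$1") || return 1
    hk=$(pick_best "$HOSTKEY_PREF" "$2") || return 1
    printf '%s %s\n' "-oKexAlgorithms=$kex" "-oHostKeyAlgorithms=+$hk"
}

# Demo on the two error lines from the failed attempts above (copied from the post's output).
KEX_ERR="Unable to negotiate with 184.17.4.115 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
HK_ERR="Unable to negotiate with 184.17.4.115 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss"
legacy_ssh_opts "$(offer_from_error "$KEX_ERR")" "$(offer_from_error "$HK_ERR")"
```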
Fourth attempt
$ ssh -oKexAlgorithms=diffie-hellman-group-exchange-sha1 -oHostKeyAlgorithms=+ssh-dss web.mysecretserver.it
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
SHA256:iDMXs5dTRKtmP9VpVRtuPpJ1/bMja3ZSLnwuuEz5jAo.
Please contact your system administrator.
Add correct host key in /home/marcob/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/marcob/.ssh/known_hosts:23
  remove with:
  ssh-keygen -f "/home/marcob/.ssh/known_hosts" -R "web.mysecretserver.it"
Host key for web.mysecretserver.it has changed and you have requested strict checking.
Host key verification failed.
There we go! This time the connection is possible, except that the host key has changed compared to the one in my keyring. Note what the warning actually reports: the offending entry at line 23 is an RSA key, while the key the server just sent (forced with +ssh-dss) is a DSA key, so the client cannot match the new key type against anything it has stored. Before deleting the entry it is worth comparing the fingerprint with one obtained through a trusted channel, since a real man-in-the-middle would produce exactly the same warning. So
Removing the host
I update the .ssh/known_hosts file by removing the key of the host in question (the program automatically makes a backup copy).
$ ssh-keygen -f "/home/marcob/.ssh/known_hosts" -R "web.mysecretserver.it"
# Host web.mysecretserver.it found: line 23
/home/marcob/.ssh/known_hosts updated.
Original contents retained as /home/marcob/.ssh/known_hosts.old
Finding the solution
After removing the old host, the SSH server presents its fingerprint and asks whether I am willing to trust it:
$ ssh -oKexAlgorithms=diffie-hellman-group-exchange-sha1 -oHostKeyAlgorithms=+ssh-dss web.mysecretserver.it
The authenticity of host 'web.mysecretserver.it (184.17.4.115)' can't be established.
DSA key fingerprint is SHA256:iDMXs5dTRKtmP9VpVRtuPpJ1/bMja3ZSLnwuuEz5jAo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'web.mysecretserver.it' (DSA) to the list of known hosts.
* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE ONLY.
UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE PUNISHABLE UNDER
THE COMPUTER FRAUD AND ABUSE ACT OF 1986 OR OTHER APPLICABLE LAWS.
IF NOT AUTHORIZED TO ACCESS THIS SYSTEM, DISCONNECT NOW.
BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES AND DATA CONTENT BEING MONITORED.
ALL PERSONS ARE HEREBY NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES
CONSENT TO MONITORING AND AUDITING.
* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
(webportal@web.mysecretserver.it) Password:
Last login: Wed Nov 16 10:13:25 2022 from az931356.mysecretserver.it
-bash-3.2$
Eureka!
One last treat: put all these options in a configuration file to shorten the command:
$ nano .ssh/config

Host websecret
    Hostname web.mysecretserver.it
    User webuser
    HostKeyAlgorithms=+ssh-dss
    KexAlgorithms=diffie-hellman-group-exchange-sha1
$
So I can connect without having to remember the whole long string, simply with:
$ ssh websecret
* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE ONLY.
UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE PUNISHABLE UNDER
THE COMPUTER FRAUD AND ABUSE ACT OF 1986 OR OTHER APPLICABLE LAWS.
IF NOT AUTHORIZED TO ACCESS THIS SYSTEM, DISCONNECT NOW.
BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES AND DATA CONTENT BEING MONITORED.
ALL PERSONS ARE HEREBY NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES
CONSENT TO MONITORING AND AUDITING.
* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
(webuser@web.mysecretserver.it) Password:
Last login: Wed Nov 16 15:35:22 2022 from 10.196.82.233
-bash-3.2$
Voilà.