dropbearkey question...
Ed Sutter
ed.sutter at alcatel-lucent.com
Wed Apr 17 04:14:19 WST 2013
Ok, more information...
I see that if I use an ssh client that connects to an ssh server, I do get the expected fingerprints. I also see that if I use the dbclient with the db server I get the expected fingerprint. The problem occurs when I try to use the ssh client to connect to the db server.

Any thoughts?
> I'm confused, so I'd like to re-phrase my question (below) a bit...
> Assume I start up a dropbear server on a machine (ignore my embedded case).
> I do that with the following commands...
>
> dropbearkey -t dss -f dropbear_dss_host_key
> dropbearkey -t rsa -f dropbear_rsa_host_key
> dropbear -F -r dropbear_rsa_host_key -d dropbear_dss_host_key
>
> Now I attempt to connect to this server using ssh and I get the message:
>
> The authenticity of host '135.222.138.20 (135.222.138.20)' can't be established.
> RSA key fingerprint is c5:36:7f:8c:c8:d6:d6:0c:53:45:61:76:f6:d0:91:4e.
> Are you sure you want to continue connecting (yes/no)?
>
> Assume I want to be anal and want to verify that I'm *really* connecting to my server.
> If I have access to the console of the machine running the server, then how do I verify that the fingerprint given to me by the client is in fact from the server that I assume I am connected to?
>
> I *thought* I could use "dropbearkey -y dropbear_rsa_host_key" on the server, and it would give me that same fingerprint as is presented at the client in the warning message, but that gives me a different fingerprint.
> What am I doing wrong here or why am I confused?
>
> Ed
>
>> Hi,
>> I now have the dropbearkey code integrated into my embedded stuff.
>> I assume the idea is to call this function each time the server starts up.
>>
>> Then each time the server starts, future client connections will reject the server connection until $HOME/.ssh/known_hosts is purged of that server's key information.
>>
>> Correct so far?
>> Assuming yes...
>>
>> Then, the user of the client has to accept the new credentials based on the RSA key fingerprint from the server. So, shouldn't the message that comes out of the client reflect the same fingerprint as that which was printed when the key was created on the server?
>>
>> (mine doesn't)
>> Ed
>>
>
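The verification the thread asks about (does the fingerprint the client displays match the host key on the server console?) comes down to recomputing the fingerprint from the server's public key and comparing. The following is an added example, not code from this thread or from Dropbear: it assumes the server's public key is available as a one-line OpenSSH-style `ssh-rsa AAAA...` entry (or a `known_hosts` line), and it uses a tiny constructed demo key rather than a real one, since only the encoding and hashing matter here.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    # Positive mpint: big-endian, with a leading 0x00 when the high bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_blob(key_type: bytes, *mpints: int) -> bytes:
    """Serialise an SSH public key blob (RFC 4253 wire format)."""
    return _ssh_string(key_type) + b"".join(_ssh_mpint(m) for m in mpints)

def parse_pubkey_line(line: str):
    """Parse 'ssh-rsa AAAA... comment' or a known_hosts line 'host ssh-rsa AAAA...'."""
    fields = line.split()
    i = 0 if fields[0].startswith(("ssh-", "ecdsa-")) else 1  # skip the host field
    key_type, blob = fields[i], base64.b64decode(fields[i + 1])
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length].decode() != key_type:  # the blob starts with its own type
        raise ValueError("key type field does not match blob")
    return key_type, blob

def fingerprint_md5(blob: bytes) -> str:
    """Legacy fingerprint (the colon-hex form the client in this thread shows)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(blob: bytes) -> str:
    """Newer OpenSSH fingerprint: unpadded base64 of SHA-256 over the same blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_matches(reported: str, blob: bytes) -> bool:
    """Check the fingerprint a client displayed against the server's key blob."""
    r = reported.strip()
    if r.startswith("SHA256:"):
        return r == fingerprint_sha256(blob)
    if r.startswith("MD5:"):
        r = r[4:]
    return r.lower() == fingerprint_md5(blob)

# Constructed demo key (tiny, NOT a real RSA key); only the encoding matters here.
DEMO_BLOB = build_blob(b"ssh-rsa", 65537, 0xC0FFEE1234567890ABCDEF)
DEMO_LINE = "ssh-rsa " + base64.b64encode(DEMO_BLOB).decode() + " demo@server"

if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(DEMO_LINE)
    print(key_type, fingerprint_md5(blob), fingerprint_sha256(blob))
```

Compare against the server key of the type the client names in its prompt (here "RSA key fingerprint", so the RSA host key, not the DSS one), and note that the fingerprint is taken over the public key blob alone, so the file format the private key is stored in does not affect it.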