dropbearkey question...
Ed Sutter
ed.sutter at alcatel-lucent.com
Wed Apr 17 04:31:07 WST 2013
Found the problem...
In my energetic effort to reduce the size of the server,
I had #undef DROPBEAR_MD5_HMAC
in my options.h file.
With that defined, the fingerprints now match.
All better now.
Sorry for the noise!
Ed
> Ok, more information...
> I see that if I use an ssh client that connects to an ssh server, I do
> get the expected
> fingerprints. I also see that if I use the dbclient with the db
> server I get the
> expected fingerprint. The problem occurs when I try to use the ssh
> client to connect
> to the db server.
> Any thoughts?
>
>> I'm confused, so I'd like to re-phrase my question (below) a bit...
>> Assume I start up a dropbear server on a machine (ignore my embedded
>> case).
>> I do that with the following commands...
>>
>> dropbearkey -t dss -f dropbear_dss_host_key
>> dropbearkey -t rsa -f dropbear_rsa_host_key
>> dropbear -F -r dropbear_rsa_host_key -d dropbear_dss_host_key
>>
>> Now I attempt to connect to this server using ssh and I get the message:
>>
>> The authenticity of host '135.222.138.20 (135.222.138.20)' can't be
>> established.
>> RSA key fingerprint is
>> c5:36:7f:8c:c8:d6:d6:0c:53:45:61:76:f6:d0:91:4e.
>> Are you sure you want to continue connecting (yes/no)?
>>
>> Assume I want to be anal and want to verify that I'm *really*
>> connecting to my server.
>> If I have access to the console of the machine running the server,
>> then how do I verify
>> that the fingerprint given to me by the client is in fact from the
>> server that I assume I
>> am connected to?
>>
>> I *thought* I could use "dropbearkey -y dropbear_rsa_host_key" on the
>> server,
>> and it would give me that same fingerprint as is presented at the
>> client in the
>> warning message, but that gives me a different fingerprint.
>> What am I doing wrong here or why am I confused?
>>
>> Ed
>>
>>
>>> Hi,
>>> I now have the dropbearkey code integrated into my embedded stuff.
>>> I assume the idea is to call this function each time the server
>>> starts up.
>>>
>>> Then each time the server starts, future client connections will
>>> reject the
>>> server connection until $HOME/.ssh/known_hosts is purged of that
>>> server's
>>> key information.
>>>
>>> Correct so far?
>>> Assuming yes...
>>>
>>> Then, the user of the client has to accept the new credentials based on
>>> the RSA key fingerprint from the server. So, shouldn't the message
>>> that
>>> comes out of the client reflect the same fingerprint as that which was
>>> printed when the key was created on the server?
>>>
>>> (mine doesn't)
>>> Ed
>>>
>>
>
More information about the Dropbear
mailing list