dropbearkey question...

Ed Sutter ed.sutter at alcatel-lucent.com
Wed Apr 17 04:31:07 WST 2013


Found the problem...
In my energetic effort to reduce the size of the server,
I had #undef DROPBEAR_MD5_HMAC
in my options.h file.
With that defined, the fingerprints now match.
All better now.
Sorry for the noise!
Ed
> Ok, more information...
> I see that if I use an ssh client that connects to an ssh server, I do 
> get the expected
> fingerprints.  I also see that if I use the dbclient with the db 
> server I get the
> expected fingerprint.  The problem occurs when I try to use the ssh 
> client to connect
> to the db server.
> Any thoughts?
>
>> I'm confused, so I'd like to re-phrase my question (below) a bit...
>> Assume I start up a dropbear server on a machine (ignore my embedded 
>> case).
>> I do that with the following commands...
>>
>>    dropbearkey -t dss -f dropbear_dss_host_key
>>    dropbearkey -t rsa -f dropbear_rsa_host_key
>>    dropbear -F -r dropbear_rsa_host_key -d dropbear_dss_host_key
>>
>> Now I attempt to connect to this server using ssh and I get the message:
>>
>>    The authenticity of host '135.222.138.20 (135.222.138.20)' can't be
>>    established.
>>    RSA key fingerprint is 
>> c5:36:7f:8c:c8:d6:d6:0c:53:45:61:76:f6:d0:91:4e.
>>    Are you sure you want to continue connecting (yes/no)?
>>
>> Assume I want to be anal and want to verify that I'm *really* 
>> connecting to my server.
>> If I have access to the console of the machine running the server, 
>> then how do I verify
>> that the fingerprint given to me by the client is in fact from the 
>> server that I assume I
>> am connected to?
>>
>> I *thought* I could use "dropbearkey -y dropbear_rsa_host_key" on the 
>> server,
>> and it would give me that same fingerprint as is presented at the 
>> client in the
>> warning message, but that gives me a different fingerprint.
>> What am I doing wrong here or why am I confused?
>>
>> Ed
>>
>>
>>> Hi,
>>> I now have the dropbearkey code integrated into my embedded stuff.
>>> I assume the idea is to call this function each time the server 
>>> starts up.
>>>
>>> Then each time the server starts, future client connections will 
>>> reject the
>>> server connection until $HOME/.ssh/known_hosts is purged of that 
>>> server's
>>> key information.
>>>
>>> Correct so far?
>>> Assuming yes...
>>>
>>> Then, the user of the client has to accept the new credentials based on
>>> the RSA key fingerprint from the server.  So, shouldn't the message 
>>> that
>>> comes out of the client reflect the same fingerprint as that which was
>>> printed when the key was created on the server?
>>>
>>> (mine doesn't)
>>> Ed
>>>
>>
>



More information about the Dropbear mailing list