神刀安全网

Non-Unique SSH Host Keys Ed25519 on Hetzner

Non-Unique SSH Host Keys Ed25519 on Hetzner Languages:

Deutsch Non-Unique SSH Host Keys Ed25519 on Hetzner English Русский

Inhaltsverzeichnis

  • 1 Security Notice for Ed25519 SSH host keys
  • 2 Affected images
  • 3 Exchange / generation of Ed25519 SSH host keys
  • 4 Further Information

Security Notice for Ed25519 SSH host keys

An SSH server uses host keys to uniquely identify itself to connecting clients. These keys are normally automatically regenerated each time a new installation is done via theRobot or theinstallimage.

Due to an error in the installation software introduced on April 10th, 2015, the Ed25519 SSH host keys (/etc/ssh/ssh_host_ed25519_key) on our standard images were no longer automatically regenerated.

This resulted in identical Ed25519 SSH host keys for each affected OS image.

An attacker may use this to compromise or eavesdrop on the communication between the client and the server using a man-in-the-middle attack.

However, due to the security of our network setup, such an attack within our network is highly unlikely as each server can only directly communicate with the corresponding router.

Nevertheless we would like to urge you to replace the Ed25519 SSH host key of your server as soon as possible. The other host keys (RSA, DSA, ECDSA) are not affected and are unique.

Affected images

  • CentOS-71-64-minimal
  • CentOS-72-64-minimal
  • Debian-80-jessie-64-LAMP
  • Debian-80-jessie-64-minimal
  • Debian-81-jessie-64-LAMP
  • Debian-81-jessie-64-minimal
  • Debian-82-jessie-64-LAMP
  • Debian-82-jessie-64-minimal
  • Ubuntu-1404-trusty-64-minimal
  • Ubuntu-1410-utopic-64-minimal
  • Ubuntu-1504-vivid-64-minimal
  • Ubuntu-1510-wily-64-minimal
  • openSUSE-132-64-minimal
  • openSUSE-421-64-minimal

Exchange / generation of Ed25519 SSH host keys

To replace the affected key, simply use "ssh-keygen" to create a new key and overwrite the existing one.

# ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''  Generating public/private ed25519 key pair.  /etc/ssh/ssh_host_ed25519_key already exists.  Overwrite (y/n)? y  Your identification has been saved in /etc/ssh/ssh_host_ed25519_key.  Your public key has been saved in /etc/ssh/ssh_host_ed25519_key.pub.  The key fingerprint is:  d5:1d:28:01:f7:c5:0f:fb:7b:43:07:08:1f:93:1c:c6 root@host  The key's randomart image is:  +--[ED25519 256]--+  |        ..o+o=o  |  |         .o+Eoo. |  |          .+o+.+ |  |         .  o o .|  |        S      o |  |               .o|  |              . o|  |               o.|  |                o|  +-----------------+

In unaffected images or operating systems which have SSH that still does not support Ed25519 keys, an error message is displayed:

# ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" unknown key type ed25519

Afterwards, the SSH daemon must be restarted, or the server rebooted to apply the new key. Please note that now when re-connecting to the server, a warning may appear.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ED25519 key sent by the remote host is MD5: d5:1d:28:01:f7:c5:0f:fb:7b:43:07:08:1f:93:1c:c6 Please contact your system administrator. Add correct host key in /home/user/.ssh/known_hosts to get rid of this message. Offending ED25519 key in /home/user/.ssh/known_hosts:1 Password authentication is disabled to avoid man-in-the-middle attacks. Keyboard-interactive authentication is disabled to avoid man-in-the-middle  attacks. Permission denied (publickey,password).

If the fingerprint displayed conforms to the previously generated new key, the relevant line can be deleted from the „known_hosts“ file.

Further Information

More general information on SSH can be found under:

原文  http://wiki.hetzner.de/index.php/Ed25519/en

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » Non-Unique SSH Host Keys Ed25519 on Hetzner

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
分享按钮