Understanding SSH Host Keys

  • Added 25. 03. 2023
  • Describing what SSH host keys are, what they are used for, and what actually happened when GitHub rotated their RSA SSH host key.
    GitHub: github.com/sudomateo
    LinkedIn: / sudomateo
    Twitter: / sudomateo
  • Science and technology

Comments • 24

  • @chemseddsen 11 months ago +1

    Very interesting explanation 🙏 thanks.
    I confirm: "Part of being a great Engineer, is knowing your tools and how to use them."

    • @sudomateo 10 months ago

      If you like that you might like some of the videos I collaborated on with my friend: czcams.com/video/I7xqY-YxtbY/video.html

  • @sureshmg6786 8 months ago +2

    That is very well explained, I learned a lot more from this video than I expected 🔥 Keep going 👏🏼

  • @kmille1398 3 months ago

    Great video. Well done. Are SSH Host keys only produced by the administrator of the server you are connecting to? I heard you say you generated your own public and private key pair. That public key you mentioned you created as part of that pair is different than the SSH Host key you are talking about in the video, correct? Is the public/private key pair you created to encrypt and decrypt PGP files only and not for host authentication (for example, logging into a server as you do in the video)?

    • @sudomateo 3 months ago

      Correct! SSH host keys are generated by the system administrator where the SSH service is running. Usually the SSH host keys are generated automatically when the SSH service starts up if they are not already present.
      The SSH key pair (public/private) that you create for yourself is used to authenticate to a server that's speaking SSH. You upload the public key to the server via a trusted means and then when you want to connect to that server via SSH you just use your private key to encrypt some data and perform a key exchange that only your corresponding public key can decrypt successfully. However, when you first connect to a server over SSH, your local SSH client will ask you to verify the SSH host keys provided by the SSH service. That way when you connect in the future you can be sure you're connecting to the same SSH service as before and it wasn't tampered with.

  • @aabishkarwagle8708 11 months ago

    you are such a good explainer 😮 subscribed

    • @sudomateo 10 months ago +1

      Thank you! I get that often which is why I like to create videos.

  • @itspk9076 2 months ago

    You got a new subscriber😊

    • @sudomateo 2 months ago

      Heck yeah! Thank you kindly!

  • @ruffneck718 5 months ago

    Great video Sir

  • @user-rv2vn8vs7v 7 months ago

    Beautiful !

  • @jimmyr3735 1 year ago

    Keep it up brother 😀

  • @bat_man1138 6 months ago

    Nice vid brah

  • @xpnt_ 9 months ago

    thanks for the explanation!😁

  • @alsonyang230 11 months ago

    Big thumbs up, I can move now (unfreezed)

  • @cyberwithdani 9 months ago

    When you changed the host keys, you didn't change your private key on your laptop. So how did your previous private key work with the new host keys?

    • @sudomateo 9 months ago

      You don't need to change your private key in this case. The host still had my public key, but the host key changed. I removed the old host key from my ~/.ssh/known_hosts, reconnected, and trusted the new host key. Then the connection proceeded and I was able to use my existing private key since the host already had my public key.

  • @user-pz8cm8wk4t 6 months ago

    What's the purpose of this process? Couldn't everyone get the public key and send it to you? How could the host key or the fingerprint verify the server?

    • @sudomateo 5 months ago

      When you connect to an instance with SSH you receive the host key and are asked to trust it before connecting. Once you trust it then future connections still receive the host key from the instance and see if you have already trusted the host key for that particular instance. If you did then the connection will proceed. If you didn't trust that host key or if the host key that was presented by the instance changed then the connection would not be trusted and won't proceed. So it's a way to prevent man-in-the-middle attacks and connecting to a compromised instance.

  • @ndefrutitus4201 10 months ago

    Great stuff, I have the same error but this solution does not work bc I can't even access the /etc/.ssh path. I am using an Amazon EC2 instance with a public IP, I can successfully ssh into it, when I want to ssh to another server from this server using its private IP, it gives me the error below:
    [root@ip-10-0-0-237 ec2-user]# ssh ec2-user@10.0.2.241
    The authenticity of host '10.0.2.241 (10.0.2.241)' can't be established.
    ECDSA key fingerprint is SHA256:H6vZk6QBx/tDE9Qwc4PgUZL4hfyQE+EtIf1SZzxKxgg.
    ECDSA key fingerprint is MD5:e1:e1:71:b2:c7:6d:08:ed:a8:bb:15:21:c3:75:7e:e4.
    Are you sure you want to continue connecting (yes/no)?
    Host key verification failed.
    [root@ip-10-0-0-237 ec2-user]#
    Can you advise how to resolve this?

    • @sudomateo 10 months ago

      You don't need access to /etc/.ssh. You only need access to ~/.ssh which is the .ssh directory in your user's home directory. In your case you can also check the ~/.ssh/known_hosts file to remove the host key for 10.0.2.241 and try the SSH again.
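
The trust decision and the fingerprint prompt discussed in the replies above, as an added Python example that is not part of the video or of any comment. It is a simplified model of the client's known_hosts check; the key bytes and the host 10.0.2.99 are constructed sample data, and only plain (unhashed) known_hosts entries are parsed.

```python
import base64
import hashlib
import struct

def make_blob(key_bytes):
    """Build a base64 ssh-ed25519 public-key blob (constructed, not a real host)."""
    name = b"ssh-ed25519"
    raw = struct.pack(">I", len(name)) + name
    raw += struct.pack(">I", len(key_bytes)) + key_bytes
    return base64.b64encode(raw).decode()

def fingerprints(blob_b64):
    """Return the (SHA256, MD5) fingerprints in the format the ssh prompt shows."""
    raw = base64.b64decode(blob_b64)
    sha = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    md5 = hashlib.md5(raw).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    return "SHA256:" + sha, "MD5:" + md5

def parse_known_hosts(text):
    """Map (host, keytype) -> blob for plain entries; hashed/marker lines are skipped."""
    known = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#|@":
            continue
        for host in fields[0].split(","):
            known[(host, fields[1])] = fields[2]
    return known

def check_host(known, host, keytype, offered_blob):
    """Simplified trust decision: 'unknown', 'match' or 'changed'."""
    stored = known.get((host, keytype))
    if stored is None:
        return "unknown"  # the client prompts with the fingerprint
    return "match" if stored == offered_blob else "changed"

# Constructed sample data: two made-up 32-byte keys for host 10.0.2.241.
OLD_KEY = make_blob(bytes(range(32)))
NEW_KEY = make_blob(bytes(range(32, 64)))
KNOWN_HOSTS = "# constructed sample\n10.0.2.241 ssh-ed25519 " + OLD_KEY + "\n"

if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    for label, blob in (("stored key", OLD_KEY), ("rotated key", NEW_KEY)):
        result = check_host(known, "10.0.2.241", "ssh-ed25519", blob)
        print(label, result, *fingerprints(blob))
    print("new host", check_host(known, "10.0.2.99", "ssh-ed25519", NEW_KEY))
```

An "unknown" result is the point at which the printed fingerprint should be compared with one obtained from the server through a trusted channel before answering yes.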