[X2Go-Dev] Bug#241: Bug#241: Changed host key cannot be updated

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Fri Jun 21 10:20:49 CEST 2013


Hi Heinrich,

On So 16 Jun 2013 14:36:32 CEST Heinrich Schuchardt wrote:

> Dear maintainer,
>
> from time to time the SSH key used for identification by an X2Go
> server may change.
>
> When trying to connect to the server, a pop-up is shown:
>
> "Anmeldung fehlgeschlagen"
> "Host-Key des Servers hat sich geändert Er lautet jetzt:
> 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
> Aus Sicherheitsgründen wird die Verbindung abgebrochen"
>
> The user is left puzzled with what he should do next.
>
> There is no indication in which file there is a problem, e.g.
> ~/.ssh/known_hosts
> or
> %APPDATA%\ssh\known_hosts
>
> There is no indication which entry in this file is corrupted.
>
> Deleting file known_hosts is a bad idea because it may contain the  
> keys for dozens of validated servers.
>
> There are examples of more informative output, e.g. from command  
> line program ssh:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00.
> Please contact your system administrator.
> Add correct host key in /home/user/.ssh/known_hosts to get rid of  
> this message.
> Offending RSA key in /home/user/.ssh/known_hosts:1
> RSA host key for 10.0.0.5 has changed and you have requested strict checking.
> Host key verification failed.
>
> Here I can identify the filename: /home/user/.ssh/known_hosts
> and the line of the entry: 1
>
> Manual editing of known_hosts is now possible but not too good an
> idea because it is error-prone.
>
> A good solution is what you see in PuTTY. A warning pop up is shown  
> and you get the choice to update file known_hosts.
>
> Best regards

The above surely is a good point to discuss first before implementing.

Obviously, such a replace-host-key button would improve usability in  
case host key changes occur.

However, if someone captured DNS and replaced my X2Go server by an
aggressive X2Go server, I (as developer) surely want to protect the
user from simply clicking "Yeah, ok man... replace that host key...
and can we go on then please...".

The SSH-inexperienced user (i.e. probably nearly everyone in the
Windows world) will then just simply click "replace host key".

So, for me this kind of replace-host-key dialog should at least have a  
double confirmation check dialog: Are you sure to replace... -> Are  
you really sure???. That kind of thing.

Heinrich: if you could come up with a patch for this issue, it would  
surely speed up an inclusion of your requested feature.

@all: comments, opinions on such a new feature?

Mike



-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
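
The following is an added example, not part of the original message and not X2Go code: it replaces only the offending known_hosts entries for one host (plain or hashed form), and only if the presented key matches a fingerprint verified out of band, which addresses both the "do not delete the whole file" and the "do not accept blindly" concerns raised above. All function names and the sample file are constructed for illustration.

```python
import base64
import hashlib
import hmac

def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint of a key blob, the format the dialog shows."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def entry_matches(host_field, host):
    """True if a known_hosts host field names host (wildcard patterns not handled)."""
    if host_field.startswith("|1|"):  # hashed entry: |1|salt|HMAC-SHA1(salt, host)
        _, _, salt_b64, mac_b64 = host_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64))
    return host in host_field.split(",")

def replace_host_key(known_hosts, host, key_type, key_b64, trusted_fp):
    """Return (new_text, offending_line_numbers); raise if the key is unverified."""
    if not hmac.compare_digest(md5_fingerprint(key_b64), trusted_fp.lower()):
        raise ValueError("presented key does not match the verified fingerprint")
    kept, offending = [], []
    for number, line in enumerate(known_hosts.splitlines(), start=1):
        fields = line.split()
        is_entry = len(fields) >= 3 and not line.startswith(("#", "@"))
        if is_entry and fields[1] == key_type and entry_matches(fields[0], host):
            offending.append(number)  # stale key for this host: drop it
        else:
            kept.append(line)  # every other validated server stays untouched
    kept.append(f"{host} {key_type} {key_b64}")
    return "\n".join(kept) + "\n", offending

def blob(label):
    """Constructed placeholder key blob (not a real SSH key)."""
    return base64.b64encode(label).decode()

# Constructed sample file: 10.0.0.5 appears once in plain and once in hashed form.
SALT = b"constructed-salt"
HASHED = "|1|%s|%s" % (blob(SALT), blob(hmac.new(SALT, b"10.0.0.5", hashlib.sha1).digest()))
SAMPLE = (f"10.0.0.5 ssh-rsa {blob(b'old key')}\n"
          f"build.example.org ssh-rsa {blob(b'other key')}\n"
          f"{HASHED} ssh-rsa {blob(b'old key')}\n")

if __name__ == "__main__":
    new = blob(b"new key")
    verified = md5_fingerprint(new)  # stand-in for the fingerprint the admin supplied
    text, lines = replace_host_key(SAMPLE, "10.0.0.5", "ssh-rsa", new, verified)
    print("replaced lines:", lines)
    print(text, end="")
```

A client dialog built on this would ask the user to enter or confirm the fingerprint received from the administrator rather than offering a bare "replace" button.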