Updating SSH Key Fingerprints

The first time you connect to a remote server using SSH, the local computer asks if it can add the remote server’s “fingerprint” (a security key) to a list of known remote computers. You might see a message like this:

The authenticity of host "server1.company.com" can’t be established.

RSA key fingerprint is a8:0d:27:63:74:f1:ad:bd:6a:e4:0d:a3:47:a8:f7.

Are you sure you want to continue connecting (yes/no)?

Type yes and press Return to finish authenticating.

If you later see a warning message about a “man-in-the-middle” attack when you try to connect, it might be because the key on the remote computer no longer matches the key stored on the local computer. This can happen if you:

Change your SSH configuration

Perform a clean install of the server software

Start up from a Mac OS X Server CD

To connect again, delete the entries corresponding to the remote computer (which can be stored by both name and IP address) in the file ~/.ssh/known_hosts.

Important: Removing an entry from the known_hosts file bypasses a security mechanism that helps you avoid imposters and “man-in -the-middle” attacks. Be sure you understand why the key on the remote computer has changed before you delete its entry from the known_hosts file.

Notes on Communication Security and servermgrd

When you use the Server Admin GUI application or the serveradmin command-line tool, you’re communicating with a local or remote servermgrd process.

servermgrd uses SSL for encryption and client authentication but not for user authentication, which uses HTTP basic authentication along with Directory Services.

servermgrd uses a self-signed (test) SSL certificate installed by default in /etc/servermgrd/ssl.crt/. You can replace this with an actual certificate.

The default certificate format for SSLeay/OpenSSL is PEM, which actually is Base64 encoded DER with header and footer lines (from www.modssl.org).

servermgrd checks the validity of the SSL certificate only if the “Require valid digital signature” option is checked in Server Admin preferences. If this option is enabled, the certificate must be valid and not expired or Server Admin will refuse to connect.

The SSLOptions and SSLRequire settings determine what SSL encryption options are used. By default, they’re set as shown below but can be changed at any time by editing /etc/servermgrd/servermgrd.conf, port 311.

SSLCertificateFile /private/etc/servermgrd/ssl.crt/server.crt

SSLCertificateKeyFile /private/etc/servermgrd/ssl.key/server.key

SSLCipherSuite

ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLOptions +StdEnvVars

Chapter 1 Typing Commands

17

Page 17
Image 17
Apple oxs manual Updating SSH Key Fingerprints