Chapter 1 Typing Commands 17
Updating SSH Key Fingerprints
The first time you connect to a remote server using SSH, the local computer asks if it
can add the remote server’s “fingerprint” (a security key) to a list of known remote
computers. You might see a message like this:
The authenticity of host "server1.company.com" can’t be established.
RSA key fingerprint is a8:0d:27:63:74:f1:ad:bd:6a:e4:0d:a3:47:a8:f7.
Are you sure you want to continue connecting (yes/no)?
Type yes and press Return to finish authenticating.
If you later see a warning message about a “man-in-the-middle” attack when you try to
connect, it might be because the key on the remote computer no longer matches the
key stored on the local computer. This can happen if you:
• Change your SSH configuration
• Perform a clean install of the server software
• Start up from a Mac OS X Server CD
To connect again, delete the entries corresponding to the remote computer (which can
be stored by both name and IP address) in the file ~/.ssh/known_hosts.
Important: Removing an entry from the known_hosts file bypasses a security
mechanism that helps you avoid imposters and “man-in-the-middle” attacks. Be sure
you understand why the key on the remote computer has changed before you delete
its entry from the known_hosts file.
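The following Python example is an addition to this page, not part of the original guide. It lists the known_hosts lines that name a host (by name or IP address, including hashed entries) and shows each stored key's fingerprint, so the old key can be compared with what the server's administrator reports before any line is removed. It assumes the OpenSSH protocol 2 line format (host field, key type, Base64 key); the function names, the sample file contents, the IP addresses, and other.example.com are constructed for illustration.

```python
import base64, hashlib, hmac

def host_matches(field, host):
    """True if a known_hosts host field names `host` (plain or hashed form)."""
    for pattern in field.split(","):
        if pattern.startswith("|1|"):  # hashed entry: |1|salt|HMAC-SHA1(salt, host)
            _, _, salt_b64, mac_b64 = pattern.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
            if hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64)):
                return True
        elif pattern == host:  # wildcard and negated patterns are not handled
            return True
    return False

def fingerprints(key_b64):
    """Colon-separated MD5 form (the style in the prompt above) and SHA256 form."""
    blob = base64.b64decode(key_b64)
    md5 = hashlib.md5(blob).hexdigest()
    legacy = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return legacy, "SHA256:" + sha

def find_entries(text, names):
    """Return (line_no, key_type, md5_fp, sha256_fp) for lines naming any of `names`."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":  # comments, markers: skipped
            continue
        if any(host_matches(fields[0], n) for n in names):
            hits.append((no, fields[1]) + fingerprints(fields[2]))
    return hits

def remove_lines(text, line_numbers):
    """Return the file content without the given 1-based line numbers."""
    drop = set(line_numbers)
    lines = text.splitlines(keepends=True)
    return "".join(l for no, l in enumerate(lines, 1) if no not in drop)

def _hashed(host, salt=b"constructed-salt-20b"):  # builds a sample hashed field
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed sample data: the key blobs are placeholders, not real host keys.
OLD_KEY = base64.b64encode(b"constructed old host key").decode()
OTHER_KEY = base64.b64encode(b"constructed other host key").decode()
SAMPLE = ("server1.company.com ssh-rsa %s\n" % OLD_KEY  # stored by name
          + "other.example.com,10.0.0.9 ssh-rsa %s\n" % OTHER_KEY
          + "%s ssh-rsa %s\n" % (_hashed("10.0.0.5"), OLD_KEY))  # stored by hashed IP
```

Calling find_entries(SAMPLE, ["server1.company.com", "10.0.0.5"]) reports lines 1 and 3, which hold the same key under the name and under the hashed IP address.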
Notes on Communication Security and servermgrd
When you use the Server Admin GUI application or the serveradmin command-line
tool, you’re communicating with a local or remote servermgrd process.
• servermgrd uses SSL for encryption and client authentication but not for user
  authentication, which uses HTTP basic authentication along with Directory Services.
• servermgrd uses a self-signed (test) SSL certificate installed by default in
  /etc/servermgrd/ssl.crt/. You can replace this with an actual certificate.
• The default certificate format for SSLeay/OpenSSL is PEM, which is Base64-encoded
  DER with header and footer lines (from www.modssl.org).
• servermgrd checks the validity of the SSL certificate only if the “Require valid digital
  signature” option is checked in Server Admin preferences. If this option is enabled,
  the certificate must be valid and not expired or Server Admin will refuse to connect.
• The SSLOptions and SSLRequire settings determine what SSL encryption options are
  used. By default, they’re set as shown below but can be changed at any time by
  editing /etc/servermgrd/servermgrd.conf, port 311. In the default SSLCipherSuite
  string, the entries prefixed with + only reorder ciphers already admitted by ALL, so
  low-strength, SSLv2, and 40-bit export ciphers remain permitted; only anonymous
  Diffie-Hellman (ADH) and 56-bit export ciphers are excluded.
SSLCertificateFile /private/etc/servermgrd/ssl.crt/server.crt
SSLCertificateKeyFile /private/etc/servermgrd/ssl.key/server.key
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +StdEnvVars