Topic "Puttygen keysets with WinSCP?"

SB

Guest


I generated a public and a private key pair using puttygen and can log onto server with the key pair using Putty & Pageant. Can I use this keyset with winscp for both scp and sftp transfers? If so how?

Because when I try to connect using the puttygen created keys in winscp, I get that warning indicating that I may not be able to trust that it's my server I'm logging on to, and I did not get this warning with putty after I installed the public key onto server and set up my private key path with putty on local machine.

I'm using latest versions of Putty and Win SCP and it's a RH 8 Linux server running openssh. Using ssh2, RSA Key.
martin
Site Admin
Joined: 2002-12-10
Posts: 24553
Location: Prague, Czechia
You get the warning on the first connect only, because WinSCP does not know the server's host key yet. Note that it is the "host key", not your private/public key. Also, you must have gotten the same with PuTTY on its first connect. It has nothing to do with the keys you've generated, and you would get the warning even if you connected the first time with a password.

You might find the chapter Verifying the host key from the PuTTY documentation useful to understand all this.
_________________
Martin Prikryl
Guest




Hi. Yes, thanks, I understand about the host key,
but how can I actually verify that the host key is my server's own key?

From your URL:
Code:
However, when you connect to a server you have not connected to before, PuTTY has no way of telling whether the host key is the right one or not. So it gives the warning shown above, and asks you whether you want to trust this host key or not.


Where would the host key be located on my server? Should I just copy it to my local machine and compare it to what comes up in the warning dialogue box?
martin
Quote:
Where would the host key be located on my server? Should I just copy it to my local machine and compare it to what comes up in the warning dialogue box?

To display the host key fingerprint, use the command "ssh-keygen -l" and then specify the path to the public key. It will be something like /etc/ssh_host_dsa_key.pub or /etc/ssh_host_rsa_key.pub. The output should be the same as WinSCP/PuTTY shows you.
_________________
Martin Prikryl
Guest




OK thanks much,

In my case the path was /root/.ssh/authorized_keys
Does that seem OK?

When I did this, the fingerprint that came back was 1024 93:cf:c6: ... and then 13 more hex numbers following in the string. Using the above method, is the fingerprint always the same for the same authorized_keys file?

I then tried logging back into server via WinSCP and the fingerprint that came up in Winscp did not match the above key.

Does this mean there is a man in the middle attack?
Guest




Another problem is that the above man info that you provided does not inform how to check to see if the host key for the server I have been logging into that is stored in register on my local machine is legitimate or a fake. Even though I don't get that warning any more in putty, how can I be sure that it's the correct key?
Guest




Actually I think I figured most of this out with help from the site at http://www.securityfocus.com/infocus/1806 however I have one pressing question.

At http://www.securityfocus.com/infocus/1806#footnote-4 about this key issue, on that page in regard to verifying the host key it says: "[ref 4] It's always possible that a man-in-the-middle attacker is watching for this verification and can twiddle the output to convince you the keys match. If the attacker is this good, you've got lots of problems ahead of you."

OK if this is the case, what can I do to prevent this man in the middle attack of an attacker watching the verification process and twiddling the output?
martin
Anonymous wrote:
In my case the path was /root/.ssh/authorized_keys
Does that seem OK?

No. File 'authorized_keys' contains public keys of the user, not the server's. Public key of the server is global for all users, not specific for each one.
_________________
Martin Prikryl
martin
Anonymous wrote:
Another problem is that the above man info that you provided does not inform how to check to see if the host key for the server I have been logging into that is stored in register on my local machine is legitimate or a fake. Even though I don't get that warning any more in putty, how can I be sure that it's the correct key?

If it was fake when you logged in the first time, it means that you have been connecting to a fake server (not yours) all the time. I guess you would have noticed already :)

Of course, with the exception that the attacker is only proxying your connections every time. I do not know how long you have been using PuTTY from that machine, but I guess it is highly unlikely.

Anyway, if you want to be 100% sure, check the PuTTY cache at [HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
I do not know how the keys are encoded in the registry. If you do not find it out yourself, an easy way is to remove the particular key and try to connect. PuTTY will ask you again to confirm the key and show you the fingerprint in the format you already know.
_________________
Martin Prikryl

Last edited by martin on 2004-11-24; edited 1 time in total
martin
Quote:
OK if this is the case, what can I do to prevent this man in the middle attack of an attacker watching the verification process and twiddling the output?

You have the answer on the referenced page:
Quote:
The best way to verify a host key is to do so in some out-of-band method. For example the owner of the system could publish the key fingerprint on an SSL-protected web page. One place I worked actually distributed the host key of our main shell server on our laminated 'Emergency Contacts' phone number card, so you could verify it just by pulling out your wallet, even when sitting down at an Internet cafe.

I.e. you should know the key fingerprint in advance (before you connect the first time).
_________________
Martin Prikryl
Guest




Thanks prikryl for the regedit information.

I was wondering, is the fingerprint of the host key different for each username that one logs in on (on the same server)?

For example when I do the ssh-keygen command after logging on as a regular user and then doing a su -, after switching to root, I get one fingerprint.

However when I log on with putty as a non root user, the fingerprint is different from the fingerprint that I get after doing a keygen as root.

Does the same host key generate different fingerprints depending on which user I am logging in under?
Guest




I think what I'm confusing are the key fingerprints. I have 4 fingerprints, when I do

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub

I get three different fingerprints one for each.

When I do ssh-keygen -l and then enter path for authorized_keys, I get a fourth fingerprint for authorized_keys.

When I use WinSCP to login with a regular username using a virtual domain on the server, a domain different from the server's main address, I get the RSA key fingerprint, not the fingerprint for the authorized_keys file, so I am assuming that this is OK, is it?

If so, I thought I was supposed to be getting the fingerprint for the authorized_keys file and not the /etc/ssh/ssh_host_rsa_key.pub. Why does this happen, or does it really matter?
martin
Quote:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub

I get three different fingerprints one for each.

And any of the three is good enough. Which one is used depends on the host key algorithm agreed on by client and server. AFAIK ssh_host_key.pub is used for SSH1 and the other two for SSH2.

Quote:
When I use WinSCP to login with a regular username using a virtual domain on the server, a domain different from the server's main address, I get the RSA key fingerprint, not the fingerprint for the authorized_keys file, so I am assuming that this is OK, is it?

I have explained this already:
Quote:
File 'authorized_keys' contains public keys of the user, not the server's. Public key of the server is global for all users, not specific for each one.

In other words, in 'authorized_keys' you give your public key to the server, so the server knows it in advance, before you connect the first time with your private key. It is the same procedure as when you get the public part of the host key in advance. Just in the opposite direction.
_________________
Martin Prikryl
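
The check discussed in this thread, as an added example that is not part of the original posts and not PuTTY or WinSCP code: it computes a public key line's fingerprint the way "ssh-keygen -l" reports it (the MD5 colon-hex form quoted above, plus the SHA256 form newer OpenSSH prints) and compares it with a fingerprint obtained in advance. The key numbers and all function and constant names are constructed for illustration, and key lines are assumed to carry no options prefix.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def make_rsa_line(n: int, e: int = 65537, comment: str = "constructed") -> str:
    """Build a well-formed 'ssh-rsa' public key line from constructed numbers."""
    def mpint(v: int) -> bytes:
        # the extra leading byte keeps the number positive on the wire
        return ssh_string(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    blob = ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def fingerprints(pub_line: str):
    """Return (key_type, md5_fp, sha256_fp) for a 'type base64 [comment]' line."""
    key_type, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode():
        raise ValueError("key type field does not match the key blob")
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, md5_fp, "SHA256:" + sha

def matches_trusted(pub_line: str, trusted_fp: str) -> bool:
    """Compare a presented key with a fingerprint known before connecting."""
    _, md5_fp, sha_fp = fingerprints(pub_line)
    want = trusted_fp.strip()
    if want.startswith("SHA256:"):
        return hmac.compare_digest(want, sha_fp)
    if want.upper().startswith("MD5:"):
        want = want[4:]
    return hmac.compare_digest(want.lower(), md5_fp)

# Constructed sample data: not real keys, only realistic in shape and size.
HOST_LINE = make_rsa_line((1 << 1023) | 0xC0FFEE01, comment="host")  # like ssh_host_rsa_key.pub
USER_LINE = make_rsa_line((1 << 1023) | 0xBADC0DE5, comment="user")  # like an authorized_keys entry
TRUSTED_FP = fingerprints(HOST_LINE)[1]  # stands in for the value published out of band

if __name__ == "__main__":
    print("trusted fingerprint:", TRUSTED_FP)
    print("host key matches   :", matches_trusted(HOST_LINE, TRUSTED_FP))
    print("user key matches   :", matches_trusted(USER_LINE, TRUSTED_FP))
```

The user key line fails the comparison for the same reason the authorized_keys fingerprint did not match the client's dialog: it is a different key, so only the host key line should be checked against the trusted value.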