Describing what SSH host keys are, what they are used for, and what actually happened when GitHub rotated their RSA SSH host key. GitHub: github.com/sudomateo LinkedIn: / sudomateo Twitter: / sudomateo
Great video. Well done. Are SSH Host keys only produced by the administrator of the server you are connecting to? I heard you say you generated your own public and private key pair. That public key you mentioned you created as part of that pair is different than the SSH Host key you are talking about in the video, correct? Is the public/private key pair you created to encrypt and decrypt PGP files only and not for host authentication (for example, logging into a server as you do in the video)?
Correct! SSH host keys are generated by the system administrator where the SSH service is running. Usually the SSH host keys are generating automatically when the SSH service starts up if they are not already present. The SSH key pair (public/private) that you create for yourself is used to authenticate to a server that's speaking SSH. You upload the public key to the server via a trusted means and then when you want to connect to that server via SSH you just use your private key to encrypt some data and perform a key exchange that only your corresponding public key can decrypt successfully. However, when you first connect to a server over SSH, your local SSH client will ask you to verify the SSH host keys provided by the SSH service. That way when you connect in the future you can be sure you're connecting to the same SSH service as before and it wasn't tampered with.
what's the purpose of this process? Does not everyone could get the public key and send to you ? How could the host key or the fingerprint verify the server?
When you connect to an instance with SSH you receive the host key and are asked to trust it before connecting. Once you trust it then future connections still receive the host key from the instance and see if you have already trusted the host key for that particular instance. If you did then the connection will proceed. If you didn't trust that host key or if the host key that was presented by the instance changed then the connection would not be trusted and won't proceed. So it's a way to prevent man in the middle attacks and connecting to the a compromised instance.
You don't need to change your private key in this case. The host still had my public key, but the host key changed. I removed the old host key from my ~/.ssh/known_hosts, reconnected, and trusted the new host key. Then the connection proceeded and I was able to use my existing private key since the host already had my public key.
Great stuff ,i have same error but this solution does not work bc i can't even access the /etc/.ssh path . am using an amazon ec2 instance with a public ip, i can successfully ssh into it, when i want to ssh to another server from this server using its private ip ,it gives me this below error " [root@ip-10-0-0-237 ec2-user]# ssh ec2-user@10.0.2.241 The authenticity of host '10.0.2.241 (10.0.2.241)' can't be established. ECDSA key fingerprint is SHA256:H6vZk6QBx/tDE9Qwc4PgUZL4hfyQE+EtIf1SZzxKxgg. ECDSA key fingerprint is MD5:e1:e1:71:b2:c7:6d:08:ed:a8:bb:15:21:c3:75:7e:e4. Are you sure you want to continue connecting (yes/no)? Host key verification failed. [root@ip-10-0-0-237 ec2-user]# can you advice how to resolve this
You don't need access to /etc/.ssh. You only need access to ~/.ssh which is the .ssh directory in your user's home directory. In your case you can also check the ~/.ssh/known_hosts file to remove the host key for 10.0.2.241 and try the SSH again.
