using ssh on wotan by Thomas Krichel

Logging in to wotan

We log in from our terminal ssh client.
ssh user_name@dlib.info
The authenticity of host 'dlib.info (148.4.2.231)' can't be established.
RSA key fingerprint is ??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dlib.info,148.4.2.231' (RSA) to the list of known hosts.
Or we do it from PuTTY. In that case the security warning appears in a separate window. In either case, we are asked for a user name, and then for the password.
user_name@dlib.info's password: false password, not echoed
Permission denied, please try again.
user_name@dlib.info's password: correct password, not echoed
Linux wotan version date_when_compiled
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
user_name@wotan:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user_name/.ssh/id_rsa):
Created directory '/home/user_name/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user_name/.ssh/id_rsa.
Your public key has been saved in /home/user_name/.ssh/id_rsa.pub.
The key fingerprint is:
finger_print_1 user_name@wotan
The key's randomart image is:
+--[ RSA 2048]----+
|???????????????????|
|???????????????????|
|???????????????????|
|???????????????????|
|???????????????????|
|???????????????????|
|???????????????????|
|???????????????????|
|???????????????????|
+-----------------+
user_name@wotan:~$ cd .ssh
user_name@wotan:~/.ssh$ ls -l
total number
-rw------- 1 user_name user_name time id_rsa
-rw-r--r-- 1 user_name user_name time id_rsa.pub
user_name@wotan:~/.ssh$ cd
user_name@wotan:~$ exit
logout
Connection to dlib.info closed.

Working with the root account of the server

Assume that your server is server.openlib.org, and it has the IP address server_ip.
user_name@wotan:~$ ssh root@server.openlib.org
user_name@server's password: password
Linux wotan version date_when_compiled
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
user_name@wotan:~$ ssh-copy-id root@server.openlib.org
The authenticity of host 'server.openlib.org (server_ip)' can't be established.
RSA key fingerprint is ??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server.openlib.org,ip_address' (RSA) to the list of known hosts.
root@dlib.info's password: password
Now try logging into the machine, with "ssh 'root@server.openlib.org'", and check in:
 
  ~/.ssh/authorized_keys 
 
to make sure we haven't added extra keys that you weren't expecting.
If this worked successfully, you can skip forward to ***. If ssh-copy-id results in
bash: ssh-copy-id: command not found
I suggest proceeding as follows:
user_name@wotan:~$ scp .ssh/id_rsa.pub root@server.openlib.org:/tmp/.
root@server.openlib.org's password: password
id_rsa.pub                                          100%  bytes     bytes/s   time
This copies the public key file to your server, into a location for temporary files. You will be prompted for your password. Then log in as root on your server.
user_name@dlib.info's password: false password, not echoed
Permission denied, please try again.
user_name@dlib.info's password: correct password, not echoed
Linux wotan version date_when_compiled
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
user_name@wotan:~$ 
Now run the following command. Note the >> rather than >: >> appends to the file, whereas > would overwrite it.
root@server:~$ cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys
This appends the id_rsa.pub file to your authorized_keys file. The temporary copy in /tmp can then be removed.
root@server:~$ rm /tmp/id_rsa.pub
root@server:~$ exit
*** At the next attempt, no password should be required.
user_name@wotan:~$ ssh root@server.openlib.org
Linux wotan version date_when_compiled
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@server:~$ cd .ssh
root@server:~/.ssh$ cat authorized_keys
ssh-rsa ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? user_name@server
root@server:~/.ssh$ rm authorized_keys
root@server:~/.ssh$ cd
root@server:~$ exit
logout
Connection to server.openlib.org closed.
user_name@wotan:~$ cat .ssh/id_rsa.pub
ssh-rsa ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? user_name@wotan
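
The check that ssh-copy-id asks for can be done by fingerprint rather than by eye. The following Python code is an added example, not part of the original page: it parses an authorized_keys file and reports every key whose SHA256 fingerprint is not in an expected set. The key blobs, the address 192.0.2.7 and the comment someone@elsewhere are constructed, and all function names are this example's own.

```python
import base64
import hashlib
import struct

def b64(data):
    return base64.b64encode(data).decode()

def fingerprint(blob):
    """SHA256 fingerprint in the form a current ssh-keygen -l prints."""
    return "SHA256:" + b64(hashlib.sha256(blob).digest()).rstrip("=")

def parse_line(line):
    """Return (options, key_type, blob, comment), or None if the line has no key."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(("ssh-", "ecdsa-sha2-", "sk-")):
            continue                      # still inside the options field
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:
            continue
        # A key blob begins with its own length-prefixed type name.
        n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
        if blob[4:4 + n] == tok.encode():
            return " ".join(tokens[:i]), tok, blob, " ".join(tokens[i + 2:])
    return None

def unexpected_keys(text, expected):
    """(line, type, fingerprint, comment) for each key not listed in `expected`."""
    entries = ((n, parse_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, e[1], fingerprint(e[2]), e[3]) for n, e in entries
            if e and fingerprint(e[2]) not in expected]

def sample_blob(key_type, body):
    # Constructed stand-in for a public key blob; not a usable key.
    name = key_type.encode()
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(body)) + body

# Constructed sample file: the key made on wotan plus one nobody asked for.
MINE = sample_blob("ssh-rsa", b"\x01" * 32)
EXTRA = sample_blob("ssh-ed25519", b"\x02" * 32)
SAMPLE = ("ssh-rsa %s user_name@wotan\n" % b64(MINE)
          + 'from="192.0.2.7",no-pty ssh-ed25519 %s someone@elsewhere\n' % b64(EXTRA))

for hit in unexpected_keys(SAMPLE, {fingerprint(MINE)}):
    print("unexpected key on line %d: %s %s %s" % hit)
```

A current ssh-keygen -lf .ssh/id_rsa.pub on wotan prints the SHA256 fingerprint to put in the expected set.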

Discussing the host keys

user_name@wotan:~$ cat .ssh/known_hosts
|1|????????????????????????????|???????????????????????????= ssh-rsa ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????=
|1|????????????????????????????|???????????????????????????= ssh-rsa ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????=
This shows the host key information for hosts you have connected to before. Let us change it, just for fun, with the nano editor.
user_name@wotan:~$ nano .ssh/known_hosts
You see two lines. What the second line is good for I don't know. Each line Change something in the second part of the first line, after the second vertical bar and before the third. Then type ^O, Return, ^X. Then try again, to see that it no longer knows about the server and proposes to add another key for it.
The authenticity of host 'server.openlib.org (server_ip)' can't be established.
RSA key fingerprint is ??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server.openlib.org,ip_address' (RSA) to the list of known hosts.
root@server:~$ exit
Connection to server.openlib.org closed.
user_name@wotan:~$ exit
logout
Connection to dlib.info closed.

Host key change warnings

You have been working with a host for a while. Now suddenly a machine with the same domain name but a different key comes along. What will a security-conscious ssh client do?
For example, assume you rent a server from one company first, but then switch to another. You have adjusted the DNS record for the server to point to a different IP address, new_ip.
user_name@wotan:~$ ssh root@server.openlib.org
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for server.openlib.org has changed,
and the key for the corresponding IP address ip_address
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??.
Please contact your system administrator.
Add correct host key in /home/krichel/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/user_name/.ssh/known_hosts:line_number
RSA host key for server.openlib.org has changed and you have requested strict checking.
Host key verification failed.
Here you need to remove the line line_number from the file ~/.ssh/known_hosts. Use an editor, for example nano.
user_name@wotan:~$ nano .ssh/known_hosts
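
Both the nano experiment in the host key section and the warning in this section come from the same lookup in known_hosts. The following Python code is an added example, not part of the original page and not OpenSSH's own code: it matches a name against hashed lines of the form |1|salt|hash, where the hash is an HMAC-SHA1 of the name keyed with the salt and the host name and its IP address each get a line of their own, and reports whether the offered key is known, changed or unknown. The key strings, the salts and the addresses 192.0.2.10 and 192.0.2.99 are constructed.

```python
import base64
import hashlib
import hmac

def hash_host(name, salt):
    """Host field of a hashed line: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())

def entry_matches(field, name):
    """True if the host field of one known_hosts line stands for `name`."""
    if not field.startswith("|1|"):
        return name in field.split(",")      # unhashed list of names/addresses
    try:
        _, _, salt_b64, hash_b64 = field.split("|")
        salt = base64.b64decode(salt_b64, validate=True)
        stored = base64.b64decode(hash_b64, validate=True)
    except ValueError:
        return False                         # damaged entry matches nothing
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, stored)

def check_host(known_hosts_text, name, offered_key):
    """Return ('ok' | 'changed' | 'unknown', line number or None) for `name`."""
    key_type, key_text = offered_key.split()[:2]
    changed = None
    for number, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":
            continue                         # blank, comment or marker line
        if entry_matches(fields[0], name) and fields[1] == key_type:
            if fields[2] == key_text:
                return "ok", number
            changed = changed or number      # first offending line
    return ("changed", changed) if changed else ("unknown", None)

# Constructed sample: key text, salts and the address 192.0.2.10 are made up.
OLD_KEY = "ssh-rsa AAAAconstructedOLD old"
NEW_KEY = "ssh-rsa AAAAconstructedNEW new"
LINE_NAME = hash_host("server.openlib.org", b"\x01" * 20) + " " + OLD_KEY
LINE_ADDR = hash_host("192.0.2.10", b"\x02" * 20) + " " + OLD_KEY
SAMPLE = LINE_NAME + "\n" + LINE_ADDR
# The nano edit: alter only the part between the second and third bar.
EDITED = LINE_NAME.replace("|AQEB", "|XXXX", 1) + "\n" + LINE_ADDR

if __name__ == "__main__":
    print(check_host(EDITED, "server.openlib.org", OLD_KEY))   # after the nano edit
    print(check_host(SAMPLE, "server.openlib.org", NEW_KEY))   # after the move
```

On the real file, ssh-keygen -F server.openlib.org performs this lookup and ssh-keygen -R server.openlib.org removes the matching lines without an editor.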

Discussion

Why does ssh-copy-id ask you to “make sure we haven't added extra keys that you weren't expecting.”?