Kar*_*aru 5 networking security dns ssh verification
(注意:这似乎与现有问题相似,但我相信此处的实现细节存在一些差异)
我在一个 DNS 地址后面有几百台主机。每个主机都有自己单独的主机密钥(我无法更改它 - 它由供应商设置,不得修改)。
当我第二次尝试通过单一名称连接到任何主机时,这让我ssh非常沮丧,这是可以理解的:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The DSA host key for (hostname) has changed,
and the key for the corresponding IP address 192.168.0.100
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
SHA256:+38sJSsANknk6vVIHJ/l/xnPCl+ALCNrbi80vrr24cM.
Please contact your system administrator.
Add correct host key in /Users/me/.ssh/known_hosts to get rid of this message.
Offending DSA key in /Users/me/.ssh/known_hosts:291
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,password,keyboard-interactive).
在此环境中安全使用 SSH(即尽可能多地进行完整验证)的最佳实践是什么?
出于安全原因,我不想禁用密钥验证,连接到单个 IP 地址的明显解决方法绕过了供应商的 DNS 实现提供的负载平衡。
您可以使用 预生成known_hosts所有 IP ssh-keyscan。然后在用户系统上将其设置为GlobalKnownHostsFile(只读)并针对该特定hostname禁用UserKnownHostsFile(设置为/dev/null)。
我没有尝试过,但它应该对 IP 感到满意,并且如果它无法known_hosts使用hostname.
示例客户端/etc/ssh/ssh_config(也适合分发):
[...] # other stuff
Host dns_hostname
GlobalKnownHostsFile /etc/ssh/known_hosts
UserKnownHostsFile /dev/null
| 归档时间: |
|
| 查看次数: |
1949 次 |
| 最近记录: |