Opened 11 years ago

Closed 11 years ago

#1011 closed Task/To do item (fixed)

New SSH public key for NEDAP server

Reported by: takethestreets Owned by: Jamie McClelland
Priority: High Component: Tech
Keywords: Cc:
Sensitive: no

Description

Please add this to the backup server for the NEDAP account?

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoWECTSA4slqEHEg0FU/y5rkUhK2XZ8Kmr9VdqGX5i2FPFaOFOPK4xGYsyGzWqbMXIy+dsVqxCcZ9ju+X8QYQwKn+QRDYJYRecTvvSEJstgIqBI+HIJix7y6thBpHgJdXbx0rwiHSo2g8nMbkX+9a4vTbkZjMk0TZc248ED/XOTEIaJTkanB1UkAGzHsz0qL3xlHZVxh12ERGetv3vEd7IRIb8O8VY2DxP65sLx+UEXBOP0nAn8gY8Ck6CKawADbsjysLij7epANSesyBbHm3cBZSgcjUxjwcmHH0KAsXown1B2NV43Xhzv2yFZYcOuLVS3EmdzyPY7v9ft/i5BsK3Q== root@server2

Also, FYI, I don't see anywhere on the site where c.backup.mayfirst.org has its fingerprint listed. Presumably that server has another name, but I don't know what it is.

Change History (11)

comment:1 Changed 11 years ago by Jamie McClelland

Resolution: fixed
Status: new → closed

The new key should be in place now on c.backup.mayfirst.org - please re-open if you have any trouble getting in. I removed the existing key.

Thanks for the heads up on the fingerprint - I just added c.backup.mayfirst.org to the fingerprints page (it's an alias of ali.mayfirst.org).

comment:2 Changed 11 years ago by takethestreets

Resolution: fixed
Status: closed → reopened

Hey there,

So I added c.backup.mayfirst.org successfully to known_hosts, but it looks like the public key (or maybe username?) is no good? See below. -Jon

server2:~# cd .ssh/
server2:~/.ssh# ls
id_rsa  id_rsa.pub  known_hosts
server2:~/.ssh# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoWECTSA4slqEHEg0FU/y5rkUhK2XZ8Kmr9VdqGX5i2FPFaOFOPK4xGYsyGzWqbMXIy+dsVqxCcZ9ju+X8QYQwKn+QRDYJYRecTvvSEJstgIqBI+HIJix7y6thBpHgJdXbx0rwiHSo2g8nMbkX+9a4vTbkZjMk0TZc248ED/XOTEIaJTkanB1UkAGzHsz0qL3xlHZVxh12ERGetv3vEd7IRIb8O8VY2DxP65sLx+UEXBOP0nAn8gY8Ck6CKawADbsjysLij7epANSesyBbHm3cBZSgcjUxjwcmHH0KAsXown1B2NV43Xhzv2yFZYcOuLVS3EmdzyPY7v9ft/i5BsK3Q== root@server2
server2:~/.ssh# ssh nedap-sync@c.backup.mayfirst.org
Permission denied (publickey).

comment:3 Changed 11 years ago by Jamie McClelland

Can you paste the entire command you are using?

In the auth logs, I see a line that says:

May 20 09:15:40 backup sshd[13240]: Invalid user nedap from 68.165.222.40

Is it possible that you are connecting as the user nedap, instead of the user nedap-sync?

comment:4 Changed 11 years ago by takethestreets

You're seeing the complete command (above) - I first tried logging in as user nedap; the logs are probably reflecting that. I just now (at 11:25AM) attempted login again with the correct username:

server2:~# ssh nedap-sync@c.backup.mayfirst.org
Permission denied (publickey).

Perhaps that isolated log entry will be easier to find?

comment:5 Changed 11 years ago by Jamie McClelland

Ah - sorry about that. You did include the entire command.

I'm not seeing anything else for nedap in the auth log. However, I realized that I left your old key in your authorized_keys file, which might be causing ssh to refuse your connection. I just removed it. Can you try again?

Thanks!

comment:6 Changed 11 years ago by takethestreets

Just tried again, no luck.

comment:7 Changed 11 years ago by Jamie McClelland

Ah - I think I see the problem. I ran ssh-vulnkey as the user nedap-sync on ali and got:

nedap-sync@ali:~/.ssh$ ssh-vulnkey
Not blacklisted: 2048 9e:e0:6c:7f:04:15:ed:38:4b:b1:e9:92:8d:03:e0:7a root@ali
Not blacklisted: 1024 43:3f:24:18:45:f7:fe:32:22:c8:53:3a:2c:b1:a9:ba root@ali
COMPROMISED: 2048 63:22:01:a4:bf:ab:ad:e5:b3:f5:6a:ed:33:d4:cc:ca root@server2
nedap-sync@ali:~/.ssh$

Ali seems to think that key is compromised. Is it possible that you generated that key before upgrading the openssl libraries?

It's also possible that ssh-vulnkey is giving a false positive.

Can you try to run ssh-vulnkey on your server as root?
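The check Jamie describes above, as an added example that is not part of this ticket and not the ssh-vulnkey tool itself: a small Python audit that walks an authorized_keys file, decodes each key blob, reports the key type, size and MD5 colon fingerprint in the same shape as the ssh-vulnkey output quoted in comment 7, and flags entries whose fingerprint is on a blacklist. The first sample line is the key pasted in the ticket description; the second key, the `command=` option in front of it, and the blacklist are constructed for the example. The blacklist here is a plain set of fingerprints seeded from the constructed key, so it exercises the flagging path but does not flag the ticket's key; a real audit would load the distribution's blacklist data instead of this stand-in.

```python
import base64
import hashlib
import struct
from typing import NamedTuple, Optional, Tuple

# Key-type tokens recognised when scanning an authorized_keys line.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp")


class KeyInfo(NamedTuple):
    keytype: str
    bits: int
    md5_fingerprint: str   # colon-separated, the form ssh-vulnkey prints
    comment: str
    blacklisted: bool


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH wire 'string': 4-byte big-endian length, then payload."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def md5_colon_fingerprint(blob: bytes) -> str:
    """MD5 of the raw key blob as aa:bb:cc:..., the legacy ssh-keygen -l form."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def key_bits(keytype: str, blob: bytes) -> int:
    """Key size as ssh-keygen -l reports it (modulus or prime size, curve size)."""
    if keytype == "ssh-rsa":                  # fields: type, e, n
        _, off = _read_string(blob, 0)
        _, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return int.from_bytes(n, "big").bit_length()
    if keytype == "ssh-dss":                  # fields: type, p, q, g, y
        _, off = _read_string(blob, 0)
        p, _ = _read_string(blob, off)
        return int.from_bytes(p, "big").bit_length()
    if keytype == "ssh-ed25519":
        return 256
    if keytype.startswith("ecdsa-sha2-nistp"):
        return int(keytype[len("ecdsa-sha2-nistp"):])
    raise ValueError("unsupported key type: " + keytype)


def parse_line(line: str) -> Optional[Tuple[str, bytes, str]]:
    """Return (type, blob, comment) for an authorized_keys line, or None.

    Options such as command="..." may precede the key. The scanner takes the
    first token that looks like a key type, so spaces inside quoted options are
    tolerated as long as no option fragment itself starts like a key type.
    """
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPES):
            blob = base64.b64decode(tokens[i + 1], validate=True)
            inner, _ = _read_string(blob, 0)
            if inner.decode() != tok:
                raise ValueError("key type token does not match blob")
            return tok, blob, " ".join(tokens[i + 2:])
    return None


def audit_authorized_keys(text: str, blacklist: set) -> list:
    """Parse every key line and flag those whose MD5 fingerprint is blacklisted."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a key line; a stricter audit would report it
        keytype, blob, comment = parsed
        fp = md5_colon_fingerprint(blob)
        results.append(KeyInfo(keytype, key_bits(keytype, blob), fp, comment, fp in blacklist))
    return results


# --- constructed sample input ---------------------------------------------
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:             # leading zero keeps the mpint positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


# The key pasted in the ticket description (comment "root@server2").
TICKET_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoWECTSA4slqEHEg0FU/y5rkUhK2XZ8Kmr9VdqGX5i2FPFaOFOPK4xGYsyGzWqbMXIy+dsVqxCcZ9ju+X8QYQwKn+QRDYJYRecTvvSEJstgIqBI+HIJix7y6thBpHgJdXbx0rwiHSo2g8nMbkX+9a4vTbkZjMk0TZc248ED/XOTEIaJTkanB1UkAGzHsz0qL3xlHZVxh12ERGetv3vEd7IRIb8O8VY2DxP65sLx+UEXBOP0nAn8gY8Ck6CKawADbsjysLij7epANSesyBbHm3cBZSgcjUxjwcmHH0KAsXown1B2NV43Xhzv2yFZYcOuLVS3EmdzyPY7v9ft/i5BsK3Q== root@server2"
# Constructed 1024-bit "modulus": only its size matters to the parser, so it
# need not be a real RSA product of two primes.
_WEAK_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 1)
_WEAK_B64 = base64.b64encode(_WEAK_BLOB).decode()

SAMPLE_AUTHORIZED_KEYS = f"""# constructed authorized_keys for the example
{TICKET_KEY}
command="/usr/bin/rsync --server" ssh-rsa {_WEAK_B64} backup@legacy
"""
# Constructed blacklist seeded with the weak sample key's own fingerprint so the
# flagging path runs; a real audit loads the distribution's blacklist instead.
CONSTRUCTED_BLACKLIST = {md5_colon_fingerprint(_WEAK_BLOB)}

if __name__ == "__main__":
    for k in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, CONSTRUCTED_BLACKLIST):
        label = "COMPROMISED" if k.blacklisted else "Not blacklisted"
        print(f"{label}: {k.bits} {k.md5_fingerprint} {k.comment}")
```

Run it as a script to get one line per key in the ssh-vulnkey layout. The MD5 colon form is used because that is what the ticket's ssh-vulnkey output shows; current ssh-keygen prints SHA256 fingerprints by default and needs `-E md5` to produce this form for comparison.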

comment:8 Changed 11 years ago by takethestreets

Ah - I didn't dist-upgrade on this server. I'll do that now.

comment:9 Changed 11 years ago by takethestreets

New SSH key:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2ef6zBhQ8obHPFcZwJrJa3qN9XEBO4DHoJYTDDN4TzS2zxKqayDrSQ0spfsCNRcUQEgv+PiCV3xDgj7TNH26NfXhSjtxBNX64/oBhqbhN11sWUj9Ixm20sTM91oGjfHLiIf2FZCYHEzcSttqmdlYnrPSEtzZoLmFo27LGlRaALbJ83tzqRLO3c80zYcmSe3Qd5UaCL/BgYiPfswZ2fExf5bgswxkQQTfDp+vdO3f1byobUbJVSNvMUZ4T8P0gm7lYW/ilRjgHE9/0Ef279pYLT2u7C73BoRuvwWMLHDs9gXb9yUNZBciDglW4lGrLnqP4IAme5WtmJVWbZqap2n2XQ== root@server2

Thanks! -J

comment:10 Changed 11 years ago by Jamie McClelland

Ok - I just put it in place.

comment:11 Changed 11 years ago by takethestreets

Resolution: fixed
Status: reopened → closed

Ah - much better. Thanks.
