I have got it working now. My DNS was not yet in sync everywhere.
However, I have a problem with a config entry in sshd_config. This is now a Debian server instead of my Ubuntu 14.04. I would like the server to offer ssh-ed25519 first instead of ecdsa when I try to connect. On Ubuntu I use the HostKeyAlgorithms entry for this, but on Debian I can no longer start the service afterwards. Debian apparently does not know this config entry. Does anyone know a solution for this?
sshd_config (Ubuntu 14.04)
# AcceptEnv
# Specifies what environment variables sent by the client will be
# copied into the session's environ(7). See SendEnv in
# ssh_config for how to configure the client. Note that
# environment passing is only supported for protocol 2.
AcceptEnv LANG LC_*

# AuthorizedKeysFile
# Path to store authorized keys
AuthorizedKeysFile %h/.ssh/authorized_keys

# ChallengeResponseAuthentication
# Specifies whether challenge-response authentication is allowed
# (e.g. via PAM).
# The default is "yes".
ChallengeResponseAuthentication no

# DebianBanner
DebianBanner no

# HostbasedAuthentication
# Specifies whether rhosts or /etc/hosts.equiv authentication
# together with successful public key client host authentication is
# allowed (host-based authentication). This option is similar to
# RhostsRSAAuthentication and applies to protocol version 2 only.
# The default is "no".
HostbasedAuthentication no

# HostKeys
# Specifies a file containing a private host key used by SSH.
# Note that sshd will refuse to use a file if it is group/world-accessible.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# HostKeyAlgorithms
# Which host key algorithms are offered to a client to identify the host.
# Find out which algorithms the system provides with "ssh -Q key".
HostKeyAlgorithms ssh-ed25519,ssh-rsa

# KeyRegenerationInterval
# In protocol version 1, the ephemeral server key is automatically
# regenerated after this many seconds (if it has been used). The
# purpose of regeneration is to prevent decrypting captured
# sessions by later breaking into the machine and stealing the
# keys. The key is never stored anywhere. If the value is 0, the
# key is never regenerated.
KeyRegenerationInterval 3600

# ListenAddress
# ListenAddress ::
# ListenAddress 0.0.0.0

# LoginGraceTime
# The time after which the server disconnects if the user has not successfully logged in.
LoginGraceTime 120

# LogLevel
# Gives the verbosity level that is used when logging messages from sshd.
# The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
# DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
# DEBUG and DEBUG1 are equivalent.
LogLevel INFO

# MaxAuthTries
# Specifies the maximum number of authentication attempts permitted
# per connection. Once the number of failures reaches half this
# value, additional failures are logged. The default is 6.
MaxAuthTries 20

# MaxSessions
# Specifies the maximum number of open sessions permitted per
# network connection. The default is 10.
MaxSessions 10

# PasswordAuthentication
# Specifies whether password authentication is allowed.
PasswordAuthentication yes

# PermitEmptyPasswords
# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
PermitEmptyPasswords no

# PermitRootLogin
PermitRootLogin without-password

# Port
Port 22

# PrintMotd
# Print the message of the day
PrintMotd no

# PrintLastLog
# Print the last login
PrintLastLog no

# Protocol
Protocol 2

# Public key authentication
# RSAAuthentication is obsolete in protocol version 2
RSAAuthentication no
PubkeyAuthentication yes

# ServerKeyBits
# Defines the number of bits in the ephemeral protocol version 1
# server key. The minimum value is 512, and the default is 1024.
ServerKeyBits 4096

# StrictModes
# Specifies whether sshd(8) should check file modes and ownership
# of the user's files and home directory before accepting login.
StrictModes yes

# SyslogFacility
# Gives the facility code that is used when logging messages from sshd.
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.
SyslogFacility AUTH

# RhostsRSAAuthentication
# Specifies whether rhosts or /etc/hosts.equiv authentication
# together with successful RSA host authentication is allowed.
# The default is "no".
RhostsRSAAuthentication no

# Subsystem
# Configures an external subsystem (e.g. file transfer daemon).
# Arguments should be a subsystem name and a command (with optional
# arguments) to execute upon subsystem request.
#
# The command sftp-server(8) implements the "sftp" file transfer subsystem.
Subsystem sftp /usr/lib/openssh/sftp-server

# TCPKeepAlive
# Specifies whether the system should send TCP keepalive messages
# to the other side. If they are sent, death of the connection or
# crash of one of the machines will be properly noticed. However,
# this means that connections will die if the route is down
# temporarily, and some people find it annoying. On the other
# hand, if TCP keepalives are not sent, sessions may hang
# indefinitely on the server, leaving "ghost" users and consuming
# server resources.
#
# The default is "yes" (to send TCP keepalive messages), and the
# server will notice if the network goes down or the client host
# crashes. This avoids infinitely hanging sessions.
TCPKeepAlive yes

# UsePAM
# Enables the Pluggable Authentication Module interface. If set to
# "yes" this will enable PAM authentication using
# ChallengeResponseAuthentication and PasswordAuthentication in
# addition to PAM account and session module processing for all
# authentication types.
UsePAM yes

# UsePrivilegeSeparation
# Specifies whether sshd separates privileges by creating an
# unprivileged child process to deal with incoming network traffic.
# After successful authentication, another process will be created
# that has the privilege of the authenticated user. The goal of
# privilege separation is to prevent privilege escalation by
# containing any corruption within the unprivileged processes.
UsePrivilegeSeparation yes
ssh config (client)
Host kronos
    HostName kronos.example.local
    Port 22
    User root
    Compression yes
    IdentityFile ~/.ssh/ssh.key
    PasswordAuthentication no
    PubkeyAuthentication yes
    PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa
    RSAAuthentication no
    StrictHostKeyChecking yes
    VerifyHostKeyDNS yes
Moderated by sebix:
This post was split off from SSH: VerifyHostKeyDNS. Please do not hijack threads (code of conduct)!
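As an added example (not part of the post above and not the poster's own code), here is a small Python script that reads an sshd_config, reports the order of its HostKey lines and whether a HostKeyAlgorithms directive is present, and can rewrite the HostKey block so that a preferred key type is listed first. It works on the assumption, which is my understanding of sshd and not something the post states, that a server which does not understand HostKeyAlgorithms advertises its host key algorithms in the order of its HostKey lines; the sample config is constructed from the HostKey block posted above, and the ecdsa mapping assumes the default 256-bit curve. Whatever the script suggests, check the rewritten file with `sshd -t -f <file>` before restarting the daemon, and confirm the negotiated host key type with `ssh -vv` from the client.

```python
"""Inspect and reorder the HostKey lines of an sshd_config (added example)."""
import re

# Constructed sample input, modelled on the HostKey block of the posted sshd_config.
SAMPLE_SSHD_CONFIG = """\
# HostKeys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# HostKeyAlgorithms (not understood by every sshd version)
HostKeyAlgorithms ssh-ed25519,ssh-rsa
Protocol 2
"""

# Host key file name -> algorithm name the server would advertise for it.
# The ecdsa entry assumes ssh-keygen's default 256-bit curve (assumption).
KEY_FILE_TYPES = {
    "ssh_host_ed25519_key": "ssh-ed25519",
    "ssh_host_rsa_key": "ssh-rsa",
    "ssh_host_ecdsa_key": "ecdsa-sha2-nistp256",
    "ssh_host_dsa_key": "ssh-dss",
}


def _split_directive(raw):
    """Return (keyword, value) for a config line, or None for blanks/comments.
    sshd keywords are case-insensitive and may be separated by blanks or '='."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    m = re.match(r"(\S+)[\s=]+(.+)$", line)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).strip()


def _key_type(path):
    """Algorithm name for a HostKey path, based on the file name only."""
    name = path.rsplit("/", 1)[-1]
    return KEY_FILE_TYPES.get(name, "unknown:" + name)


def parse_sshd_config(text):
    """All directives in file order as (keyword, value) pairs."""
    return [d for d in (_split_directive(l) for l in text.splitlines()) if d]


def hostkey_order(directives):
    """Algorithms in HostKey-line order: the order a server without
    HostKeyAlgorithms support advertises them (assumption, see lead-in)."""
    return [_key_type(v) for kw, v in directives if kw == "hostkey"]


def hostkeyalgorithms(directives):
    """The HostKeyAlgorithms list if the config sets one, else None."""
    for kw, v in directives:
        if kw == "hostkeyalgorithms":
            return [a.strip() for a in v.split(",") if a.strip()]
    return None


def reorder_hostkeys(text, preferred):
    """Rewrite the config so the HostKey lines follow `preferred`; keys not in
    `preferred` keep their relative order afterwards, all other lines stay put."""
    lines = text.splitlines()
    slots = [i for i, l in enumerate(lines)
             if (_split_directive(l) or ("",))[0] == "hostkey"]

    def rank(i):
        alg = _key_type(_split_directive(lines[i])[1])
        return preferred.index(alg) if alg in preferred else len(preferred)

    # sorted() is stable, so keys outside `preferred` keep their original order.
    ordered = [lines[i] for i in sorted(slots, key=rank)]
    for slot, line in zip(slots, ordered):
        lines[slot] = line
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("HostKey order:    ", hostkey_order(cfg))
    print("HostKeyAlgorithms:", hostkeyalgorithms(cfg))
    print(reorder_hostkeys(SAMPLE_SSHD_CONFIG, ["ssh-ed25519", "ssh-rsa"]))
```

Run it against a real file by replacing `SAMPLE_SSHD_CONFIG` with the contents of `/etc/ssh/sshd_config`; the reordered output keeps every comment and non-HostKey line in place, so a diff against the original shows only the swapped HostKey lines.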