• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

The Urban Penguin

The Urban Penguin - Linux Training

  • Home
  • About
  • Live Training
  • Shop
  • Our Latest eBook Offer
  • Programming
    • Master Editing Text Files Using VIM
    • Learn Shell Scripting with BASH
    • PERL Scripting in Linux
    • Ruby Scripting in Linux
    • Scripting with PowerShell
    • Learn C Programming using Linux and the Raspberry Pi
    • General Java Tutorials
    • Java 7 OCA Exam 1ZO-803
  • OS Tutorials
    • Red Hat and CentOS Training
      • RHCE – EX294 – Automation With Ansible
    • Learning Ubuntu
    • LPI Training
      • LPI Linux Essentials
      • LPIC-1 Linux Administrator
      • LPIC-2 Certified Linux Engineer
      • LPIC-3 Senior Level Certification
        • LPIC-3 Exam 300 : Mixed Environments
        • LPIC-3 Exam 303 : Security
        • LPIC-3 Exam 304 : Virtualization and High Availability
    • Linux Technologies
      • Apache HTTPD Server
      • Learning PHP
      • Learning PUPPET
      • Learning SAMBA
      • Linux File-Systems
      • Monitoring with Nagios Core
      • MYSQL
      • openLDAP Directories on Linux
  • Pluralsight Courses
You are here: Home / Linux / SUSE / Central SSH Client known_host

Central SSH Client known_host

October 21, 2013 by The Urban Penguin


Using SSH is a common method in Linux to remotely connect to your servers / desktops and is secured though encryption. The data will always be encrypted but we can also add levels of host authentication into the mix so we can be sure that we are connecting to the host we think we are or “known_hosts”.

The Server’s Public Key.

The default behavior of the SSH client on SUSE Linux is to ask if you want to accept the Server’s public key when you connect to a server that you do not already have their key in your store. If you accept the client will store the Server’s public key in the client’s personal keystore, ~/.ssh/known_hosts. Subsequent times that the user connects to this Server, as they already have its key, the user will not be prompted to store the key.

ask

Risks with the Default Settings

As with most things the default setting provide a mechanism of ease of use balanced with security. As a process becomes more convenient to use, often it becomes less secure. If we connect to a host for the first time and we have not validated that it is actually the server we think that it is we may store an incorrect public key on the store. We see the similar behavior in web-browsers where one connects to unknown or untrusted web-site warnings will show about the server’s certificate. This is the same thing but we are allowing the user to make the choice which in a secure environment may not be the best choice.

We can change the client so that it may only to connect to Servers that are already known or, in other words, have their Public Key or Certificate stored in our key-store. The configuration file used to control this is:

/etc/ssh/ssh_config

We need to make sure that the setting for StrictHostKeyChecking is set to yes to ensure we only connect when we have a pre-shared key.

yes

Populating the Key-Store

We can populate the key-store manually by copying the Server’s Public Key to our client or more easily via the ssh-keyscan command. The command although convenient also carries the risk that we may connect to a malicious server during the scan and again store the incorrect key. For ease, I demonstrate this method in the video. However, if you have may users connecting from the client it would be painful to add the public key to each users  ~/.ssh/known_hosts file. To centralize this I would suggest that in a secure environment that you use the common known_hosts file or key-store which is:

/etc/ssh/ssh_known_hosts

This then can act as the key-store for all users on the client and is much simpler to manage and, of course, more secure.

In Conclusion

SSH provides a secure encryption mechanism to maintain data security across the network, implement StrictHostKeyChecking on the client will also allow for Host Authentication so we can be sure that we are sending our secure information to the correct server.


Share this:

  • Click to share on Twitter (Opens in new window)
  • Click to share on Facebook (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)
  • Click to share on Reddit (Opens in new window)
  • Click to share on Pinterest (Opens in new window)
  • Click to share on Tumblr (Opens in new window)
  • Click to print (Opens in new window)

Filed Under: SUSE

Primary Sidebar

Newest Video

The Urban Penguin On Youtube

Live Training

Powered by Eventbrite

Categories

Pages

  • About The Urban Penguin
  • Contact Us
  • Shop
    • Basket
    • Checkout
    • My Account
  • LPI Training from The Urban Penguin
    • Live and Pluralsight hosted courses
    • Complete Linux Essentials
    • Scheduled Linux Essentials Classes
    • LPIC-3 Senior Level Certification
      • LPIC-3 Exam 300 : Mixed Environments
      • LPIC-3 Exam 303 : Security
      • LPIC-3 Exam 304 : Virtualization and High Availability
    • LPIC-2 Certified Linux Engineer
    • LPIC-1 Linux Administrator
    • LPI Linux Essentials for Raspberry Pi
    • LPI Linux Essentials
  • Operating System Tutorials
    • Linux Foundation Training
    • Solaris 11 OCA 1ZO-821
    • Learning Ubuntu
    • Learning SUSE
    • Red Hat and CentOS Training
      • RHCE – EX294 – Automation With Ansible
  • Scripting – the power of repetition!
    • Java 7 OCA Exam 1ZO-803
    • General Java Tutorials
    • Learn C Programming using Linux and the Raspberry Pi
    • Ruby Scripting in Linux
    • Scripting with PowerShell
    • PERL Scripting in Linux
    • Learn Shell Scripting with BASH
    • Master Editing Text Files Using VIM
  • Linux Technologies
    • Learning PUPPET
    • openLDAP Directories on Linux
    • Monitoring with Nagios Core
    • Linux File-Systems
    • Learning SAMBA
    • Apache HTTPD Server
    • Learning PHP
    • MYSQL
  • OpenStack
    • Pluralsight
    • Udemy
    • Raspberry Pi Tutorials
    • Citrix Videos
  • Courses

© 2019 The Urban Penguin · All Rights Reserved

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.Ok