Old 07-11-2012, 07:20 AM   #1
sunnydev
Posts: 15
Karma: 70
Join Date: Jul 2012
Location: Germany
Device: Kindle
Clarification of usbnet Openssh fingerprint/keys

Please can anyone clarify the usbnet/Openssh handling of the server (Kindle) keys?

putty and FileZilla work fine over ssh, authorized_keys works OK.

My problem is when connecting the fingerprint from the Server (Kindle) is not what I am expecting.

Thanks for any clarification or diagnosis tips.
Old 07-11-2012, 07:23 AM   #2
knc1
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
Originally Posted by sunnydev
Please can anyone clarify the usbnet/Openssh handling of the server (Kindle) keys?

putty and FileZilla work fine over ssh, authorized_keys works OK.

My problem is when connecting the fingerprint from the Server (Kindle) is not what I am expecting.

Thanks for any clarification or diagnosis tips.
It would not "work fine" if the fingerprint was not what the ssh client was expecting.

So modify your expectations to match that of the ssh client software.
Old 07-11-2012, 07:34 AM   #3
twobob
Posts: 6,586
Karma: 6299991
Join Date: Jun 2012
Location: uti gratia usura (Yao ying da ying; Mo ying da yieng)
Device: PW-WIFI|K5-3G+WIFI| K4|K3-3G|DXG|K2| Rooted Nook Touch
you have the server public keys in the "authorised_keys" folder on the kindle right?

I'm not sure I understand the question

Last edited by twobob; 07-11-2012 at 09:36 AM. Reason: amended language
Old 07-11-2012, 08:05 AM   #4
hawhill
Posts: 1,379
Karma: 2155307
Join Date: Nov 2010
Location: Goettingen, Germany
Device: Kindle Paperwhite, Kobo Mini
The "authorized_keys" file holds public keys (not just fingerprints!) that allow log in for users who possess the corresponding private keys.

Also, besides user level authorization, there is server authentification/authorization. The server will also have a public/private key pair. The server's public key is typically saved for authentification of the server on later logins, for the OpenSSH client in ~/.ssh/known_hosts

On UI level, for public keys often only a "fingerprint" is presented. It's a short hash value that allows for a more or less secure comparison of the public key against a published/known one.
Old 07-11-2012, 10:27 AM   #5
knc1
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
Originally Posted by twobob
you have the server public keys in the "authorised_keys" folder FILE on the kindle right?

I'm not sure I understand the question
That is a file under ~/.ssh folder.
Old 07-11-2012, 11:04 AM   #6
sunnydev
Posts: 15
Karma: 70
Join Date: Jul 2012
Location: Germany
Device: Kindle
Thanks for the responses. To clarify, building on hawhill's post:

in my configuration the "user" authentication is OK, i.e. public key is in ../usbnet/etc/authorized_keys and the private key is on the client's side.

This query is about the server (Kindle) public key:
1. If I needed to generate this key, e.g. keygen?
2. where for the usbnet configuration it's stored?
3. if I regenerate another server key (like the user public key) and locate it in the correct place, will this give me a new fingerprint I can use.
I was concerned that I may need to generate a new server key and also unsure where this key is stored.

My understanding so far:
1. Answer: No.
Reason: The fingerprint that the ssh clients show is a hash of the server public key. Once the client has accepted the fingerprint (i.e. user has confirmed it's the correct host), the fingerprint will be stored locally and verified next time a connection is initiated, i.e. to check it's the same host.

This "server" key is generated automatically (practically unique) by the install of Openssh (i.e. usbnet) and therefore in terms of security there are no concerns in terms of needing another to be generated? i.e. the fingerprint showing for my Kindle now is sufficient.

2. I understand normally for Openssh this key is located in something like /etc/ssh/ssh_host_rsa_key.pub.

Is the server public key for usbnet that is used in the hash to create the fingerprint located in /mnt/base-us/usbnet/etc/ssh_host_rsa_key?

3. Is the answer?: Yes, a new public key could be generated to give a new fingerprint but as it's a new install and no compromises then there is little benefit.

Thanks for any further clarifications
Old 07-11-2012, 11:14 AM   #7
knc1
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Plus, USB cables are usually short enough that you could see anyone trying to compromise your connection.

#2 No
ssh_host_rsa_key :: Private key
ssh_host_rsa_key.pub :: Public key

At least for the default pair.

Last edited by knc1; 07-11-2012 at 11:17 AM.
Old 07-11-2012, 11:25 AM   #8
sunnydev
Posts: 15
Karma: 70
Join Date: Jul 2012
Location: Germany
Device: Kindle
:-) I appreciate over USB is ok but I'm using over WiFi too.

knc1#7: Do the above files apply for Openssh with usbnet?

What confuses me is: if I generate a new key pair with puttygen, copy to /mnt/base-us/usbnet/etc, reboot and initiate a new ssh session the Kindle fingerprint is not that which puttygen reports the fingerprint should be. I've also tried the public key in ssh_host_rsa_key but this does not work either.

(By work I mean the ssh client giving the same fingerprint reported by puttygen when the keys are generated).

Last edited by sunnydev; 07-11-2012 at 11:27 AM. Reason: clarification + typo
Old 07-11-2012, 12:07 PM   #9
knc1
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
The "finger print" is only for human reference.
Putty uses a different algorithm than the industry standard programs do.

Same, same for any BSD (OpenSSH) compatible.
OpenSSH, Dropbear, etc.
Puttygen uses its own format for the keys, but they can be converted (imported) by OpenSSH keygen utility.

When you say you generate a "new key pair" do you mean you are generating a new Host key ?
ssh_host_rsa_key is used on the server side to hold the server's PRIVATE key.

Either Dropbear or OpenSSH on the server (I.E: KINDLE ) side will generate that, or re-generate that if you tell it to.

PuttyGen generates CLIENT key pairs.
You get to pick the <name>
You keep the <name> private key
You put the <name>.pub public key in the proper .ssh/authorized_keys file of the machine you wish to access (the Kindle). One key per line.

Last edited by knc1; 07-11-2012 at 12:11 PM.
Old 07-11-2012, 01:03 PM   #10
ixtab
Posts: 2,907
Karma: 6736094
Join Date: Dec 2011
Device: K3, K4, K5, KPW, KPW2
Unless the K3 SSH server is completely different from K5, you'll want to look for documentation about dropbear, not openssh.

On the K5, the file you would be looking for is /usr/local/etc/dropbear/dropbear_rsa_host_key . On the K3, the path is probably different, but the file name might be the same.

You should also be aware that the file formats of putty, openssh, and dropbear are all different. For dropbear, check dropbearconvert, for putty, I don't remember the tool's name.

IMO, what you're trying to do is actually not worth the hassle. Delete all client-side "known keys" for the device, then connect via USB, then via Wifi. (Write down the key that you got, if you're really paranoid). If that key ever changes in the future, your SSH client should warn you.

Last edited by ixtab; 07-11-2012 at 01:11 PM.
Old 07-11-2012, 01:03 PM   #11
sunnydev
Posts: 15
Karma: 70
Join Date: Jul 2012
Location: Germany
Device: Kindle
Yes, as I understand it: user should validate the finger print, often just a yes, and it could also be saved for convenience (on the client side) for automated checking by the client.

Apologies, I wasn’t aware of the Putty RSA keygen differences. I assumed (looking like in error) the same method could be used for the server keys. Puttygen post I worked from that was very useful for the user keys:
https://www.mobileread.com/forums/sho...85&postcount=8

Thanks I’m clear on the ssh client, puttygen, user keys.

Yes the new key pair was for the server side, i.e. that which is used to generate the fingerprint.

Remaining questions:
Knc1#9:
1. How do I (re-)generate the server keys on the Kindle? I cannot find ssh-keygen on the Kindle.
e.g. from find / -name ssh-keygen -print

2. For the usbnet/Openssh/Kindle does the same ssh server default names apply, private key in ssh_host_rsa_host, public key in ssh_host_rsa_host.pub?

3. For usbnet/Openssh/Kindle are the server key files to be located in /mnt/base-us/usbnet/etc?

Thanks.
Old 07-11-2012, 01:19 PM   #12
knc1
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
The differences are in how they compute a "fingerprint".
Even if both applications use identical keys, the "human friendly" finger print they generate will be different.

1: What ssh server software do you have installed on the Kindle?
Openssh or Dropbear? It looks like Openssh but I have to ask to be certain we are not wasting thread time.
That **should** have found it. But that may not be the correct name *or* the package you installed did not include it.

2: Yes. <name> is private, <name>.pub is public
Yes, the ssh server side key generation will put it in the correct place if you let it use default locations and names (which must be writable of course).

3: I don't have a clue. Show me the output of the command: mount and then maybe I can tell what you have mounted there.
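To make the two points in hawhill's post #4 and knc1's post #12 concrete (a fingerprint is nothing more than a hash over the server's public key blob, and different clients render that hash in different human-readable forms), and to show the client-side check ixtab describes in #10 (warn when a recorded host key changes), here is an added Python example. It is not code from the thread, from USBNet, or from OpenSSH. It builds an "ssh-rsa" public key blob in SSH wire format, prints both fingerprint forms OpenSSH uses (colon-separated MD5 and base64 SHA-256 over the same blob), and emulates the known_hosts decision. The key material is an arbitrary constructed number, not a real RSA key, and the hostnames kindle-usb / kindle-wifi are placeholders, not values from the thread.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251): big-endian bytes,
    with a leading 0x00 when the high bit is set so the value stays positive."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Build the 'ssh-rsa' public key blob (RFC 4253): string "ssh-rsa", mpint e, mpint n.
    This blob is what a known_hosts entry or a .pub file carries in base64, and it is
    the exact byte string the fingerprint hash is computed over."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def parse_pubkey_line(line: str):
    """Parse a 'ssh-rsa AAAA... [comment]' line into (keytype, raw blob).
    The blob embeds its own type string, so we check it agrees with the first field."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not a public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1])
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type field does not match the encoded blob")
    return keytype, blob


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the form older OpenSSH clients display."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Newer OpenSSH fingerprint: base64 of SHA-256 over the same blob, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_known_hosts(known_hosts: str, host: str, keytype: str, blob: bytes) -> str:
    """Emulate the client's decision for plain (unhashed) known_hosts entries:
    'match'   - a stored key for this host and key type equals the presented key
    'changed' - the host is listed with this key type but the key differs (warning case)
    'unknown' - no entry for this host/key type (client would prompt to trust)"""
    listed = False
    for raw in known_hosts.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split()
        if len(fields) < 3:
            continue
        hosts, stored_type, stored_b64 = fields[0].split(","), fields[1], fields[2]
        if host not in hosts or stored_type != keytype:
            continue
        listed = True
        if base64.b64decode(stored_b64) == blob:
            return "match"
    return "changed" if listed else "unknown"


# Constructed sample data: NOT a real key, the modulus is an arbitrary 1024-bit number.
_SAMPLE_N = (1 << 1023) + 0xC0FFEE
SAMPLE_PUBKEY_LINE = (
    "ssh-rsa "
    + base64.b64encode(rsa_public_blob(65537, _SAMPLE_N)).decode()
    + " constructed-kindle-host-key"
)
# Constructed known_hosts: the same key recorded under two placeholder aliases
# for the device (one reached over usbnet, one over wifi).
SAMPLE_KNOWN_HOSTS = (
    "# kindle over usbnet and over wifi, same host key\n"
    "kindle-usb,kindle-wifi " + " ".join(SAMPLE_PUBKEY_LINE.split()[:2]) + "\n"
)


if __name__ == "__main__":
    kt, blob = parse_pubkey_line(SAMPLE_PUBKEY_LINE)
    print(fingerprint_md5(blob))
    print(fingerprint_sha256(blob))
    for h in ("kindle-usb", "kindle-wifi", "other-box"):
        print(h, check_known_hosts(SAMPLE_KNOWN_HOSTS, h, kt, blob))
    # A regenerated host key (different modulus) is what triggers the client's warning.
    other = rsa_public_blob(65537, (1 << 1023) + 0xBAD)
    print("kindle-usb after key change:",
          check_known_hosts(SAMPLE_KNOWN_HOSTS, "kindle-usb", kt, other))
```

Because both fingerprint forms are derived from the identical blob, comparing the value your client shows against one you computed from the .pub file (or from the private key's public half) is a valid check regardless of which display format each tool picked; what matters for the known_hosts comparison is the blob itself, which is why a regenerated host key yields "changed" rather than a format mismatch.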
Old 07-11-2012, 01:37 PM   #13
NiLuJe
Posts: 13,506
Karma: 26047190
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
@sunnydev: The USBNet hack ships with pre-generated server keys on the K3, because the CPU is so tiny that it would take a noticeable amount of time to generate them during setup.
(And OpenSSH's ssh-keygen was broken on the K3 when I did my initial implementation [but that just might have been because of an LTO issue]. Anyway, it's not shipped with USBNet.).

(FWIW: The dropbear keys are the same as ebs' original implementation from back in the FW 2.x days, and I generated the OpenSSH keys myself with OpenSSH-6.0_p1 especially for USBNet. On the other hand, on the K4 & Touch, the vanilla dropbear *does* generate server keypairs on first boot).

On the K3: They're in /mnt/us/usbnet/etc (2 for dropbear, 3 for OpenSSH).

So, yes, if you switch from dropbear to OpenSSH, the fingerprint *will* change, they use different keys.

1. Do it from a proper Linux host, it'll be faster (and, as I said, ssh-keygen isn't shipped with the hack, so that leaves you only with dropbear's keygen).

2. See the files in /mnt/us/usbnet/etc (The server doesn't need the public key, so they're not shipped with USBNet).

3. See #2.

Last edited by NiLuJe; 07-11-2012 at 01:49 PM.
Old 07-11-2012, 02:55 PM   #14
sunnydev
Posts: 15
Karma: 70
Join Date: Jul 2012
Location: Germany
Device: Kindle
knc1:
Thanks,
1. Yes Openssh.
the rest as per NiLuJe's post #13.

NiLuje:
Great, you’ve covered off all the questions thanks.
I switched to Openssh immediately after install so didn’t use dropbear.
I appreciate some of the constraints of porting some packages. I can generate the key pair on another platform, then copy over the private key as you specify, as that’s the only one needed.

I’ll test the above tomorrow. Assume no news is good news.
Thanks all for your help.
Old 07-12-2012, 05:46 AM   #15
sunnydev
Posts: 15
Karma: 70
Join Date: Jul 2012
Location: Germany
Device: Kindle
I confirm that a new host key (certificate) can be generated from a different device, copied to the Kindle and then the fingerprint matches what is stated when the host key was generated.
As there is no ssh-keygen on the Kindle I generated the new host certificate on a Raspberry Pi with:
$ ssh-keygen -h -t rsa -f ssh_host_rsa_key
-h switches to host certificate rather than the user certificate
Then copied the ssh_host_rsa_key file to /mnt/base-us/usbnet/etc
Rebooted the Kindle
Then connecting from my ssh client, the expected fingerprint matched the one for the host key just generated.

Previous confusion now resolved. Thanks to all for the help given in this thread.
Tags
fingerprint, ssh server

