Author Topic: ssh host keys & multiple PCLinuxOS installations  (Read 548 times)

Phantom Lobell
ssh host keys & multiple PCLinuxOS installations
« on: December 08, 2012, 12:22:27 PM »
I have generated a pair of ssh keys (rsa 2048) on my PCLinuxOS KDE installation. They are in the default locations.
I am running 8 different installations of PCLinuxOS (KDE, LXDE, XFCE, Full Monty, OpenBox, e17, Gnome and KDE MiniMe). Each is installed on a separate root partition. I am sharing my swap and /home partition (creating different users for each installation so the settings would not interfere with each other). Grub is in the MBR (Windoze 7 also being on the notebook). The KDE (not the MiniMe) installation is the master. It contains the menu.lst that references all the other installs, so when the Grub menu appears I can select any of the different versions of PCLinuxOS above (KDE being the default).
Can I connect to an ssh server from each version and have it work? If not (and I don't think it will work) how can I make this work? Would copying the pair of keys to each different version be heading in the right direction? What about the host keys? I don't want to have a message come up when I try to connect from each of the different versions that the host key has changed, since I would be trying to connect to 2 openssh servers possibly from 8 different PCLinuxOS installations. ???

muungwana
Re: ssh host keys & multiple PCLinuxOS installations
« Reply #1 on: December 08, 2012, 02:21:29 PM »
You connect to an ssh server to log in to a user account. When you attempt to log in, credentials will be read by default from the user's home directory.

If ssh servers on all installations allow remote access and are running when respective systems are up, then the problem is "how do I log in to a user account remotely using ssh". Apply the answer to all user accounts regardless of the installed system they reside in.
.. 3 things are certain in life : death, taxes and software bloat ..
.. tell me something i don't know, something i can use as i struggle to reason with the world around me ..

Phantom Lobell
Re: ssh host keys & multiple PCLinuxOS installations
« Reply #2 on: December 08, 2012, 06:45:22 PM »
Sorry, I find ssh confusing. Could you please explain your answer? I'm not sure what you mean by "Apply the answer to all user accounts regardless of the installed system they reside in". ???

muungwana
Re: ssh host keys & multiple PCLinuxOS installations
« Reply #3 on: December 08, 2012, 09:00:23 PM »

Let's say you have a user called "alicia" at a remote computer with an IP address of ABC.

Let's say you are logged in as user "mary" at a computer with an IP address of XYZ.

To connect to computer ABC as user "alicia" from "mary"'s account at computer XYZ, you will do something like:

ssh alicia@ABC

When you do that, the computer at ABC will send some information about itself and you will get the "unknown host" warning if there is no entry for the computer at ABC in the "/home/mary/.ssh/known_hosts" file.

If you choose to proceed, the identity of the remote computer will be saved in "/home/mary/.ssh/known_hosts". The identity is tied to an IP address so you will be warned only once unless the remote computer changes its IP address, since the identity is tied to an IP address.

Quote
Can I connect to an ssh server from each version and have it work?
Yes. There should be no problem with that. If you have an ssh client installed on each version, you can connect to an ssh server from each version.

Quote
Would copying the pair of keys to each different version be heading in the right direction? What about the host keys? I don't want to have a message come up when I try to connect from each of the different versions that the host key has changed, since I would be trying to connect to 2 openssh servers possibly from 8 different PCLinuxOS installations.
If you don't want the warning to repeat 16 times as you try to log in remotely to your two servers from your 8 accounts, each from its version, you can connect to both servers using one of the accounts and get the warnings twice, and then copy "~/.ssh/known_hosts" from the account you logged in with to the rest of your accounts' .ssh folders, and you would not get them again. Never tried it but it should work.

kjpetrie
Re: ssh host keys & multiple PCLinuxOS installations
« Reply #4 on: December 09, 2012, 09:03:53 AM »
Because you share your /home partition, all your installs share the same key pair. Therefore they will all work the same with SSH. You need to copy the public key to the appropriate place on the server you wish to connect to. You can do this by FTP or sftp, but will have to use a password log-in the first time. Once the key is installed you will no longer be prompted for the password and can even disable it if you are confident someone else will restore it if the key ever gets lost or changed.

If you connect to more than one server, each will need a copy of the public key, and you will have to ensure the IP address or name of each server is listed against the key in the known hosts file on your machine (~/.ssh/known_hosts) or you will get a warning and limited functionality every time you log into a server that isn't the first one. You will need to read up on the known hosts file format online to learn how to do that.

Hope this helps.
-----------
KJP
-----------------------------------------------------------
PClos64 RC1 on Intel D945GCLF2 motherboard (Atom 330), 2GB DDR2 RAM, Maxtor STM325031, HL-DT-ST DVDRAM GSA-H42N, Amilo LSL 3220T monitor. Also Acer 5810TG (with custom kernel) and Asus eeePC 2G surf

Phantom Lobell
Re: ssh host keys & multiple PCLinuxOS installations
« Reply #5 on: December 09, 2012, 10:18:59 AM »
Thanks to muungwana and kjpetrie for their replies.
I am using dyndns to map an IP address to a hostname. Thus this should never change regardless of which PCLinuxOS version I log in with, should it? Once I have successfully logged in to each server via password authentication the first time only, the host_key should stay the same on the servers?
kjpetrie stated that my keys should be the same in all versions of PCLinuxOS I'm running since I'm sharing my /home partition. But I have different users set up in that partition so each version won't interfere with the other running different window managers, desktops etc. I have just checked my PCLinuxOS LXDE /home partition and it does not even have a .ssh directory! Obviously no keys are there either. I checked Synaptic and have both the openssh server and client installed. Since I didn't install them explicitly and I only need the client, the default installation of PCLinuxOS LXDE must have done so. So should I manually create the .ssh directory, making sure permissions stay the same, and copy my keys from KDE /home where I originally created the key pair?
Can I use ssh-copy-id to copy my ssh public key to each server?

kjpetrie
Re: ssh host keys & multiple PCLinuxOS installations
« Reply #6 on: December 09, 2012, 10:38:41 AM »
It depends exactly what you want to do. If you want to ensure each user can only log in to their own account on the server you will need a different key pair for each user. If you only want to log in to one shared account on the server you can copy the keys between users. However, you will only have permission to do so as root, and you will have to change ownership and permissions for each user after copying. SSH will only use a private key if it is owned by the same user and only accessible by them.

Is dyndns pointing to the server or to your local machine? If to the server this should be fine with known_hosts. I thought you had more than one server. If you only have one the known_hosts will be created automatically on first log-in with the key. If you have others you will have to add them to the file manually.

Yes, ssh-copy-id should work fine.

Phantom Lobell
Re: ssh host keys & multiple PCLinuxOS installations
« Reply #7 on: December 09, 2012, 11:19:12 AM »
Sorry if I misled you. Basically what I'm trying to do is help another user remotely. They have two installs of Linux and mess up their installation frequently, thus two openssh servers running. They are not full-fledged servers, just desktop machines running ssh servers. My multiple versions of PCLinuxOS with different users are in reality just myself. I had to set it up with different user names for my /home partition so I could try out different PCLinuxOS versions without messing each installation up. Becoming root is no problem then. If I get this connection working I'll move to X11 forwarding later.
The dyndns hostnames are being used by each of us since our ISPs use dynamic IP addressing. To connect to the other party's Linux install running the openssh server I would like to point my openssh client to their dyndns hostname.
Thanks for the info. I think from this I can get this going. Since I'm the lone physical user I can copy the keys between the accounts I created making sure permissions and ownership are correct as root.
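
The copy step discussed in the replies above, as an added example that is not part of the original thread: a Python helper that copies a key pair into another account's .ssh directory, sets owner and modes, and then lists anything that breaks the rule from Reply #6 (private key owned by the user and accessible only by them). The function names, the default key name id_rsa and the modes chosen for the directory and the public key are assumptions for illustration.

```python
import os
import shutil
import stat


def copy_keypair(src_ssh, dst_ssh, uid, gid, name="id_rsa"):
    """Copy name and name.pub from src_ssh into dst_ssh for the user uid:gid.

    Run as root when uid is another account; chown fails otherwise.
    """
    os.makedirs(dst_ssh, exist_ok=True)
    os.chmod(dst_ssh, 0o700)
    os.chown(dst_ssh, uid, gid)
    for fname, mode in ((name, 0o600), (name + ".pub", 0o644)):
        dst = os.path.join(dst_ssh, fname)
        # Create the file with a restrictive mode before any key bytes land in it.
        fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as out, open(os.path.join(src_ssh, fname), "rb") as src:
            shutil.copyfileobj(src, out)
        os.chmod(dst, mode)
        os.chown(dst, uid, gid)


def key_problems(ssh_dir, uid, name="id_rsa"):
    """List owner/mode problems on ssh_dir and on the private key inside it."""
    problems = []
    for path in (ssh_dir, os.path.join(ssh_dir, name)):
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != uid:
            problems.append(f"{path}: owner uid {st.st_uid}, expected {uid}")
        if mode & 0o077:  # any group/other permission bit set
            problems.append(f"{path}: mode {mode:04o} is open to group/others")
    return problems
```

An empty list from key_problems means the copied key meets the ownership and permission rule; each entry otherwise names the path to fix with chown or chmod.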

kjpetrie
Re: ssh host keys & multiple PCLinuxOS installations
« Reply #8 on: December 09, 2012, 03:00:36 PM »
Don't apologise. What you're doing is good.

The only problem I can foresee is a security one. An open SSH port on the Internet attracts automated log-in scripts which will try to find an active account and guess the password. They can send several requests a second. This both eats the person's bandwidth and threatens their security if after several months they manage to gain access. You might want to consider firewall rules (iptables) carefully to make sure ssh will only be accepted from your ISP and even then a script monitoring auth.log and banning IP addresses that try to log-in too many times might be worth considering.

X forwarding is fine over LANs but can be intolerably slow over the Internet. You might want to consider other techniques if you don't want to rely on CLI.

Anyway. Hope it works out. There are people here if you need help.

present_arms
Re: ssh host keys & multiple PCLinuxOS installations
« Reply #9 on: December 10, 2012, 05:40:21 AM »
If I understand correctly, it shouldn't matter what flavour of pclos you are using. I log in like "ssh -l <user name on remote> <ip address>"; that should work too :) So just a different ssh session for each of the machines you are logging in to. If you want to forward X, use the -CX as it is a lot faster for X forwarding. So for example, to log in to my g/f's machine with a username of "mary" for instance, it's "ssh -CX -l mary 192.168.1.3", no quotes. I hope this helps some :)

Phantom Lobell
Re: ssh host keys & multiple PCLinuxOS installations
« Reply #10 on: December 10, 2012, 11:30:04 AM »
I realize security can become an issue, but I'd like to make sure the connection between clients and servers works first before moving on to deal with security. One step at a time since I'm dealing with a distant end user who a short time ago didn't know what a terminal was. I have their login info (which was sent via GnuPG).
I plan on using the DenyUsers, AllowUsers, DenyGroups, AllowGroups rules, changing the default port from 22, not permitting root login, adding the hostname to the ssh_config file, sshutout or equivalent to watch repeated failed ssh login attempts, but first I want to make sure the connection works, then add the security measures one at a time then attempt a successful ssh login, add another security measure, check for ssh login again etc. If I can't get past the first hurdle, no point in trying the next. By changing one security measure at a time, if I can't log in remotely at least I'll know what security measure is causing the problem.
If things work after implementing all the above for CLI, I'd like to attempt nomachines' programs for X11 forwarding. Yes, I realize the free version only allows a small number of connections but it's sufficient for this case.
On the first connection attempt, when you get the "authenticity of host can't be established, the fingerprint is" etc etc etc: where is that key found on the remote machine? Is it the one in /etc/ssh/ssh_host_rsa_key or is it /etc/ssh/ssh_host_rsa_key.pub (if using rsa keys), or is it in the ~/.ssh/known_hosts file? If I contact the remote machine's party and ask them to send me the output of the command
ssh-keygen -l -f /correct/path/to/file
in an encrypted GnuPG e-mail, would that work to get the fingerprint of the openssh server? I'm trying to avoid blindly answering yes to the prompt on the first connection attempt.
What is the difference between the ssh_host_rsa_key file and the ~/.ssh/known_hosts file? ???
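
On the fingerprint question above, as an added example that is not part of the original thread: the fingerprint in the first-connection prompt is a hash of the server's public host key (the .pub file under /etc/ssh), and the client's ~/.ssh/known_hosts stores that same public key against the host name. The Python below computes the fingerprint from a public key line received out of band and compares it with the known_hosts entry for a host, including hashed entries and the [host]:port form used for non-default ports. The function names, host name, port and key bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample: bytes shaped like a key blob, not a real host key.
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa" + b"constructed sample key").decode() + " root@desk"
SAMPLE_KNOWN_HOSTS = "[friend.example.org]:2222 " + " ".join(SAMPLE_PUB.split()[:2]) + "\n"


def fingerprints(pub_line):
    """Return (md5_hex, sha256_b64) for a '<type> <base64> [comment]' key line."""
    blob = base64.b64decode(pub_line.split()[1])
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, 32, 2))  # older ssh-keygen -l style
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha


def host_matches(pattern, name):
    """Match a known_hosts host field: plain comma list or hashed |1|salt|hash."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return name in pattern.split(",")  # wildcard patterns are not handled here


def verify(known_hosts_text, host, trusted_pub_line, port=22):
    """Compare the key stored for host with a key line received out of band."""
    name = host if port == 22 else f"[{host}]:{port}"
    want = fingerprints(trusted_pub_line)
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "@")):
            continue  # comments, blank lines, @cert-authority/@revoked markers
        if host_matches(fields[0], name):
            stored = fingerprints(" ".join(fields[1:3]))
            return "match" if stored == want else "MISMATCH"
    return "unknown host"
```

A "MISMATCH" result is the case where ssh would warn that the host key has changed; "unknown host" is the case where it would show the first-connection prompt.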
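
The auth.log monitoring suggested in Reply #8 and the "sshutout or equivalent" step planned in Reply #10, as an added example that is not part of the original thread: Python that reads sshd "Failed password" lines and reports addresses that reach a failure threshold inside a time window, skipping an allow list so the helper's own address is never reported. The function name, thresholds, host name "desk" and the addresses (documentation ranges) are constructed; the banning step itself is left out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The user name is text supplied by the remote side, so the greedy (.*) makes
# the address come from the last " from <addr> port <n>" on the line.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(.*) from (\S+) port \d+(?: ssh2)?\s*$")

# Constructed sample lines in the syslog format sshd writes to auth.log.
SAMPLE_LOG = [
    f"Dec  9 15:0{i}:11 desk sshd[41{i}]: Failed password for invalid user admin "
    f"from 203.0.113.7 port 50{i}22 ssh2" for i in range(5)
] + [
    "Dec  9 15:06:40 desk sshd[500]: Failed password for helper from 198.51.100.20 port 40100 ssh2",
    "Dec  9 15:07:02 desk sshd[500]: Accepted publickey for helper from 198.51.100.20 port 40100 ssh2",
]


def offenders(lines, max_failures=5, window=timedelta(minutes=10),
              allow=frozenset(), year=2012):
    """Return {address: time the threshold was reached}; lines must be in time order.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        stamp, _user, addr = m.groups()
        if addr in allow or addr in flagged:
            continue
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[addr]
        q.append(when)
        while when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged[addr] = when
    return flagged
```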