
Re: ssh fingerprint mismatch for one single client



On 2020-09-19 15:42, Beco wrote:
> On Sat, 19 Sep 2020 at 18:55, mick crane <mick.crane@gmail.com> wrote:
>
>> Student can connect via the mobile network but not through the ISP
>> router?
>> Might that be the port for ssh on the router?
>
> Yes, student can connect via mobile.
>
> And, somewhat "yes", student can kind of connect via ISP. It is not that
> the port is blocking traffic.
> The fingerprint appears, and if the wrong one is accepted, the password is
> asked for.
>
> But then, of course, the connection fails.

First, disable Bob's account until later (see below).


Second, assess if your server(s) and/or network(s) have been compromised.


Third, tighten security.


Related to this incident, set up an unprivileged account for yourself, install your authorized_keys file, make sure you can log in to your account via public key authentication, and make sure you can su(1) to root or use sudo(8) to get a root shell. Then edit sshd_config(5) so that unprivileged users log in with SSH public keys and the root user cannot log in:

    PasswordAuthentication no
    PermitRootLogin no


Restart sshd for the settings to take effect:

    # service sshd restart
    # service sshd status


Your students will need to send you their authorized_keys files and you will need to install those files for the students to log in. Passwords will no longer be required nor accepted. If a fingerprint does not match and a student tries to log in anyway, their account and your server will not be compromised. Enable Bob's account.


Security is an endless topic. Please post if you have questions or need more ideas.


David
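An added example (not part of David's message or the thread): a small POSIX shell audit of an sshd_config for the two settings recommended above, run before restarting sshd. It assumes a file in sshd_config(5) syntax and uses constructed sample files rather than a real server's config.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the two settings
# David recommends before restarting sshd. sshd uses the FIRST value it reads
# for a keyword, so a hardened line appended below an earlier
# "PasswordAuthentication yes" is silently ignored, and lines after "Match"
# only apply to matching connections. Keywords are case-insensitive.

# Print the effective global value of a keyword ($2) from config file $1.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank and comment lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (match(line, /[ \t=]+/)) {        # "Key value" or "Key=value"
                k = tolower(substr(line, 1, RSTART - 1))
                v = substr(line, RSTART + RLENGTH)
            } else { k = tolower(line); v = "" }
            sub(/[ \t]+$/, "", v)
            if (k == "match") exit               # rest is conditional
            if (k == key) { print v; exit }      # first occurrence wins
        }' "$1"
}

# Return 0 if both settings are hardened, 1 otherwise; prints each finding.
check_sshd_hardening() {
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        val=$(sshd_option "$1" "$kw")
        if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = no ]; then
            echo "$kw: no (ok)"
        else
            echo "$kw: ${val:-unset, so the default applies} (FAIL)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not real files from the thread).
BAD_CFG=$(mktemp); GOOD_CFG=$(mktemp)
trap 'rm -f "$BAD_CFG" "$GOOD_CFG"' EXIT
printf '%s\n' 'Port 22' 'PasswordAuthentication yes' 'PermitRootLogin no' \
    '# hardened line appended later; sshd ignores it:' \
    'PasswordAuthentication no' >"$BAD_CFG"
printf '%s\n' 'PasswordAuthentication no' 'PermitRootLogin=no' \
    'Match User deploy' '    PasswordAuthentication yes' >"$GOOD_CFG"

echo "== bad config";  check_sshd_hardening "$BAD_CFG"  || echo "-> fix before restart"
echo "== good config"; check_sshd_hardening "$GOOD_CFG"
```

On a live server, `sshd -T` (run as root) prints the values sshd actually resolved and is the authoritative check; the parser above is for auditing files offline.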

