2014-03-13

SSH Key Magic for pkgs and fedorahosted (or how to not cause false logins)

So every couple of hours, I check the Fedora Project's servers logs to see if we have had failed logins, bad logins, etc. Sometimes people decide that they really really want to see if they can log in as someone else using '123456' or something. Its all fun and games until your atmosphere gets sucked into space (or something). One of the problems I see a lot though is that developers may get denials getting into fedorahosted.org or pkgs.fedoraproject.org due to the fact that they have multiple SSH public private keys.

Unless told otherwise, most ssh clients do not have a heuristic to know which public/private key to use for which site.. and so will have to play 20 questions to see if any of them work. If you have a lot of keys, this can result in you being denied access because your client tried 4 keys and didn't get the right one. Those 4 keys might get logged as seperate failed attempts which can make it look like someone is trying to break into an account, and then I need to send an email to make sure it was X really trying to log into fedorahosted.org at 4 am in the morning.

There is a way to avoid this problem by editing your .ssh/config file to know the appropriate key for each server (or set of servers). I use a variant of the following to cut down the problems.



Host  *.fedorahosted.org *fedorapeople.org *.fedoraproject.org
    User X
    IdentityFile ~/.ssh/id_fedora_rsa.pub
ForwardAgent no ForwardX11 no Port 22 KeepAlive yes HashKnownHosts no GSSAPIAuthentication no VerifyHostKeyDNS yes ControlMaster no

To explain the lines:

  1. The Host configuration option says for the following hosts the following settings are to be used.
  2. Set the account name to X. [EG change this to match the account you use.
  3. Use the specific public key in this file for this system. This is actually the most important line and should cut down the failed attempts per user.
  4. Do not forward my ssh credentials. I do this to cut off possible forwarding attacks where an malevolent host can leapfrog to other machines that id_fedora_rsa would be trusted.
  5. Do not forward X11. The boxes I log into don't normally run X11 so this is more about cutting down a "hey can I run X11?" question from my client to the server.
  6. Use port 22. I am being pedantic here because I have it set to other ports for some other boxes in my .ssh/config.
  7. KeepAlive is turned on because I am on wireless and sometime things quit talking.
  8. Don't hash my known hosts.. mainly because I find I need to read where I have been as much as someone who might break into my account.
  9. None of these systems use kerberos so turning off GSSAPI means its anotehr set of "Hey can I?" questions not asked during login.
  10. If possible verify the hosts public key in ssh. Not really useful without a signed DNS.. but someday :).
  11. Don't use controlmaster for this host. Multiplexing is good when you need it, but I don't generally need it. I have it here as another 'Can I?' which may slow down login for some connections.
Anyway, if you connect up your hosts with your keys, you can make sure your client isn't trying to authenticate your Fedora account with your GNOME, KDE, School, Home, etc etc keys.

Fell off the Internet.

Well that was fun and exciting.. I fell off the Internet for 8 months. Nothing broken, just a bunch of little things which took up my time.


  1. CentOS and Red Hat are now co-habitating. This was a project that came out of the blue early last summer and I was told to treat with utmost secrecy. So that cut down what I could say about anything. 
  2. Dog attacks aren't fun. I had an unfortunate case where my dog and another dog got into a fight and I tried to break it up. Scariest 10 minutes of my life. I am glad I only got out of it with a couple of bites and no one else was hurt. That took much of November out of my life.
  3. If you are over 35 years old, get your flu shot. There are multiple versions of the flu which affect people over 35 much worse than people under that age. Also anti-viral drugs work better than I thought and I didn't come down with pneumonia versus the other people I knew who came down with this version.
  4. Losing a best friend takes a lot out of you. You are missed Seth.

Anyway, I am back and should have a couple of posts in me before I fall off the internet again.