#_ITandME blog

February 23, 2016

Hard Lessons with Key-Based Authentication


Last night I decided to blow away my personal laptop that was happily running CentOS in order to play with Ubuntu. So far I've been very happy with my decision...except for the loss of a few things; things like my gpg keys, which my password vault uses to secure all my SSH and personal passwords. oops...

So here I am with all my passwords safely locked away where I will never see them. On a whim I looked into ways of recovering GPG passwords. This, by all accounts I read, was laughably impossible by standard methods. That toasted most passwords, like my email or bank account, but what about my password to the webserver? Would my SSH keys still be useful? Would I ever be able to post again?!

Turns out not so much on the key account. As my machine had been rebuilt with new SSH keys generated, it had no memory of my server. I needed a machine that had previously pushed keys that had not changed. Here another problem arose; my public IP, which I used to connect over (too cheap for a domain name), had changed...so the known_hosts file under .ssh would not recognize the "new" server fingerprint and would force me to authenticate with a password I couldn't produce.

At this point I had to get creative or else plan on recovering my webserver from backup. My secondary had to have a good fingerprint after all, at least one generated from my webserver in the past. All that really changed was the IP address at the front which SSH looks for...so I thought, what the heck, just change it to my new public IP on the fingerprint and give it another go.

Bingo. After updating my SSH config, I was able to SSH into my webserver using the old fingerprint initialized with the new public IP without needing to authenticate by password. Success! Now to change and back up the password...
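The rewrite described above, keeping the pinned host key and swapping only the address in front of it, as an added Python example that is not part of the original post. It also covers the case the post does not hit: with `HashKnownHosts yes` the address is stored as a salted HMAC-SHA1 and cannot be text-edited, so the hash is recomputed with the stored salt. Addresses, alias names and the key are constructed samples.

```python
import base64
import hashlib
import hmac

def hash_host(host: str, salt: bytes) -> str:
    """Return the host field OpenSSH writes when HashKnownHosts is on:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))"""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                            base64.b64encode(digest).decode())

def rehome_entry(line: str, old_host: str, new_host: str) -> str:
    """Point one known_hosts line at new_host, keeping the pinned key intact.

    A plain host field may hold several names separated by commas; a hashed
    field holds exactly one, so its HMAC is recomputed with the stored salt.
    Comments, marker lines (@cert-authority, @revoked) and lines that do not
    match old_host come back unchanged.
    """
    stripped = line.rstrip("\n")
    if not stripped or stripped.startswith("#"):
        return line
    parts = stripped.split(" ", 1)          # host field, then "keytype key [comment]"
    if len(parts) != 2:
        return line
    host_field, key_part = parts
    if host_field.startswith("|1|"):
        _, _, salt_b64, stored_hash = host_field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        if hash_host(old_host, salt).split("|")[3] != stored_hash:
            return line
        return "{} {}".format(hash_host(new_host, salt), key_part)
    hosts = host_field.split(",")
    if old_host not in hosts:
        return line
    hosts = [new_host if h == old_host else h for h in hosts]
    return "{} {}".format(",".join(hosts), key_part)

def rehome_known_hosts(text: str, old_host: str, new_host: str) -> str:
    """Apply rehome_entry to every line of a known_hosts file's contents."""
    return "\n".join(rehome_entry(l, old_host, new_host) for l in text.split("\n"))

# Constructed sample data (not from the original post): one key pinned for the
# old address in plain form, the same key hashed with a fixed salt, and an
# unrelated host that must survive untouched.
OLD_IP, NEW_IP = "203.0.113.10", "198.51.100.20"
KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKey0000000000000000000"
SALT = bytes(range(20))
SAMPLE = "\n".join([f"{OLD_IP} {KEY}",
                    f"{hash_host(OLD_IP, SALT)} {KEY}",
                    f"192.0.2.7,webserver {KEY}"])

if __name__ == "__main__":
    print(rehome_known_hosts(SAMPLE, OLD_IP, NEW_IP))
```

After writing the result back, `ssh-keygen -F <new-ip>` should print the re-homed entry (it understands hashed lines too), confirming the same key is still pinned rather than a fresh one being accepted blind on first connect.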

Take-aways:
- Never. Never. Never. leave keys behind. Bad things happen...especially for key-based auth machines...
- Always have those passwords somewhere you can get to them
- known_hosts fingerprints are TOTALLY malleable. I don't know why but I always thought there was something magic about them that would make them tamper proof. Such is not the case, which proves again how physical access to a device is just scary.
- Finally...I still have so much to learn...