Home » Oracle » 1z0-821 » Which two are true?
User jack logs in to host solaris and then attempts to log in to host oracle using ssh. He receives the following error message:
The authenticity of host oracle (192.168.1.22) can’t be established. RSA key fingerprint is 3B:23:a5:6d:ad:a5:76:83:9c:c3:c4:55:a5:18:98:a6
Are you sure you want to continue connecting (yes/no)?
Which two are true?
A. The public host key supplied by solaria is not known to the host oracle.
B. The error would not occur if the RSA key fingerprint shown in the error message was added to the /etc/ssh/known_hosts file on solaris.
C. The private host key supplied by oracle is not known to solaris.
D. If jack answers yes, the RSA public key for the host oracle will be added to the known_hosts file for the user jack.
E. The public host key supplied by oracle is not known to the host solaris.
Correct Answer: BD
Explanation/Reference:
Explanation:
The fingerprints are used to guard against man in the middle attacks. Since ssh logins usually work over the internet (an insecure connection), someone could hijack your connection. When you try to log into yourmachine.com, he could get "in the middle" and return your challenge as if he was yourmachine.com. That way, he could get hold of your login password.
To make this attack harder, ssh stores the fingerprint of the server’s public key on the first connection attempt. You will see a prompt like:
The authenticity of host ‘eisen (137.43.366.64)’ can’t be established.
RSA key fingerprint is cf:55:30:31:7f:f0:c4:a0:9a:02:1d:1c:41:cf:63:cf.
Are you sure you want to continue connecting (yes/no)
When you enter yes, ssh will add the fingerprint to your known_hosts file. you will see
Code:
Warning: Permanently added ‘eisen, 137.43.366.64’ (RSA) to the list of known hosts.
The next time you login, ssh will check whether the host key has changed. A changing host key usually indicates a man in the middle attack, and ssh refuses to connect.
|
Download Printable PDF. VALID exam to help you PASS.
|
 |
Correct answers:
D, if you hit yes..then the oracle ssh_host_rsa_key.pub is added to your user .ssh/known_hosts file.
E, if the oracle ssh_host_rsa_key.pub would have already been in /etc/ssh/ssh_known_users file, then you wouldn’t have been prompted for the RSA fingerprint.
Now, B could also be correct if they’d replace RSA keyfingerprint with HOST RSA Public Key.
and E is also unfortunately phrased since what oracle supplies in that message is the RSA keyfingeprint.
==============
Who labeled the initial answers as correct? is it the system who gives the certification, or is just a person who took the test?
Sorry mistake :
cat known-hosts # see for yourself that fingerprint is not saved, the srv private key is
not srv private key but its public key that is. Private keys are not (and should not) leave the server ora application they are intended for!
B – is absolutely wrong, the key fingerprint from the error is some sort of hash of a remote server public key.
You can reproduce test it like this:
mv known-hosts known.hosts.bck # move away your known host file containing existing/known server keys.
ssh user@localhost # accept the localhost host key
cat known-hosts # see for yourself that fingerprint is not saved, the srv private key is
ssh-keygen -l -f known-hosts # verify that you get the same fingerprint as accepted above in ssh session
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub # see (by the fingerprint) that it is exactly the same key you got while connecting with SSH.
========
so the correct answers should be DE,
since if you add the host oracle public key to the solaris:/etc/ssh/ssh_known_hosts in appropriate format ( just like user known_hosts) it will not prompt to accept the key for every user connecting first time to host oracle.