SCIENTIFIC-LINUX-USERS Archives

March 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Andreas Petzold <[log in to unmask]>
Date:
Mon, 12 Mar 2012 00:16:24 +0100
	Hi Anne

On 03/11/2012 06:24 PM, Anne Wilson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In the past I have regularly done updates on my server using ssh
> access from this laptop.  I can no longer do this.  It may be
> connected with the fact that I installed keychain on both the server
> and the laptop?
>
> However - strict-checking is set to "ask" which seems to be the
> default.  I get
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle
> attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> e7:69:b4:4a:b3:31:39:c3:44:42:0a:b5:42:99:de:13.
> Please contact your system administrator.
> Add correct host key in /home/anne/.ssh/known_hosts to get rid of this
> message.
> Offending key in /home/anne/.ssh/known_hosts:3
> RSA host key for 192.168.0.40 has changed and you have requested
> strict checking.
> Host key verification failed.
>
> On the server I used ssh-keygen to list the fingerprint, and it
> matches the above.

The question is, where does this new host key come from? Did you create 
a new host key? Did you delete the host key on the server and restart 
sshd? Did you reinstall your server?

> I then copied the rsa public key into
> ~/.ssh/known_hosts, but I still can't get any further.
>
> I have tried removing the key so that there no longer is an entry
> known_hosts:3

That means line 3 of /home/anne/.ssh/known_hosts is the problem. Please 
check that line in the known_hosts file and remove it.

> in the hope that it would ask me to verify, as it used
> to.  When that didn't work, I replaced the key but then tried changing
> strict-checking temporarily to "no" (it's changed back now), again,
> hoping that it would allow me to verify the key.
>
> What steps have I missed?  Are changes personal (i.e. re-read at
> login)

~/.ssh/known_hosts and /etc/ssh/ssh_known_hosts are re-read at every 
invocation of ssh.

> or do they require a reboot?

Never.

> Should I be making changes to
> ~/.ssh or /etc/ssh files or both?

Putting the public ssh host key of a remote server into 
/etc/ssh/ssh_known_hosts will provide all users of your system with the 
host keys to compare when they log in to the remote server. Of course you 
should always verify the authenticity of the public key (if at all 
possible) before you add it!

Hope that helps.

	Cheers,

		Andreas
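
An added example, not part of the original message: a Python sketch that finds every known_hosts entry for a host, including hashed ones, and marks each as matching or not matching a fingerprint verified on the server itself. The key blobs, salt and file contents are constructed placeholders, and plain host fields are assumed to be exact names.

```python
import base64, hashlib, hmac

def md5_fingerprint(key_b64):
    """Colon-separated MD5 of the decoded key blob (the format in the warning)."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def host_matches(field, host):
    """Match a host field: hashed form |1|salt|hmac-sha1, or exact plain names."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64))
    return host in field.split(",")  # assumption: no wildcards or [host]:port

def audit(known_hosts_text, host, verified_fp):
    """Return (line_no, key_type, fingerprint, status) for entries naming host."""
    rows = []
    for line_no, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        # Skip blanks, comments, and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if host_matches(fields[0], host):
            fp = md5_fingerprint(fields[2])
            rows.append((line_no, fields[1], fp,
                         "ok" if fp == verified_fp else "stale"))
    return rows

# Constructed sample data: placeholder bytes stand in for real key blobs.
OLD_KEY = base64.b64encode(b"constructed old host key").decode()
NEW_KEY = base64.b64encode(b"constructed new host key").decode()
SALT = b"constructed-salt"
HASHED_HOST = "|1|%s|%s" % (
    base64.b64encode(SALT).decode(),
    base64.b64encode(hmac.new(SALT, b"192.168.0.40", hashlib.sha1).digest()).decode())
SAMPLE = "\n".join([
    "192.168.0.10 ssh-rsa " + NEW_KEY,
    "# laptop entries",
    "192.168.0.40 ssh-rsa " + OLD_KEY,    # line 3: key from before the change
    HASHED_HOST + " ssh-rsa " + NEW_KEY,  # line 4: hashed entry, current key
])
# Assumption: this fingerprint was read on the server itself, not over the network.
VERIFIED_FP = md5_fingerprint(NEW_KEY)

if __name__ == "__main__":
    for row in audit(SAMPLE, "192.168.0.40", VERIFIED_FP):
        print(row)
```

On a real system, `ssh-keygen -F 192.168.0.40` performs the lookup and `ssh-keygen -R 192.168.0.40` removes the matching entries.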


