Date: Mon, 12 Mar 2012 00:16:24 +0100
Content-Type: multipart/signed
Hi Anne
On 03/11/2012 06:24 PM, Anne Wilson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In the past I have regularly done updates on my server using ssh
> access from this laptop. I can no longer do this. It may be
> connected with the fact that I installed keychain on both the server
> and the laptop?
>
> However - strict-checking is set to "ask" which seems to be the
> default. I get
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle
> attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> e7:69:b4:4a:b3:31:39:c3:44:42:0a:b5:42:99:de:13.
> Please contact your system administrator.
> Add correct host key in /home/anne/.ssh/known_hosts to get rid of this
> message.
> Offending key in /home/anne/.ssh/known_hosts:3
> RSA host key for 192.168.0.40 has changed and you have requested
> strict checking.
> Host key verification failed.
>
> On the server I used ssh-keygen to list the fingerprint, and it
> matches the above.
The question is, where does this new host key come from? Did you create
a new host key? Did you delete the host key on the server and restart
sshd? Did you reinstall your server?
> I then copied the rsa public key into
> ~/.ssh/known_hosts, but I still can't get any further.
>
> I have tried removing the key so that there no longer is an entry
> known_hosts:3
That means line 3 of /home/anne/.ssh/known_hosts is the problem. Please
check that line in the known_hosts file and remove it.
> in the hope that it would ask me to verify, as it used
> to. When that didn't work, I replaced the key but then tried changing
> strict-checking temporarily to "no" (it's changed back now), again,
> hoping that it would allow me to verify the key.
>
> What steps have I missed? Are changes personal (i.e. re-read at
> login)
~/.ssh/known_hosts and /etc/ssh/ssh_known_hosts are re-read at every
invocation of ssh.
> or do they require a reboot?
Never.
> Should I be making changes to
> ~/.ssh or /etc/ssh files or both?
Putting the public ssh host key of a remote server into
/etc/ssh/ssh_known_hosts will provide all users of your system with the
host keys to compare when they login to the remote server. Of course you
should always verify the authenticity of the public key (if at all
possible) before you add it!
Hope that helps.
Cheers,
Andreas
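
An added example, not part of the original thread: a Python script that lists every known_hosts entry naming a host, including hashed entries (written when HashKnownHosts is enabled) that a text search for the IP address would miss, and flags those whose MD5 fingerprint differs from one verified on the server. The function names are hypothetical, and the sample file, key blobs and salt are constructed.

```python
import base64, hashlib, hmac

def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint of a key blob, as printed in the warning."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def hash_host(host, salt):
    """Build a hashed host field (|1|salt|HMAC-SHA1), as written with HashKnownHosts."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """Exact match only; wildcard and negated patterns are not handled here."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(field, hash_host(host, salt))
    return host in field.split(",")

def audit_known_hosts(text, host, verified_fp):
    """Return (line_no, key_type, status) for every entry that names host."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # skip blanks, comments and @cert-authority/@revoked lines
        if host_matches(fields[0], host):
            ok = md5_fingerprint(fields[2]) == verified_fp
            findings.append((line_no, fields[1], "ok" if ok else "STALE"))
    return findings

# Constructed sample data: key blobs are placeholder bytes, not real RSA keys.
OLD_KEY = base64.b64encode(b"constructed old host key").decode()
NEW_KEY = base64.b64encode(b"constructed new host key").decode()
SAMPLE = "\n".join([
    "otherhost.example ssh-rsa " + NEW_KEY,
    "# constructed known_hosts file",
    "192.168.0.40 ssh-rsa " + OLD_KEY,
    hash_host("192.168.0.40", b"constructed-salt-20b") + " ssh-rsa " + OLD_KEY,
])

if __name__ == "__main__":
    # verified_fp stands in for the fingerprint read on the server console.
    for finding in audit_known_hosts(SAMPLE, "192.168.0.40", md5_fingerprint(NEW_KEY)):
        print("line %d: %s %s" % finding)
```

Every line reported as STALE has to be removed before ssh will offer to record the new key; the verified fingerprint should come from the server itself, not from the connection being checked.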