CMS_UAF_USERS Archives

February 2016, Week 5

CMS_UAF_USERS@LISTSERV.FNAL.GOV

Subject:
From: Lisa Giacchetti <[log in to unmask]>
Reply To: Lisa Giacchetti <[log in to unmask]>
Date: Mon, 29 Feb 2016 14:34:40 -0600

Have you tried to remove your .known_hosts file?

lisa

On 2/29/16 1:50 PM, Stefan Piperov wrote:
>
> Hi Lisa,
>
> Yes, I see that the second group of login nodes now presents a new key:
>
> The fingerprint for the RSA key sent by the remote host is
> 69:5e:93:37:39:4e:cc:e7:78:cb:07:46:5f:e2:ce:e3
>
> but it is still different from the key for the first group.
>
> So - a step in the right direction, but the two groups are not 
> synchronized just yet.
>
> Stefan.
>
> On Mon, 29 Feb 2016, Lisa Giacchetti wrote:
>
>> Hi Stefan and others,
>>  I have checked the nodes involved and there was a problem with one 
>> of the key files not being updated on cmslpc29-32 and cmslpc40. I 
>> have fixed that.
>>  Can you confirm that it's better? (I would but I never see these 
>> spoofing warnings for some reason).
>>
>> lisa
>>
>> On 2/29/16 10:56 AM, Jesus Orduna wrote:
>>>  Thanks Stefan,
>>>
>>>  Experts will look into that.
>>>
>>>
>>>  Jesus
>>>
>>> > On Feb 29, 2016, at 10:23 AM, Stefan Piperov <[log in to unmask]> wrote:
>>> >
>>> > I just wanted to provide this feedback on the Round-Robin SSH service of
>>> > CMSLPC, because I believe that there is still a problem there.
>>> >
>>> > With the following SSH client configuration on a SL6 machine:
>>> >
>>> > Host 131.225.* *.fnal.gov
>>> >          GSSAPIAuthentication yes
>>> >          GSSAPIDelegateCredentials yes
>>> >          GSSAPITrustDNS yes
>>> >          ForwardX11 yes
>>> >          ForwardX11Trusted yes
>>> >
>>> > I clearly see two groups of login nodes (see attached lists), with two
>>> > distinct SSH keys, which - when cached in ~/.ssh/known_hosts cause only
>>> > one of the two groups of login nodes to allow connections, while the
>>> > other group gets rejected with the familiar error message below.
>>> >
>>> > Can someone at Fermi/LPC have a look and make sure that all login nodes
>>> > provide the same ssh key, please?
>>> >
>>> > Cheers,
>>> > Stefan.
>>> >
>>> > =========================================================================
>>> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> > @        WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
>>> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> > The RSA host key for cmslpc-sl6.fnal.gov has changed,
>>> > and the key for the corresponding IP address 131.225.190.54
>>> > is unknown. This could either mean that
>>> > DNS SPOOFING is happening or the IP address for the host
>>> > and its host key have changed at the same time.
>>> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> > @     WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>>> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>> > Someone could be eavesdropping on you right now (man-in-the-middle
>>> > attack)!
>>> > It is also possible that the RSA host key has just been changed.
>>> >
>>> > <CMSLPC-Roundobin.txt>
>>
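
The check discussed in this thread (do all login nodes behind one round-robin name present the same host key?) can be automated. The following is an added example, not part of the original messages or of any Fermilab tooling: it groups hosts by RSA host-key fingerprint from text in `ssh-keyscan` output format ("host keytype base64"). The host names and key blobs in `SAMPLE_SCAN` are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict

def md5_fingerprint(key_b64: str) -> str:
    """Legacy colon-separated MD5 fingerprint, the format quoted in the thread."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def sha256_fingerprint(key_b64: str) -> str:
    """Fingerprint format printed by current OpenSSH clients."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def group_by_host_key(scan_text: str, key_type: str = "ssh-rsa") -> dict:
    """Map fingerprint -> sorted hosts, from 'host keytype base64' lines."""
    groups = defaultdict(set)
    for line in scan_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#") or fields[1] != key_type:
            continue  # banner comments, blank lines, other key types
        for host in fields[0].split(","):  # known_hosts-style "name,ip"
            groups[md5_fingerprint(fields[2])].add(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items()}

def has_mismatch(groups: dict) -> bool:
    """True when nodes behind one service name present more than one key."""
    return len(groups) > 1

def _fake_key(seed: bytes) -> str:
    # Constructed placeholder blob, not a real RSA public key.
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + seed).decode()

# Constructed sample: host names and keys are illustrative only.
SAMPLE_SCAN = "\n".join([
    "# login01.example.org:22 SSH-2.0-OpenSSH_5.3",
    f"login01.example.org ssh-rsa {_fake_key(b'A')}",
    f"login02.example.org ssh-rsa {_fake_key(b'A')}",
    f"login03.example.org ssh-rsa {_fake_key(b'B')}",
])

if __name__ == "__main__":
    for fp, hosts in group_by_host_key(SAMPLE_SCAN).items():
        print(fp, ", ".join(hosts))
```

On a real cluster the input would be the combined output of `ssh-keyscan -t rsa` run against each login node by name; more than one group in the result reproduces the two-group situation reported above.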
