Have you tried to remove your .known_hosts file?
lisa
On 2/29/16 1:50 PM, Stefan Piperov wrote:
>
> Hi Lisa,
>
> Yes, I see that the second group of login nodes now presents a new key:
>
> The fingerprint for the RSA key sent by the remote host is
> 69:5e:93:37:39:4e:cc:e7:78:cb:07:46:5f:e2:ce:e3
>
> but it is still different from the key for the first group.
>
> So - a step in the right direction, but the two groups are not
> synchronized just yet.
>
> Stefan.
>
> On Mon, 29 Feb 2016, Lisa Giacchetti wrote:
>
>> Hi Stefan and others,
>> I have checked the nodes involved and there was a problem with one
>> of the key files not being updated on cmslpc29-32 and cmslpc40. I
>> have fixed that.
>> Can you confirm that it's better? (I would but I never see these
>> spoofing warnings for some reason).
>>
>> lisa
>>
>> On 2/29/16 10:56 AM, Jesus Orduna wrote:
>>> Thanks Stefan,
>>>
>>> Experts will look into that.
>>>
>>>
>>> Jesus
>>>
>>> > On Feb 29, 2016, at 10:23 AM, Stefan Piperov <[log in to unmask]> wrote:
>>> >
>>> > I just wanted to provide this feedback on the Round-Robin SSH service of
>>> > CMSLPC, because I believe that there is still a problem there.
>>> >
>>> > With the following SSH client configuration on a SL6 machine:
>>> >
>>> > Host 131.225.* *.fnal.gov
>>> > GSSAPIAuthentication yes
>>> > GSSAPIDelegateCredentials yes
>>> > GSSAPITrustDNS yes
>>> > ForwardX11 yes
>>> > ForwardX11Trusted yes
>>> >
>>> > I clearly see two groups of login nodes (see attached lists), with two
>>> > distinct SSH keys, which - when cached in ~/.ssh/known_hosts cause only
>>> > one of the two groups of login nodes to allow connections, while the
>>> > other group gets rejected with the familiar error message below.
>>> >
>>> > Can someone at Fermi/LPC have a look and make sure that all login nodes
>>> > provide the same ssh key, please?
>>> >
>>> > Cheers,
>>> > Stefan.
>>> >
>>> > =========================================================================
>>> >
>>> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> > @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
>>> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> > The RSA host key for cmslpc-sl6.fnal.gov has changed,
>>> > and the key for the corresponding IP address 131.225.190.54
>>> > is unknown. This could either mean that
>>> > DNS SPOOFING is happening or the IP address for the host
>>> > and its host key have changed at the same time.
>>> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> > @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
>>> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>> > Someone could be eavesdropping on you right now (man-in-the-middle
>>> > attack)!
>>> > It is also possible that the RSA host key has just been changed.
>>> >
>>> > <CMSLPC-Roundobin.txt>
>>
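
The check this thread asks for (every login node behind the round-robin alias presenting the same host key), as an added example that is not part of the original messages: it groups hosts in `ssh-keyscan`-style output by MD5 fingerprint, the colon-separated form quoted above. The hostnames and key blobs are constructed placeholders, and `group_by_host_key` and `out_of_sync` are hypothetical helper names.

```python
import base64
import hashlib
from collections import defaultdict

def _blob(seed: bytes) -> str:
    # Constructed placeholder blob (not a valid RSA key); only its bytes matter here.
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + hashlib.sha256(seed).digest()).decode()

# Constructed sample in `ssh-keyscan -t rsa` form "<host> <keytype> <base64 blob>"; hosts are placeholders.
KEY_A, KEY_B = _blob(b"constructed-A"), _blob(b"constructed-B")
SAMPLE_SCAN = f"""\
# node1.example.org:22 SSH-2.0-OpenSSH_5.3
node1.example.org ssh-rsa {KEY_A}
node2.example.org ssh-rsa {KEY_A}
node3.example.org ssh-rsa {KEY_B}
node4.example.org ssh-rsa {KEY_A}
"""

def md5_fingerprint(b64_blob: str) -> str:
    """Colon-separated MD5 fingerprint of the decoded public key blob."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def group_by_host_key(scan_output: str) -> dict:
    """Map (keytype, fingerprint) -> sorted hosts presenting that key."""
    groups = defaultdict(set)
    for line in scan_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank, comment, or malformed line
        try:
            fp = md5_fingerprint(parts[2])
        except ValueError:  # undecodable base64
            continue
        for host in parts[0].split(","):  # keyscan may list "name,ip"
            groups[(parts[1], fp)].add(host)
    return {key: sorted(hosts) for key, hosts in groups.items()}

def out_of_sync(groups: dict, keytype: str = "ssh-rsa") -> list:
    """Hosts not presenting the most common key (assumed, not proven, to be the intended one)."""
    by_fp = {fp: hosts for (kt, fp), hosts in groups.items() if kt == keytype}
    if len(by_fp) <= 1:
        return []
    majority = max(by_fp, key=lambda fp: len(by_fp[fp]))
    return sorted(h for fp, hosts in by_fp.items() if fp != majority for h in hosts)

if __name__ == "__main__":
    groups = group_by_host_key(SAMPLE_SCAN)
    print(groups, "out of sync:", out_of_sync(groups))
```

The majority key only tells you which nodes disagree; which fingerprint is the correct one still has to be confirmed with the site administrators over a separate channel.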