LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 11-04-2003, 11:51 AM   #1
itsjustme
Senior Member
 
Registered: Mar 2003
Location: Earth
Distribution: Slackware, Ubuntu, Smoothwall
Posts: 1,571

Rep: Reputation: 45
ssh rsa key changed after upgrade


Just upgraded Solaris 8 to 9.
Now, when I try to ssh in from a linux box I am getting:
Quote:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn.
Please contact your system administrator.
Add correct host key in /home/user1/.ssh/known_hosts to get rid of this message.
Offending key in /home/user1/.ssh/known_hosts:2
RSA host key for thisbox.thisdomain.com has changed and you have requested strict checking.
Host key verification failed.
(actual key and domain changed to protect the innocent. )

I am not familiar with the rsa key stuff.
I can't contact the admin, for I am he.
How do I: Add correct host key in /home/user1/.ssh/known_hosts to get rid of this message.

Also, I see that it says: Offending key in /home/user1/.ssh/known_hosts:2
But I don't know what to do about it.

Thanks for any help.

Last edited by itsjustme; 11-04-2003 at 11:53 AM.
 
Old 11-04-2003, 12:21 PM   #2
HappyTux
Senior Member
 
Registered: Mar 2003
Location: Nova Scotia, Canada
Distribution: Debian AMD64
Posts: 3,513

Rep: Reputation: 63
Re: ssh rsa key changed after upgrade

Quote:
Originally posted by itsjustme
Just upgraded Solaris 8 to 9.
Now, when I try to ssh in from a linux box I am getting:

(actual key and domain changed to protect the innocent. )

I am not familiar with the rsa key stuff.
I can't contact the admin, for I am he.
How do I: Add correct host key in /home/user1/.ssh/known_hosts to get rid of this message.

Also, I see that it says: Offending key in /home/user1/.ssh/known_hosts:2
But I don't know what to do about it.

Thanks for any help.
Edit the file /home/user1/.ssh/known_host with your favorite editor and remove the key. The keys have the format of:

Code:
192.168.0.1 ssh-rsa DFASDFhuiorj0fladsfkljlkjdsfknjasGDSGKirotmasdf#$%9sfnn
fjklasjfosafjoiweruwqejr......
Delete the second one next time you log in with ssh it will ask you if you want to import the key for the unknown host say yes and it will import the key and work.
 
Old 11-04-2003, 12:39 PM   #3
itsjustme
Senior Member
 
Registered: Mar 2003
Location: Earth
Distribution: Slackware, Ubuntu, Smoothwall
Posts: 1,571

Original Poster
Rep: Reputation: 45
OK, the known_hosts file only had 2 lines, both for the same box, one by IP and one by domain name.
So, I simply renamed (as opposed to deleted, for now) the known_hosts file and tried again.
This time, along with a new known_hosts file, I get:
Quote:
[user1@linux user1]$ ssh thisbox.thisdomain.com -l root
The authenticity of host 'thisbox.thisdomain.com (nn.nn.nn.nn)' can't be established.
RSA key fingerprint is nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'thisbox.thisdomain.com,nn.nn.nn.nn' (RSA) to the list
of known hosts.
root@thesolarisbox.thisdomain.com's password:
Permission denied, please try again.
root@thesolarisbox.thisdomain.com's password:
I know the password is correct? What else do I need to do to get past this?

Thanks for the reply.
 
Old 11-04-2003, 01:05 PM   #4
HappyTux
Senior Member
 
Registered: Mar 2003
Location: Nova Scotia, Canada
Distribution: Debian AMD64
Posts: 3,513

Rep: Reputation: 63
Quote:
Originally posted by itsjustme
OK, the known_hosts file only had 2 lines, both for the same box, one by IP and one by domain name.
So, I simply renamed (as opposed to deleted, for now) the known_hosts file and tried again.
This time, along with a new known_hosts file, I get:


I know the password is correct? What else do I need to do to get past this?

Thanks for the reply.
Well since you have strict host checking turned on you most likely have the no ROOT login turned on as well, try logining in as a normal user on the machine (you do have a normal user account on the box right?) then su to get to root which is the recommended way to do things anyway.
 
Old 11-04-2003, 02:10 PM   #5
itsjustme
Senior Member
 
Registered: Mar 2003
Location: Earth
Distribution: Slackware, Ubuntu, Smoothwall
Posts: 1,571

Original Poster
Rep: Reputation: 45
Actually, I don't have a user id on the machine. I am using root from a machine right next to the solaris box in the network closet. Other people do have accounts, and they aren't going to be able to ssh in until I find out how to resolve this issue. One guy has already reported that he can't ssh in from his windows machine.

Possibly, that strict restriction was set to 'no' before the upgrade and possibly I need to figure out how to turn that off. Or, it was set to be strict and then I have to figure out why I am getting the permission denied now.
Before the upgrade, this worked:
[user1@linux user1]$ ssh thisbox.thisdomain.com -l root

So, how do I get the above line to work again without a permission denied?

Thanks!
 
Old 11-04-2003, 03:29 PM   #6
itsjustme
Senior Member
 
Registered: Mar 2003
Location: Earth
Distribution: Slackware, Ubuntu, Smoothwall
Posts: 1,571

Original Poster
Rep: Reputation: 45
If I type in the root password 3 times, the third permission denied message looks like this:

Permission denied (publickey,password).

Is this now looking for something more than a password? If it is looking for a publickey entry of some sort to be typed in, then I need to turn that off, apparently, since I didn't get this before.

Right? Wrong?

Thanks..
 
Old 11-04-2003, 07:56 PM   #7
itsjustme
Senior Member
 
Registered: Mar 2003
Location: Earth
Distribution: Slackware, Ubuntu, Smoothwall
Posts: 1,571

Original Poster
Rep: Reputation: 45
I found the /etc/ssh/sshd_config file and PermitRootLogin was set to no.
After I went into my local $HOME/.ssh/known_hosts and deleted the previous line for thesolarisbox.thisdomain.com, I set PermitRootLogin to yes and was able to log in. I am new to this and appreciate the input. I created myself another userid so I can set that back to no. The new user had no rsa key problems.

Now, I have a user who is trying to login from a Windows machine using ssh via SecureCRT. Something he did freely before the solaris upgrade. I believe he also got the big warning about host identification changing. Apparently he was able to do the windows equivalent of deleting the rsa line from the known_hosts file. (What is that by the way, if you know?) But, he is still unable to login. He still gets some RSA authentication error of some sort. I'll have to double check that tomorrow at the office.
Is there a method, or something, to follow to get ssh going after an upgrade changes things? Especially tasks to do for the current users, either from the ssh server machine or from each client machine, linux, Solaris, and Windows?

Thanks...
 
Old 11-04-2003, 09:01 PM   #8
joseph
Member
 
Registered: Jun 2003
Location: Batam
Distribution: Ubuntu 10 And Linux Mint
Posts: 414

Rep: Reputation: 30
this is what i do when when the ssh key changed.
vi known_host2, and deleted the file content, save it and let it an empty.
do the ssh again.
 
Old 11-04-2003, 09:08 PM   #9
itsjustme
Senior Member
 
Registered: Mar 2003
Location: Earth
Distribution: Slackware, Ubuntu, Smoothwall
Posts: 1,571

Original Poster
Rep: Reputation: 45
Yeah, I did the modification to known_hosts on my linux box, as I stated in my post.

I need to know what a windows user, using SecureCRT, or some other ssh client app, needs to do.
 
Old 11-04-2003, 09:11 PM   #10
joseph
Member
 
Registered: Jun 2003
Location: Batam
Distribution: Ubuntu 10 And Linux Mint
Posts: 414

Rep: Reputation: 30
in my case, the windows user didn't do anything in their part, just redo the ssh again with the ssh client such putty and everything going smoothly.
Try it, there is nothing to lose.
 
Old 11-05-2003, 09:27 AM   #11
itsjustme
Senior Member
 
Registered: Mar 2003
Location: Earth
Distribution: Slackware, Ubuntu, Smoothwall
Posts: 1,571

Original Poster
Rep: Reputation: 45
Quote:
the windows user didn't do anything in their part
Wel, I'm happy for them.

Anybody else have some ideas regarding this ssh issue for me.

Thanks.
 
Old 11-06-2003, 09:12 AM   #12
itsjustme
Senior Member
 
Registered: Mar 2003
Location: Earth
Distribution: Slackware, Ubuntu, Smoothwall
Posts: 1,571

Original Poster
Rep: Reputation: 45
Ok, the windows user deleted his local profile and and now he is able to ssh back in with a newly created profile.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Which is better RSA or DSA public key? tarballedtux Linux - Security 12 02-03-2009 06:15 AM
failed ssh RSA key authentication jdarren Linux - Networking 15 07-06-2008 10:25 AM
RSA host key for 172.17.5.60 has changed ssharma_02 Red Hat 3 11-15-2006 09:55 AM
ssh RSA key thanat0s Linux - Security 3 09-29-2003 09:51 PM
RSA public key encryption/private key decription koningshoed Linux - Security 1 08-08-2002 07:25 AM


All times are GMT -5. The time now is 05:08 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration