LinuxQuestions.org
Old 10-17-2012, 09:46 AM   #1
Rohit_4739
Member
 
Registered: Oct 2010
Distribution: Red Hat
Posts: 224

Rep: Reputation: 9

Hello,

I am having an issue with one of our servers. Let me give a little insight into it: I was trying to SSH to one of our Linux servers and I was presented with the following error, which I am totally aware of and fully understand.
Quote:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
23:00:21:33:d4:0f:95:f1:eb:34:b2:57:cf:3f:2c:e7.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:8
RSA host key for example.com has changed and you have requested strict checking.
Host key verification failed.
So I tried the options I could think of:

1. First I deleted the entry for this server from my known_hosts file on the client and then tried the SSH again so that it's a new connection. But to my surprise the server is not offering the public host key to accept but is asking for the root password for the server.

2. I also tried setting the StrictHostKeyChecking option to no, but even that did not work.

So my questions here:

a) Why is the server not offering the new public key and asking me "If you want to continue (yes/no)"?

b) After removing the server public key from the known_hosts file it starts asking for a password, but if the server public key is not removed then it does not ask for a password. So if I understand correctly, the known_hosts file has nothing to do with passwordless authentication.

Any help would be greatly appreciated!

How does the SSH client verify the server's identity for the very first time, before it has been added to the known_hosts file? Sorry to say that it might sound a little stupid, but it is troubling me a lot and I have not been able to find the correct, precise answer even after intense googling.

What I mean to ask is how exactly a client comes to know that the SSH server it has initiated a connection to is what it says it is. A man-in-the-middle system can impersonate the actual SSH server and present its own public key to the client, and then the client will add it to its known_hosts list.

I know it might sound a bit silly or stupid, but I am having a hard time figuring out how exactly an SSH client verifies the SSH server's identity for the very first time when it initiates the connection, before it has added the entry to its known_hosts file.

I have done quite intense googling but I have still not found a precise, satisfactory answer, so if someone can please tell me how exactly the client comes to know that it is indeed talking to the server it should be talking to.

Last edited by unSpawn; 10-18-2012 at 11:51 AM. Reason: //merge threads again
 
Old 10-17-2012, 11:01 AM   #2
torchnw
LQ Newbie
 
Registered: Jun 2008
Distribution: Ubuntu, Debian, Mint, Fedora, Arch
Posts: 23

Rep: Reputation: 4
a) Don't know, but try renaming known_hosts temporarily, in case another entry is causing problems

b) For passwordless login, the public key of the client must be stored in ~/.ssh/authorized_keys for the user you're logging in as on the server.
 
Old 10-18-2012, 04:30 AM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
It puts the onus on you. By default, you need to manually accept the identity key the server provides. There's clearly no formal basis for knowing a server is legit (compared to trusted root CAs in the HTTPS world) so you have to arbitrarily draw a line yourself by saying you trust them on the first connect.
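
Added example, not part of the original thread: one way to make the first-connection decision less arbitrary is to compare the key's fingerprint with one obtained from the server's administrator over a separate channel (an assumption; the thread does not describe this step). The code computes the colon-separated MD5 fingerprint format shown in the warning above, and also the SHA256 format that newer OpenSSH releases print; the key blob and function names are constructed for illustration.

```python
import base64
import hashlib

def _ssh_string(data):
    # SSH wire encoding: 4-byte big-endian length, then the bytes.
    return len(data).to_bytes(4, "big") + data

# Constructed sample (not a real key): "ssh-rsa" blob with dummy e and n.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00" + bytes(range(1, 129))))
SAMPLE_LINE = ("example.com,192.0.2.10 ssh-rsa "
               + base64.b64encode(SAMPLE_BLOB).decode())

def parse_known_hosts_line(line):
    """Return (hosts, key_type, blob) for one unhashed known_hosts entry."""
    fields = line.split()
    if fields and fields[0].startswith("@"):   # @cert-authority / @revoked
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("not a known_hosts entry")
    hosts, key_type, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob names its own key type; a mismatch means a damaged entry.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return hosts.split(","), key_type, blob

def md5_fingerprint(blob):
    # Legacy format, as printed in the warning quoted in this thread.
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(blob):
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_matches(line, expected):
    """True only if the entry's key has the fingerprint obtained out of band."""
    _, _, blob = parse_known_hosts_line(line)
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return sha256_fingerprint(blob) == expected
    return md5_fingerprint(blob) == expected.lower()

if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_BLOB))
    # The fingerprint from the warning does not belong to the sample key.
    warned = "23:00:21:33:d4:0f:95:f1:eb:34:b2:57:cf:3f:2c:e7"
    print(key_matches(SAMPLE_LINE, warned))
```
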
 
Old 10-18-2012, 09:45 AM   #4
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,455

Rep: Reputation: 1172
The message means exactly what it says, and you should treat it seriously. Each ssh host generates a random string which is its calling-card, and it stores this in .ssh/known_hosts. (Not authorized_keys, which is part of RSA-key based authentication.)

Unless there is a damn good reason why the key is changed, there might be a "man in the middle."

It could be innocuous, it could be explainable, it could be innocent. But there's a reason why SSH is screaming at you about this, and you should heed it. A loud bell has gone off. Don't silence it: find out why it is ringing. (That's what it's there for.)
 
Old 10-18-2012, 11:00 AM   #5
Rohit_4739
Member
 
Registered: Oct 2010
Distribution: Red Hat
Posts: 224

Original Poster
Rep: Reputation: 9
Quote:
Originally Posted by sundialsvcs
The message means exactly what it says, and you should treat it seriously. Each ssh host generates a random string which is its calling-card, and it stores this in .ssh/known_hosts. (Not authorized_keys, which is part of RSA-key based authentication.)

Unless there is a damn good reason why the key is changed, there might be a "man in the middle."

It could be innocuous, it could be explainable, it could be innocent. But there's a reason why SSH is screaming at you about this, and you should heed it. A loud bell has gone off. Don't silence it: find out why it is ringing. (That's what it's there for.)
I understand that, but all I am asking is why I am not being offered the new host key by the server. And why does the server ask for a password if I remove the key from the known_hosts file and not when the entry is there in the known_hosts file?
 
Old 10-19-2012, 11:31 AM   #6
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,455

Rep: Reputation: 1172
I think that the designers didn't want to make it that easy.

I presume that you also have an authorized-keys entry which permits password-free login. My understanding is that the keys are tied to the originating host.
 
Old 03-15-2013, 11:10 AM   #7
gopa
LQ Newbie
 
Registered: Aug 2011
Posts: 13

Rep: Reputation: Disabled
SSH Issue - REMOTE HOST IDENTIFICATION HAS CHANGED!

Try using the command below:

# ssh-keygen -R {server-ip-address}

# service network restart

Now try to connect to the remote host. You will succeed.
 
Old 03-15-2013, 01:26 PM   #8
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 15,105

Rep: Reputation: 2720
Quote:
Originally Posted by gopa
Try using the command below:

# ssh-keygen -R {server-ip-address}
# service network restart

Now try to connect to the remote host. You will succeed.
Sorry, neither of those steps will resolve that issue. The issue arises because the IP address/credentials of one of the servers changed, so the entry in "known_hosts" is different. All you need to do is remove it from known_hosts, and the new entry will be added. The steps you are taking won't matter, since you are generating a new key (which you don't need), and restarting networking (which won't matter).

Please don't post advice that's incorrect/misleading, and don't re-open old threads to do it.
 