Old 07-16-2008, 06:51 AM   #1
ashsethi
LQ Newbie
 
Registered: Jul 2008
Posts: 14

Rep: Reputation: 0
Warning: Possible Dns Spoofing Detected!


I get this error while doing an ssh from a Solaris to a Linux box.
The hostname is an alias added in DNS for round robin connections.

How can I resolve this issue permanently, without any switch being used along with SSH?


XXXXX{XXX}41:ssh XXXXX
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for XXXXX has changed,
and the key for the according IP address XXXXXXXXXX
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/XXXX/.ssh/known_hosts:18
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
44:d1:41:17:04:d5:2b:ea:0c:2b:da:3d:87:85:5e:2a.
Please contact your system administrator.
Add correct host key in /home/XXXX/.ssh/known_hosts to get rid of this message.
Offending key in /home/XXXXX/.ssh/known_hosts:19
RSA host key for XXXXX has changed and you have requested strict checking.
Host key verification failed.


Thanks in advance
Ash
 
Old 07-16-2008, 08:15 AM   #2
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,195

Rep: Reputation: 469
It tells you:

Quote:
Offending key for IP in /home/XXXX/.ssh/known_hosts:18
If you are SURE that the destination is the one you expect then you should edit that file and delete the entry it already has for the remote host.

This occurs on occasion when:
1) You've replaced a server with another one - the new key will be different.
2) The OS has been reloaded or upgraded on the remote host so a new key was generated.
3) Someone changed the key on the remote host for some reason.

However BEFORE you make the change you should try to determine if any of the above did occur or if there was some other KNOWN reason for the change. The reason you get such an ugly warning is that hackers sometimes set up servers that pretend to be the ones you expect so they can track the login/password you used. That lets them hack into the real server you were trying to reach using your userID and password.
 
Old 07-16-2008, 04:05 PM   #3
simonapnic
Member
 
Registered: Jul 2008
Posts: 70

Rep: Reputation: 16

If you wanna bypass that, just open up the .ssh/known_hosts file in a text editor like nano or vi, and just remove line 18 in your case.
You'll be prompted to accept the new key and that's it.
Usually, it's wise to investigate the key change because, as the previous poster explained, it could mean a security hole.
 
Old 07-17-2008, 06:21 AM   #4
ashsethi
LQ Newbie
 
Registered: Jul 2008
Posts: 14

Original Poster
Rep: Reputation: 0
Thanks for the replies,

I agree with the explanation; actually, as I mentioned, I am using an alias name with DNS round robin, say as in the example below:

Alias -- points to --> A B C D (on DNS)

Now every time I do $ssh Alias, it will take me to a new host (either host A or B or C or D) (round robin feature). I know because of this I am getting the error. I do not want to edit and delete the known_hosts file every time, it's OK for one chance though, so is there any permanent solution so that it may not happen in the scenario as mentioned above?

Thanks,
Ash
 
Old 07-17-2008, 09:04 AM   #5
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,195

Rep: Reputation: 469
OK - didn't realize you were doing round robin to 4 different systems.

The way to cause this to work is to have all 4 of the systems (A,B,C,D) have the same ssh key information. You can do that simply by copying the $HOME/.ssh directory from 1 of the 4 servers to the other 3. (I'm assuming your target user on all 4 servers is the same.)

That way whichever one you connect to will report the same key information you have in known_hosts on your source machine.
 
Old 07-17-2008, 11:31 AM   #6
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 51
Probably do not use a round robin name, but one that is fixed and does not involve round robin.

(or add the round robin names at the start of the .ssh/known_hosts on the client)
name1,name2,name3,name4 ssh-rsa AAAAB3NzaC1y......

Last edited by nx5000; 07-17-2008 at 11:33 AM.
 
Old 07-18-2008, 05:46 AM   #7
ashsethi
LQ Newbie
 
Registered: Jul 2008
Posts: 14

Original Poster
Rep: Reputation: 0
Hi.

Actually that is my requirement of using a roundrobin name so that we do not need to remember the group of servers at backend ... :-(

About name1,name2,name3,name4 ssh-rsa AAAAB3NzaC1y...... , I will try it, though I thought every host would have a separate entry, isn't it?

Tx
Ash
 
Old 07-18-2008, 06:40 AM   #8
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 51
Quote:
I will try it, though I thought every host would have a separate entry, isn't it?
I think you don't need to duplicate. I made a simple test (I don't have rrDNS so I used localhost)
Before I had this in my known_hosts:
zeus,192.168.1.1 ssh-rsa blablaba

ssh zeus
ssh 192.168.1.1
worked without pub/private key
but not ssh localhost

So I modified the known_hosts like this:
zeus,192.168.1.1,localhost ssh-rsa blablaba

And now
ssh localhost works without pub/private key

So.. it could work for you too, just add all your names there.
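
Added example, not part of any post in this thread: when the backends behind a round-robin alias keep their own host keys, known_hosts can hold one line per key under the alias name, and ssh accepts a key that matches any of those lines. The function below compares the alias's entries with copies of each backend's public host key collected out of band; `alias.example` and the file names are assumptions.

```shell
# Added example. audit_alias KNOWN_HOSTS ALIAS PUBKEY_FILE...
# Compares the known_hosts entries for ALIAS with each backend's public
# host key file ("type base64 [comment]") and prints one finding per line:
#   pinned FILE          ALIAS is already listed with this backend's key
#   missing FILE         no "ALIAS type key" line for this backend yet
#   unexpected line N    ALIAS is listed with a key no backend file holds
# Assumption: plain entries only. Hashed ("|1|...") and "@marker" lines are
# skipped, and names are compared literally (no wildcards, no [host]:port).
audit_alias() {
    kh=$1; name=$2; shift 2
    awk -v name="$name" -v kh="$kh" '
        FILENAME == kh {
            if (NF == 0 || $1 ~ /^[#@|]/) next
            n = split($1, hosts, ",")          # "name1,name2,ip" host field
            for (i = 1; i <= n; i++)
                if (hosts[i] == name) { line[$2 " " $3] = FNR; break }
            next
        }
        NF >= 2 {                              # a backend public key file
            k = $1 " " $2
            if (k in line) { seen[k] = 1; print "pinned " FILENAME }
            else print "missing " FILENAME
        }
        END {
            for (k in line)
                if (!(k in seen)) print "unexpected line " line[k]
        }
    ' "$kh" "$@"
}

# Constructed sample data; the key strings are placeholders, not real keys.
demo_audit_alias() {
    d=$(mktemp -d)
    echo 'ssh-rsa AAAAconstructedKeyA root@a' > "$d/a.pub"
    echo 'ssh-rsa AAAAconstructedKeyB root@b' > "$d/b.pub"
    printf '%s\n' 'alias.example,a.example ssh-rsa AAAAconstructedKeyA' \
                  'alias.example ssh-rsa AAAAconstructedOldKey' > "$d/known_hosts"
    audit_alias "$d/known_hosts" alias.example "$d/a.pub" "$d/b.pub"
    rm -rf "$d"
}
demo_audit_alias
```

An "unexpected" line is the one to investigate before deleting it, since it is either a retired backend's key or a key nobody can account for.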
 
Old 07-18-2008, 07:38 AM   #9
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,195

Rep: Reputation: 469
Quote:
Originally Posted by ashsethi
Hi.

Actually that is my requirement of using a roundrobin name so that we do not need to remember the group of servers at backend ... :-(

About name1,name2,name3,name4 ssh-rsa AAAAB3NzaC1y...... , I will try it, though I thought every host would have a separate entry, isn't it?

Tx
Ash
Funny you ignored what I wrote. Good luck in your computing.
 
Old 07-21-2008, 01:39 AM   #10
ashsethi
LQ Newbie
 
Registered: Jul 2008
Posts: 14

Original Poster
Rep: Reputation: 0
@jlightner: sorry, I mistakenly skipped your message..
@nx5000: thanks for the tests..

I will try what you all have said and get back to you.

Once again thanks all for your efforts on this issue.

Rgds,
Ash
 
Old 07-21-2008, 01:57 AM   #11
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Fairly certain just copying $HOME/.ssh is not going to work. The host key is in /etc/ssh. You'd have to put the same hostkey on each server.
 
Old 07-21-2008, 02:01 AM   #12
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
PS I believe invoking ssh with -o CheckHostIP=no will get rid of the error. If it does, you can add it to $HOME/.ssh/config to suppress the error for those hosts in the future:
Code:
# this is $HOME/.ssh/config
Host round-robin.host
    CheckHostIP no
Host some-other.host
    OtherOptions settings
    ...
 
1 members found this post helpful.
Old 07-21-2008, 06:57 AM   #13
ashsethi
LQ Newbie
 
Registered: Jul 2008
Posts: 14

Original Poster
Rep: Reputation: 0
Chort.. this seems interesting, yes when I do a CheckHostIP=no then it does work.... can we make any such entry in the ssh client file, i.e. /etc/ssh/ssh_config, so that by default if anyone gives the ssh command from their host, it picks the -o automatically?

Thx a lot.
Ash
 
Old 07-21-2008, 08:44 AM   #14
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
I believe the syntax for $HOME/.ssh/config is also valid for the global file (/etc/ssh/ssh_config).

Make sure you only set it within the Host section, though. If you just disable it globally you pretty much defeat 90% of the security of ssh.
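
Added example, not part of the original post: a check that reports where an ssh_config-style file switches `CheckHostIP` off, so a setting that leaked out of its Host section is visible. The function name and the sample config are assumptions.

```shell
# Added example. checkhostip_scope CONFIG
# Prints "LINE: SCOPE" for every "CheckHostIP no" in an ssh_config-style file.
# SCOPE is "global" when the setting sits before the first Host/Match line
# or under "Host *" / "Match all"; otherwise it is the Host patterns or
# Match criteria the setting is confined to.
checkhostip_scope() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" || /^#/ { next }
        {   # keyword and value are separated by blanks or a single "="
            kw = $0;  sub(/[ \t=].*$/, "", kw);  kw = tolower(kw)
            val = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
        }
        kw == "host"  { scope = (val == "*") ? "" : val; next }
        kw == "match" { scope = (tolower(val) == "all") ? "" : "match " val; next }
        kw == "checkhostip" && tolower(val) == "no" {
            print NR ": " (scope == "" ? "global" : scope)
        }
    ' "$1"
}

# Constructed config: lines 1 and 5 switch the check off for every host,
# line 3 confines it to the round-robin alias.
demo_checkhostip_scope() {
    f=$(mktemp)
    printf '%s\n' 'CheckHostIP no' 'Host round-robin.host' \
                  '    CheckHostIP no' 'Host *' '    checkhostip=no' > "$f"
    checkhostip_scope "$f"
    rm -f "$f"
}
demo_checkhostip_scope
```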
 
Old 07-22-2008, 11:06 PM   #15
ashsethi
LQ Newbie
 
Registered: Jul 2008
Posts: 14

Original Poster
Rep: Reputation: 0
Perfect Chort !!

@jlightner
@simonapnic
@nx5000
@chort
Thanks everyone for your time on this issue.

I think I am pretty close now.

Rgds,
Ash
 
  

