LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (https://www.linuxquestions.org/questions/linux-general-1/)
-   -   ssh rsa key changed after upgrade (https://www.linuxquestions.org/questions/linux-general-1/ssh-rsa-key-changed-after-upgrade-112297/)

itsjustme 11-04-2003 12:51 PM

ssh rsa key changed after upgrade
 
Just upgraded Solaris 8 to 9.
Now, when I try to ssh in from a linux box I am getting:
Quote:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn.
Please contact your system administrator.
Add correct host key in /home/user1/.ssh/known_hosts to get rid of this message.
Offending key in /home/user1/.ssh/known_hosts:2
RSA host key for thisbox.thisdomain.com has changed and you have requested strict checking.
Host key verification failed.
(actual key and domain changed to protect the innocent. ;) )

I am not familiar with the rsa key stuff.
I can't contact the admin, for I am he. :eek:
How do I: Add correct host key in /home/user1/.ssh/known_hosts to get rid of this message.

Also, I see that it says: Offending key in /home/user1/.ssh/known_hosts:2
But I don't know what to do about it.

Thanks for any help.

HappyTux 11-04-2003 01:21 PM

Re: ssh rsa key changed after upgrade
 
Quote:

Originally posted by itsjustme
Just upgraded Solaris 8 to 9.
Now, when I try to ssh in from a linux box I am getting:

(actual key and domain changed to protect the innocent. ;) )

I am not familiar with the rsa key stuff.
I can't contact the admin, for I am he. :eek:
How do I: Add correct host key in /home/user1/.ssh/known_hosts to get rid of this message.

Also, I see that it says: Offending key in /home/user1/.ssh/known_hosts:2
But I don't know what to do about it.

Thanks for any help.

Edit the file /home/user1/.ssh/known_host with your favorite editor and remove the key. The keys have the format of:

Code:

192.168.0.1 ssh-rsa DFASDFhuiorj0fladsfkljlkjdsfknjasGDSGKirotmasdf#$%9sfnn
fjklasjfosafjoiweruwqejr......

Delete the second one next time you log in with ssh it will ask you if you want to import the key for the unknown host say yes and it will import the key and work.

itsjustme 11-04-2003 01:39 PM

OK, the known_hosts file only had 2 lines, both for the same box, one by IP and one by domain name.
So, I simply renamed (as opposed to deleted, for now) the known_hosts file and tried again.
This time, along with a new known_hosts file, I get:
Quote:

[user1@linux user1]$ ssh thisbox.thisdomain.com -l root
The authenticity of host 'thisbox.thisdomain.com (nn.nn.nn.nn)' can't be established.
RSA key fingerprint is nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'thisbox.thisdomain.com,nn.nn.nn.nn' (RSA) to the list
of known hosts.
root@thesolarisbox.thisdomain.com's password:
Permission denied, please try again.
root@thesolarisbox.thisdomain.com's password:
I know the password is correct? What else do I need to do to get past this?

Thanks for the reply.

HappyTux 11-04-2003 02:05 PM

Quote:

Originally posted by itsjustme
OK, the known_hosts file only had 2 lines, both for the same box, one by IP and one by domain name.
So, I simply renamed (as opposed to deleted, for now) the known_hosts file and tried again.
This time, along with a new known_hosts file, I get:


I know the password is correct? What else do I need to do to get past this?

Thanks for the reply.

Well since you have strict host checking turned on you most likely have the no ROOT login turned on as well, try logining in as a normal user on the machine (you do have a normal user account on the box right?) then su to get to root which is the recommended way to do things anyway.

itsjustme 11-04-2003 03:10 PM

Actually, I don't have a user id on the machine. I am using root from a machine right next to the solaris box in the network closet. Other people do have accounts, and they aren't going to be able to ssh in until I find out how to resolve this issue. One guy has already reported that he can't ssh in from his windows machine.

Possibly, that strict restriction was set to 'no' before the upgrade and possibly I need to figure out how to turn that off. Or, it was set to be strict and then I have to figure out why I am getting the permission denied now.
Before the upgrade, this worked:
[user1@linux user1]$ ssh thisbox.thisdomain.com -l root

So, how do I get the above line to work again without a permission denied?

Thanks!

itsjustme 11-04-2003 04:29 PM

If I type in the root password 3 times, the third permission denied message looks like this:

Permission denied (publickey,password).

Is this now looking for something more than a password? If it is looking for a publickey entry of some sort to be typed in, then I need to turn that off, apparently, since I didn't get this before.

Right? Wrong?

Thanks..

itsjustme 11-04-2003 08:56 PM

I found the /etc/ssh/sshd_config file and PermitRootLogin was set to no.
After I went into my local $HOME/.ssh/known_hosts and deleted the previous line for thesolarisbox.thisdomain.com, I set PermitRootLogin to yes and was able to log in. I am new to this and appreciate the input. I created myself another userid so I can set that back to no. The new user had no rsa key problems.

Now, I have a user who is trying to login from a Windows machine using ssh via SecureCRT. Something he did freely before the solaris upgrade. I believe he also got the big warning about host identification changing. Apparently he was able to do the windows equivalent of deleting the rsa line from the known_hosts file. (What is that by the way, if you know?) But, he is still unable to login. He still gets some RSA authentication error of some sort. I'll have to double check that tomorrow at the office.
Is there a method, or something, to follow to get ssh going after an upgrade changes things? Especially tasks to do for the current users, either from the ssh server machine or from each client machine, linux, Solaris, and Windows?

Thanks...

joseph 11-04-2003 10:01 PM

this is what i do when when the ssh key changed.
vi known_host2, and deleted the file content, save it and let it an empty.
do the ssh again.

itsjustme 11-04-2003 10:08 PM

Yeah, I did the modification to known_hosts on my linux box, as I stated in my post.

I need to know what a windows user, using SecureCRT, or some other ssh client app, needs to do.

joseph 11-04-2003 10:11 PM

in my case, the windows user didn't do anything in their part, just redo the ssh again with the ssh client such putty and everything going smoothly.
Try it, there is nothing to lose.

itsjustme 11-05-2003 10:27 AM

Quote:

the windows user didn't do anything in their part
Wel, I'm happy for them. ;)

Anybody else have some ideas regarding this ssh issue for me.

Thanks.

itsjustme 11-06-2003 10:12 AM

Ok, the windows user deleted his local profile and and now he is able to ssh back in with a newly created profile.


All times are GMT -5. The time now is 01:48 AM.