LinuxQuestions.org

Linux - General: StrictHostKeyChecking not working (https://www.linuxquestions.org/questions/linux-general-1/stricthostkeychecking-not-working-4175674861/)

salilsurendran 05-08-2020 01:31 PM

StrictHostKeyChecking not working
 
I am trying to ssh to a host via a bastion. I have set StrictHostKeyChecking=no for both the ssh command and the ProxyCommand:
Code:

ssh -i ~/mykey.pem-prod hadoop@final.destination.ec2.internal -o "UserKnownHostsFile=/dev/null" -o StrictHostKeyChecking=no -o ProxyCommand="ssh -o StrictHostKeyChecking=no -W %h:%p -i ~/mykey.pem-prod ec2-user@mybastion.us-east-1.amazonaws.com"
Sometimes it works, but sometimes I get this message:

Code:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:
Please contact your system administrator.
Add correct host key in /Users/myname/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/myname/.ssh/known_hosts:7
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Error: forwarding disabled due to host key check failure
ssh_exchange_identification: Connection closed by remote host

I was thinking that StrictHostKeyChecking=no should prevent this problem.

ehartman 05-08-2020 02:50 PM

Quote:

Originally Posted by salilsurendran (Post 6120835)
I was thinking that StrictHostKeyChecking=no should prevent this problem.

No, it only works for NEW hosts, not for existing ones whose key has changed:
Quote:

If this flag is set to no, ssh will automatically add new host keys to the user known hosts files.
Since a system with a changed host key is already there, it is not a new system to be added; you would have to remove it from the known_hosts file first.
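The following is an added example, not code from the thread or from OpenSSH, showing why the reply above is right: it models the known_hosts lookup ssh performs (plain names, comma lists, `[host]:port`, hashed `|1|` entries, `@` markers) and classifies a presented key as "new", "ok" or "changed". Only a "new" host benefits from StrictHostKeyChecking=no; a "changed" one still gets the warning, and ssh then disables password authentication and port forwarding for that connection. In the original command only the outer ssh uses UserKnownHostsFile=/dev/null; the inner ProxyCommand ssh, which is the one doing the `-W` forwarding, still consults ~/.ssh/known_hosts, finds the stale bastion key on line 7, and refuses to forward, which is what "Error: forwarding disabled due to host key check failure" followed by the closed connection indicates. All hostnames, key blobs and known_hosts lines are constructed for illustration (the blobs are not real keys), and the `[host]:port` form is matched on host only, ignoring the port, which real ssh does not do.

```python
"""Added example: model OpenSSH's known_hosts decision to show why
StrictHostKeyChecking=no does not cover a host whose key has CHANGED.
All sample hosts, keys and known_hosts lines are constructed, not real."""
import base64
import fnmatch
import hashlib
import hmac


def b64(data):
    return base64.b64encode(data).decode()


def hash_hostname(host, salt):
    """Build a HashKnownHosts-style host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (b64(salt), b64(mac))


def host_matches(pattern, host):
    """Does one known_hosts host field (plain, comma list, [host]:port, hashed) cover host?"""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        actual = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(mac_b64), actual)
    positive = negated = False
    for entry in pattern.split(","):
        neg = entry.startswith("!")
        if neg:
            entry = entry[1:]
        if entry.startswith("[") and "]:" in entry:   # [host]:port; port ignored in this example
            entry = entry[1:entry.index("]:")]
        if fnmatch.fnmatchcase(host, entry):          # ssh patterns allow * and ?
            if neg:
                negated = True
            else:
                positive = True
    return positive and not negated


def parse_known_hosts(text):
    """Yield (lineno, marker, hostpattern, keytype, key_bytes); skip blanks and comments."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):                 # @cert-authority / @revoked
            marker, fields = fields[0], fields[1:]
        if len(fields) >= 3:
            yield lineno, marker, fields[0], fields[1], base64.b64decode(fields[2])


def fingerprint(key_bytes):
    """OpenSSH-style SHA256 fingerprint of a raw key blob (base64, padding stripped)."""
    return "SHA256:" + b64(hashlib.sha256(key_bytes).digest()).rstrip("=")


def check_host_key(known_hosts_text, host, keytype, presented_key):
    """Return ('ok'|'new'|'changed', offending_line) the way ssh classifies a host key."""
    offending = None
    for lineno, marker, pattern, ktype, key in parse_known_hosts(known_hosts_text):
        if marker is not None or ktype != keytype or not host_matches(pattern, host):
            continue
        if key == presented_key:
            return "ok", None
        offending = lineno                            # known host, different key
    return ("changed", offending) if offending else ("new", None)


def action_for(verdict, strict):
    """What ssh does for a verdict under StrictHostKeyChecking=yes|no|ask|accept-new."""
    if verdict == "ok":
        return "connect"
    if verdict == "new":
        return {"no": "add to known_hosts and connect", "accept-new": "add to known_hosts and connect",
                "ask": "prompt for confirmation"}.get(strict, "refuse")
    # 'changed': the warning is printed regardless of the setting
    if strict == "no":
        return "warn, connect, but disable password auth and port forwarding"
    return "warn and refuse"


BASTION = "mybastion.us-east-1.amazonaws.com"
OLD_BASTION_KEY = b"constructed-old-ecdsa-blob-for-bastion"   # constructed, not a real key
NEW_BASTION_KEY = b"constructed-new-ecdsa-blob-for-bastion"   # constructed, not a real key
HASHED_HOST, HASHED_HOST_KEY = "hashed.example", b"constructed-ed25519-blob-2"

# Constructed sample known_hosts: the stale bastion key sits on line 7, as in the warning.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample ~/.ssh/known_hosts",                                       # line 1
    "git.example,10.0.0.5 ssh-ed25519 " + b64(b"constructed-ed25519-blob-1"),       # line 2
    "@cert-authority *.example ssh-rsa " + b64(b"constructed-ca-blob"),             # line 3
    "",                                                                              # line 4
    "[jump.example]:2222 ssh-rsa " + b64(b"constructed-rsa-blob"),                  # line 5
    hash_hostname(HASHED_HOST, b"\x11" * 20) + " ssh-ed25519 " + b64(HASHED_HOST_KEY),  # line 6
    BASTION + " ecdsa-sha2-nistp256 " + b64(OLD_BASTION_KEY),                       # line 7
])

if __name__ == "__main__":
    for key in (OLD_BASTION_KEY, NEW_BASTION_KEY):
        verdict, line = check_host_key(SAMPLE_KNOWN_HOSTS, BASTION, "ecdsa-sha2-nistp256", key)
        print(verdict, line, fingerprint(key), "->", action_for(verdict, "no"))
```

The practical fix matches the reply: remove the stale line with `ssh-keygen -R mybastion.us-east-1.amazonaws.com` (which also handles hashed entries), verify the bastion's new fingerprint out of band, and let the next connection add it. Putting UserKnownHostsFile=/dev/null on the bastion hop as well would make the error go away, but only by giving up host verification on that hop entirely.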

