Old 05-27-2016, 09:00 AM   #1
AIM Systems
SSH remote host key verification fails using different gateways

I'm not sure if this is a Networking, security or general question, but here goes:
I have a MiniPC designed to a) move around b) perform a backup.
Our company has 2 internet services; the fast fibre and the DSL.
I have the backup working through our fibre line where it connects an ssh tunnel to the external address of a remote server and executes the rsync.
When I change my gateway to use the DSL line, the ssh tunnel chokes saying that the remote host key has changed. I've currently hard-coded the external IP address of the server.

Is the remote host key of ssh created with a hash of the gateway?!

This will be an issue for us as the Backup MiniPC is passed off amongst our team so we can connect it to our home networks so no one tech is responsible for the backup forever.

I can supply the content of any file upon request.

Old 05-27-2016, 11:29 AM   #2
Without seeing your exact flow I can't be sure but this sounds like it may be an issue with the $HOME/.ssh/known_hosts file of one of the users involved.

Posting the exact error might help.

On a simple ssh from a user on one host to a user on another host it will typically say that connection is unknown and ask if you want to allow it. When you say yes it adds information about the remote host and user to the originating user's known_hosts file.

Often this includes the IP of the remote host. If your remote host's IP is being NATted based on which it is coming from (the Fast fiber provider or the DSL provider) your known_hosts file on originating system may be storing the NATted IP. If so the solution would be to:
1) Save the current known_hosts file to a copy (e.g. cp -p known_hosts known_hosts.20160527)
2) Edit the known_hosts file to delete the existing entry for the remote host.
3) Do the connection from your alternate (e.g. if Fiber was working do it from DSL, if DSL was working do it from Fiber). Say yes when prompted to add the key.
4) Edit the revised known_hosts file and add the key from your copied known_hosts.20160527 to it so both keys are there (one for DSL and one for Fiber).

If what I suspect is happening it is the destination not the source that matters so it will work from everyone's home setup.
Old 05-27-2016, 11:48 AM   #3
I agree it might help with a little clearer picture of how things are set up. You can clear the offending line from known_hosts using 'ssh-keygen':

ssh-keygen -R hostname
That will remove the offending key fingerprint and append it to known_hosts.old

But if the same IP number or hostname is switching back and forth between two different gateway machines that's not a permanent solution. One option would be to have both gateways carry the same host keys from /etc/ssh/ssh_host_*_key, but making the change can be disruptive if people are used to logging into them separately on the internal network.

Another option might be to fiddle with ~/.ssh/config on your Backup MiniPC. You could make two aliases, one for each route, and then set your backup script to try the second alias if the first one fails with an if;then;else; in your shell script. Maybe in that setup the configuration option "HostKeyAlias" can be used to force a specific key for that specific route.
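
The two-alias setup suggested in the post above, sketched as an added example that is not part of the original thread: each route gets its own HostKeyAlias so its host key is pinned separately, and the script falls back to the second alias when the first fails. The alias names, the address (documentation range), the user and the paths are assumptions.

```shell
#!/bin/sh
# Added example: route aliases with per-route host key pinning and fallback.
# Alias names, the address (documentation range), user and paths are assumptions.

# Write an ssh client config with one alias per route. Each alias has its own
# HostKeyAlias, so known_hosts keeps a separate pinned key per route and
# StrictHostKeyChecking refuses any key that does not match it.
write_route_config() {
    cat > "$1" <<'EOF'
Host backup-fibre
    HostName 203.0.113.10
    HostKeyAlias backup-via-fibre

Host backup-dsl
    HostName 203.0.113.10
    HostKeyAlias backup-via-dsl

Host backup-fibre backup-dsl
    User backup
    StrictHostKeyChecking yes
    ConnectTimeout 10
EOF
}

# Try each alias in order; stop at the first route where the transfer succeeds.
# RSYNC can be overridden (e.g. for a dry run); ROUTE_USED reports the result.
run_backup() {
    cfg=$1 src=$2 dest=$3
    ROUTE_USED=
    for route in backup-fibre backup-dsl; do
        if ${RSYNC:-rsync} -a -e "ssh -F $cfg" "$src" "$route:$dest"; then
            ROUTE_USED=$route
            return 0
        fi
        echo "backup via $route failed, trying next route" >&2
    done
    return 1
}

# Only act when invoked as: script.sh --run
if [ "${1:-}" = "--run" ]; then
    write_route_config "$HOME/.ssh/backup_routes"
    run_backup "$HOME/.ssh/backup_routes" /srv/data/ /backups/minipc/
fi
```

With StrictHostKeyChecking set to yes, ssh will not add keys on its own, so known_hosts needs one entry per HostKeyAlias name, added after checking the fingerprint against the server's own /etc/ssh/ssh_host_*_key.pub files.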

