LinuxQuestions.org


gonzalezjay 10-17-2003 01:02 AM

Receiving an MITM warning when ssh'ing
 
Please bear with me because I am new to all this. I have two machines. Both are Mac OS X machines that allow me to access their Unix core through the Terminal app. One machine is my personal home comp and the other is on a network that I ssh to (I have also done some telnetting as well). While attempting to ssh to that machine today, I received an error that read "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed." First, how could my RSA key be changed when I personally haven't messed with those settings? Is there another way that it can be changed that I don't know about? Is there a safer way to access my machine? Should I be alarmed or am I just overreacting? :confused:

iainr 10-17-2003 05:00 AM

Hi,

The key to figuring this one out is understanding what SSH is really telling you.

When you first connect to a remote server, SSH stores the identity of that remote server on the local machine. The next time it connects, it checks the identity against the one it has stored. This assumes that the first time you connect, you know you are connecting to the genuine server. After that, SSH checks for you.

There are three common reasons why SSH might give you the Man in the Middle attack warning.

1. Someone has tricked you into connecting to another computer with a different ssh key and ssh is warning you about it - i.e. there is a real MITM attack.

2. The key has been changed on the remote server.

3. The hostname or IP address has been changed on the remote server.

In the vast majority of cases, either 2 or 3 will be the issue. You could just work on that assumption and log on anyway. Alternatively, if there is someone else who can log on for you (or, even better, who is local to the server), they could always log on and check that when you connect, you are connecting to the right server.

One other thing. This warning from SSH is enhancing your security, so whilst you should be concerned about whether you have been hacked, there is no need to be concerned about SSH itself. After all, if it turns out that it is a MITM attack and you were using telnet, you would never have known about it until it was too late (i.e. until you had handed over your username and password to the attacker) and maybe not even then.

Iain.
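
The stored-identity check described in the reply above, sketched as an added example (not part of the original posts and not OpenSSH's own code). It classifies a presented host key against `known_hosts` text and computes the SHA256 fingerprint format current OpenSSH prints, so the value can be compared with one read at the server's console; the host names, address and key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern, host):
    """Match one known_hosts host field: plain comma list or hashed |1|salt|hash."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in pattern.split(",")

def check_host_key(known_hosts_text, host, key_type, key_b64):
    """Return 'match', 'changed' or 'unknown' for the key a server presents."""
    seen_host = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # skip blanks, comments and @cert-authority/@revoked markers
        if fields[1] != key_type or not host_matches(fields[0], host):
            continue
        seen_host = True
        if fields[2] == key_b64:
            return "match"
    # 'changed' is the case that triggers the warning; it cannot tell a
    # regenerated key or re-addressed server from a real MITM by itself.
    return "changed" if seen_host else "unknown"

# Constructed sample data: placeholder blobs, not real host keys.
OLD_KEY = base64.b64encode(b"constructed-old-host-key").decode()
NEW_KEY = base64.b64encode(b"constructed-new-host-key").decode()
KNOWN_HOSTS = f"server.example.com,192.0.2.10 ssh-rsa {OLD_KEY}\n"

if __name__ == "__main__":
    for host, key in [("server.example.com", OLD_KEY),
                      ("server.example.com", NEW_KEY),
                      ("192.0.2.99", OLD_KEY)]:
        state = check_host_key(KNOWN_HOSTS, host, "ssh-rsa", key)
        print(host, state, fingerprint(key))
```

A "changed" result is resolved by comparing `fingerprint()` of the presented key with the fingerprint someone local to the server reads from it, which is the out-of-band check the reply suggests.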


All times are GMT -5.