10-17-2003, 01:02 AM   #1
LQ Newbie
Registered: Oct 2003
Location: North Hollywood, CA
Posts: 6

Rep: Reputation: 0
Receiving an MITM warning when ssh'ing

Please bear with me because I am new to all this. I have two machines. Both are Mac OS X machines that allow me to access their Unix core through the Terminal app. One machine is my personal home comp and the other is on a network that I ssh to (I have also done some telnetting as well). While attempting to ssh to that machine today, I received an error that read "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed." First, how could my RSA key be changed when I personally haven't messed with those settings? Is there another way that it can be changed that I don't know about? Is there a safer way to access my machine? Should I be alarmed or am I just overreacting?
10-17-2003, 05:00 AM   #2
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30

The key to figuring this one out is understanding what SSH is really telling you.

When you first connect to a remote server, SSH stores the identity of that remote server on the local machine. The next time it connects, it checks the identity against the one it has stored. This assumes that the first time you connect, you know you are connecting to the genuine server. After that, SSH checks for you.

There are three common reasons why SSH might give you the Man in the Middle attack warning.

1. Someone has tricked you into connecting to another computer with a different SSH key and SSH is warning you about it - i.e. there is a real MITM attack.

2. The key has been changed on the remote server.

3. The hostname or IP address has been changed on the remote server.

In the vast majority of cases, either 2 or 3 will be the issue. You could just work on that assumption and log on anyway. Alternatively, if there is someone else who can log on for you (or, even better, who is local to the server), they could always log on and check that when you connect, you are connecting to the right server.

One other thing. This warning from SSH is enhancing your security, so whilst you should be concerned about whether you have been hacked, there is no need to be concerned about SSH itself. After all, if it turns out that it is a MITM attack and you were using telnet, you would never have known about it until it was too late (i.e. until you had handed over your username and password to the attacker) and maybe not even then.


Last edited by iainr; 10-17-2003 at 05:06 AM.
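
The stored-identity check described in the answer above, as an added example that is not part of the original thread: it parses a known_hosts-style entry, classifies a presented host key as MATCH, CHANGED or UNKNOWN, and compares it with a fingerprint obtained out of band (for instance read at the server console). The hostnames, addresses, key blobs and function names are constructed for illustration; the fingerprint uses the SHA256 format of current OpenSSH.

```python
import base64, hashlib, struct

def sample_blob(seed: bytes) -> str:
    """Constructed stand-in for a host public key (ssh-ed25519 wire layout, not a real key)."""
    field = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(field(b"ssh-ed25519") + field(hashlib.sha256(seed).digest())).decode()

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (hostname, keytype) -> key blob for plain entries; hashed and @marker lines are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|1|")):
            continue
        for host in fields[0].split(","):
            entries[(host, fields[1])] = fields[2]
    return entries

def check_host(entries: dict, host: str, keytype: str, presented_b64: str) -> str:
    """The comparison the client makes on every connection after the first."""
    stored = entries.get((host, keytype))
    if stored is None:
        return "UNKNOWN"   # nothing stored under this name or address: first-connection prompt
    if base64.b64decode(stored) == base64.b64decode(presented_b64):
        return "MATCH"
    return "CHANGED"       # attack or legitimate key change: the client cannot tell which

def confirmed_out_of_band(presented_b64: str, trusted_fingerprint: str) -> bool:
    """True if the presented key matches a fingerprint read at the server by someone trusted."""
    return fingerprint(presented_b64) == trusted_fingerprint

# Constructed sample data: hostnames, addresses and keys are placeholders.
ORIGINAL = sample_blob(b"key stored at first connection")
REPLACEMENT = sample_blob(b"key presented today")
KNOWN_HOSTS = f"# constructed known_hosts\nserver.example.com,192.0.2.10 ssh-ed25519 {ORIGINAL}\n"

if __name__ == "__main__":
    entries = parse_known_hosts(KNOWN_HOSTS)
    for host, blob in [("server.example.com", ORIGINAL), ("server.example.com", REPLACEMENT),
                       ("192.0.2.10", REPLACEMENT), ("new-name.example.com", ORIGINAL)]:
        print(f"{host:22} {check_host(entries, host, 'ssh-ed25519', blob):8} {fingerprint(blob)}")
```

A CHANGED result only says the stored and presented keys differ; the out-of-band fingerprint comparison is what separates a legitimate key change from an interception.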

