Server id has changed on ubuntu 7.10 so unable to ssh in ...

curtisa · 05-15-2008, 12:25 AM

Hi all,

Server : Ubuntu Server 7.10
Client : Mac OSX

I've found this morning that I'm unable to ssh onto my local home server anymore. I have setup ssh on the server to be almost as tight as I thought possible, so it only accepts public key authentication (passwords off) and I have strict checking enabled.

Specifically the error msg is ...

Code:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx.xx.xx.xx.xx.xx.xx.xx.xx.xx.xx.xx.xx.xx.xx.
Please contact your system administrator.
Add correct host key in /Users/<userid>/.ssh/known_hosts to get rid of this message.
Offending key in /Users/<userid>/.ssh/known_hosts:2
RSA host key for <servername> has changed and you have requested strict checking.

What I would like to know is can I see exactly what's changed (ie in what file) and what do I need to do to fix it please? If I have to create a new set of public/private key files then so be it but I guess I'm more interested to know what's changed and how it was changed.

I've checked my 'messages' and 'auth' log files on the server and apart from seeing a few of the usual external breakin attempts (which fail2ban seems to have handled) I don't see anything unusual, suspicious or anything suggesting the id has changed. (I certainly don't see any other successful logins apart from mine).

In terms of what I've done on the server recently, all I can think of is last weekend I added a new virtual machine (ubuntu 8.10) into my vmware server which is running on there. But that was last weekend and I have successfully sshd on to the server since then.

Can anyone offer any tips/advice where else I can look please (and any way to easily fix it)

Tks vm,

win32sux · 05-15-2008, 12:58 AM

Did this start happening after a recent update? If so, this is covered in the security notice. Also keep on eye on this thread, which is currently stickied at the top of this forum.

curtisa · 05-15-2008, 02:17 AM

Hi,

I didn't think there was any upgrade/update which has happened in the last few days (and actually is there a log file of any/all updated I can check - I normally update via the GUI). I'm not actually in front of the server now but I can check this evening.

The one thing which I can remember happening recently was that I managed to remove myself from the adm and admin groups so I couldn't sudo. So I followed ...
http://ubuntuforums.org/archive/index.php/t-150021.html
and managed to re-add myself. But I don't know that could cause this could it ?

Re the thread at the top, I did quickly read it but didn't think it was relevant for this problem but maybe it is. I'll certainly watch it.

Tks vm,
Alex

win32sux · 05-15-2008, 06:06 AM

Quote:

Originally Posted by curtisa

I didn't think there was any upgrade/update which has happened in the last few days (and actually is there a log file of any/all updated I can check - I normally update via the GUI). I'm not actually in front of the server now but I can check this evening.

Well, there's /var/log/apt/term.log, but I think it only logs upgrades done from the command line. I've never used the GUI update manager, but perhaps you have it configured to do automatic updates? If so, I would think you would find a log in /var/log/unattended-upgrades/, but since I haven't done that it's an empty directory on my box.

To check if you have automatic updates enabled in the GUI go to System > Administration > Software Sources > Updates.

Quote:

The one thing which I can remember happening recently was that I managed to remove myself from the adm and admin groups so I couldn't sudo. So I followed ...
http://ubuntuforums.org/archive/index.php/t-150021.html
and managed to re-add myself. But I don't know that could cause this could it ?

I haven't looked at that ubuntuforums.org link but it sounds like a completely unrelated issue to me.

Quote:

Re the thread at the top, I did quickly read it but didn't think it was relevant for this problem but maybe it is. I'll certainly watch it.

It is 100% relevant if you did the update. I quote from point #2 of USN-612-2:

Code:

2. Update OpenSSH known_hosts files
The regeneration of host keys will cause a warning to be displayed
when connecting to the system using SSH until the host key is
updated in the known_hosts file. The warning will look like this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)! It is also possible that the RSA host key has just been
changed.

In this case, the host key has simply been changed, and you
should update the relevant known_hosts file as indicated in the
error message.

Also you could simply check if your version is at least 1:4.6p1-5ubuntu0.3.