LinuxQuestions.org
Old 05-15-2008, 12:25 AM   #1
curtisa
Member
 
Registered: Oct 2005
Location: Switzerland
Distribution: Ubuntu
Posts: 33

Rep: Reputation: 16
Server id has changed on ubuntu 7.10 so unable to ssh in ...


Hi all,

Server : Ubuntu Server 7.10
Client : Mac OSX

I've found this morning that I'm unable to ssh onto my local home server anymore. I have set up ssh on the server to be almost as tight as I thought possible, so it only accepts public key authentication (passwords off) and I have strict checking enabled.

Specifically the error msg is ...

Code:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx.xx.xx.xx.xx.xx.xx.xx.xx.xx.xx.xx.xx.xx.xx.
Please contact your system administrator.
Add correct host key in /Users/<userid>/.ssh/known_hosts to get rid of this message.
Offending key in /Users/<userid>/.ssh/known_hosts:2
RSA host key for <servername> has changed and you have requested strict checking.

What I would like to know is can I see exactly what's changed (ie in what file) and what do I need to do to fix it please? If I have to create a new set of public/private key files then so be it but I guess I'm more interested to know what's changed and how it was changed.

I've checked my 'messages' and 'auth' log files on the server and apart from seeing a few of the usual external breakin attempts (which fail2ban seems to have handled) I don't see anything unusual, suspicious or anything suggesting the id has changed. (I certainly don't see any other successful logins apart from mine).

In terms of what I've done on the server recently, all I can think of is last weekend I added a new virtual machine (ubuntu 8.10) into my vmware server which is running on there. But that was last weekend and I have successfully sshd on to the server since then.

Can anyone offer any tips/advice where else I can look please (and any way to easily fix it)

Tks vm,
 
Old 05-15-2008, 12:58 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Did this start happening after a recent update? If so, this is covered in the security notice. Also keep an eye on this thread, which is currently stickied at the top of this forum.
 
Old 05-15-2008, 02:17 AM   #3
curtisa
Member
 
Registered: Oct 2005
Location: Switzerland
Distribution: Ubuntu
Posts: 33

Original Poster
Rep: Reputation: 16
Hi,

I didn't think there was any upgrade/update which has happened in the last few days (and actually is there a log file of any/all updates I can check - I normally update via the GUI). I'm not actually in front of the server now but I can check this evening.

The one thing which I can remember happening recently was that I managed to remove myself from the adm and admin groups so I couldn't sudo. So I followed ...
http://ubuntuforums.org/archive/index.php/t-150021.html
and managed to re-add myself. But I don't know that could cause this could it ?

Re the thread at the top, I did quickly read it but didn't think it was relevant for this problem but maybe it is. I'll certainly watch it.

Tks vm,
Alex
 
Old 05-15-2008, 06:06 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by curtisa
I didn't think there was any upgrade/update which has happened in the last few days (and actually is there a log file of any/all updates I can check - I normally update via the GUI). I'm not actually in front of the server now but I can check this evening.
Well, there's /var/log/apt/term.log, but I think it only logs upgrades done from the command line. I've never used the GUI update manager, but perhaps you have it configured to do automatic updates? If so, I would think you would find a log in /var/log/unattended-upgrades/, but since I haven't done that it's an empty directory on my box.

To check if you have automatic updates enabled in the GUI go to System > Administration > Software Sources > Updates.

Quote:
The one thing which I can remember happening recently was that I managed to remove myself from the adm and admin groups so I couldn't sudo. So I followed ...
http://ubuntuforums.org/archive/index.php/t-150021.html
and managed to re-add myself. But I don't know that could cause this could it ?
I haven't looked at that ubuntuforums.org link but it sounds like a completely unrelated issue to me.

Quote:
Re the thread at the top, I did quickly read it but didn't think it was relevant for this problem but maybe it is. I'll certainly watch it.
It is 100% relevant if you did the update. I quote from point #2 of USN-612-2:
Code:
2. Update OpenSSH known_hosts files
The regeneration of host keys will cause a warning to be displayed
when connecting to the system using SSH until the host key is
updated in the known_hosts file. The warning will look like this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)! It is also possible that the RSA host key has just been
changed.

In this case, the host key has simply been changed, and you
should update the relevant known_hosts file as indicated in the
error message.
Also you could simply check if your version is at least 1:4.6p1-5ubuntu0.3.

Last edited by win32sux; 05-15-2008 at 06:15 AM. Reason: Fixed package version (had used the one for 8.04 instead of 7.10).
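
The known_hosts update that win32sux quotes from USN-612-2, combined with an out-of-band check, as an added example that is not part of the thread: the stale entry is replaced only when the key offered over the network matches the copy read at the server's console. The function names, host name and key strings are constructed for illustration, and only plain (unhashed) known_hosts entries are handled.

```shell
#!/bin/sh
# Added example with hypothetical helper names; plain (unhashed) entries only.

# Print "<keytype> <base64-blob>" from a .pub file or an ssh-keyscan line.
key_of() {
    awk '!/^#/ { for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-.*)$/) {
            print $i, $(i + 1); exit } }' "$1"
}

# update_known_host KNOWN_HOSTS HOST OFFERED_FILE CONSOLE_FILE
#   OFFERED_FILE: key presented over the network (e.g. ssh-keyscan output)
#   CONSOLE_FILE: /etc/ssh/ssh_host_rsa_key.pub copied at the server console
# Rewrites KNOWN_HOSTS and returns 0 only when both keys are identical.
update_known_host() {
    kh=$1 host=$2
    offered=$(key_of "$3")
    trusted=$(key_of "$4")
    if [ -z "$trusted" ] || [ "$offered" != "$trusted" ]; then
        echo "REFUSED: offered key differs from the console copy" >&2
        return 1
    fi
    ktype=${trusted%% *}
    tmp=$(mktemp) || return 2
    # Drop the stale line for this host and key type, keep everything else.
    awk -v h="$host" -v t="$ktype" '{
        n = split($1, names, ","); stale = 0
        for (i = 1; i <= n; i++) if (names[i] == h && $2 == t) stale = 1
        if (!stale) print
    }' "$kh" > "$tmp"
    printf '%s %s\n' "$host" "$trusted" >> "$tmp"
    cat "$tmp" > "$kh"    # overwrite in place so file permissions are kept
    rm -f "$tmp"
}

# Constructed sample data (not real keys); stale entry on line 2 as in the post.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'other.example ssh-rsa AAAAOTHER' \
        'homeserver ssh-rsa AAAAOLDWEAK' > "$d/known_hosts"
    echo 'homeserver ssh-rsa AAAANEWKEY' > "$d/offered"
    echo 'ssh-rsa AAAANEWKEY root@homeserver' > "$d/console"
    update_known_host "$d/known_hosts" homeserver "$d/offered" "$d/console" &&
        cat "$d/known_hosts"
}

if [ "${1:-}" = demo ]; then demo; fi
```

For hashed known_hosts entries, `ssh-keygen -R <servername>` removes the stale line instead.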
 
  


All times are GMT -5.