SSH Issue - REMOTE HOST IDENTIFICATION HAS CHANGED!
I am having this issue with one of our servers. Let me give a little insight on it: I was trying to ssh to one of our Linux servers and I was presented with the following error, which I am totally aware of and fully understand.
Quote:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
23:00:21:33:d4:0f:95:f1:eb:34:b2:57:cf:3f:2c:e7.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:8
RSA host key for example.com has changed and you have requested strict checking.
Host key verification failed.
So I tried the options I thought of:
1. First I deleted the entry for this server from my known_hosts file on the client and then tried the ssh so that it's a new connection. But to my surprise the server is not offering the public host key to accept but is asking for the root password for the server.
2. I also tried setting the StrictHostKeyChecking option to no, but even that did not work.
So my questions here:
a) Why is the server not offering the new public key and asking me "If you want to continue (yes/no)"?
b) After removing the server public key from the known_hosts file it starts asking for a password, but if the server public key is not removed then it does not ask for a password. So if I understand correctly, the known_hosts file has nothing to do with passwordless authentication.
Any help would be greatly appreciated!!
How does an SSH client verify the server's identity for the very first time, before it has been added to the known_hosts file? Sorry to say that it might sound a little stupid, but it is troubling me a lot and I have not been able to find the correct, precise answer even after intense googling.
What I mean to ask is how exactly a client comes to know that the SSH server it has initiated a connection to is what it says it is. A man-in-the-middle system can impersonate the actual SSH server and present its own public key to the client, and then the client will add it to its known_hosts list.
I know it might sound a bit silly or stupid, but I am having a hard time figuring out how exactly an SSH client verifies the SSH server's identity for the very first time when it initiates the connection, before it has added the entry to its known_hosts file.
I have done quite intense googling but I have still not found a precise, satisfactory answer, so can someone please tell me how exactly the client comes to know that it is indeed talking to the server it should be.
Last edited by unSpawn; 10-18-2012 at 10:51 AM.
Reason: //merge threads again
It puts the onus on you. By default, you need to manually accept the identity key the server provides. There's clearly no formal basis for knowing a server is legit (compared to trusted root CAs in the HTTPS world) so you have to arbitrarily draw a line yourself by saying you trust them on the first connect.
The message means exactly what it says, and you should treat it seriously. Each ssh host generates a random string which is its calling-card, and it stores this in .ssh/known_hosts. (Not authorized_keys, which is part of RSA-key based authentication.)
Unless there is a damn good reason why the key is changed, there might be a "man in the middle."
It could be innocuous, it could be explainable, it could be innocent. But there's a reason why SSH is screaming at you about this, and you should heed it. A loud bell has gone off. Don't silence it: find out why it is ringing. (That's what it's there for.)
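Added example, not part of any post in this thread: Python code that mirrors the known_hosts lookup an SSH client performs, returning 'unknown' (the first-connection yes/no prompt), 'match', or 'changed' (the warning quoted above), and that prints a key's MD5 colon-hex fingerprint in the warning's format so it can be compared with a value obtained from the server's administrator. The function names and the sample key blobs are constructed for illustration; wildcard, negated and [host]:port patterns are not handled.

```python
import base64
import hashlib
import hmac

def fingerprints(key_b64):
    """MD5 (colon-hex, as in the warning) and SHA256 fingerprints of a key blob."""
    blob = base64.b64decode(key_b64)
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha

def host_matches(host_field, host):
    """Match a known_hosts host field: comma list or hashed |1|salt|hmac form."""
    if host_field.startswith("|1|"):
        _, _, salt, digest = host_field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in host_field.split(",")

def check_host(known_hosts_text, host, key_type, offered_b64):
    """Return (status, line_no): 'match', 'changed' (the warning case) or 'unknown'."""
    status, where = "unknown", None
    for line_no, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # skip blanks, comments and @cert-authority/@revoked markers
        if fields[1] != key_type or not host_matches(fields[0], host):
            continue
        if fields[2] == offered_b64:
            return "match", line_no
        status, where = "changed", line_no  # same host and key type, different key
    return status, where

# Constructed sample data: the blobs are placeholders, not real RSA keys.
OLD = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"old-constructed").decode()
NEW = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"new-constructed").decode()
KNOWN_HOSTS = "# constructed file\nexample.com,192.0.2.10 ssh-rsa " + OLD + "\n"

if __name__ == "__main__":
    print(check_host(KNOWN_HOSTS, "example.com", "ssh-rsa", NEW))    # changed
    print(check_host(KNOWN_HOSTS, "other.example", "ssh-rsa", NEW))  # unknown
    print(fingerprints(NEW)[0])  # compare with the administrator's value
```

A 'changed' result is only resolved by comparing the offered key's fingerprint with one read on the server itself or supplied by its administrator; an 'unknown' result is the trust-on-first-use case, where the same comparison is the only check available.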
I understand that, but all I am asking is why I am not being offered the new host key by the server, and why the server asks for a password if I remove the key from the known_hosts file and not when the entry is there in the known_hosts file.
I think that the designers didn't want to make it that easy.
I presume that you also have an authorized-keys entry which permits password-free login. My understanding is that the keys are tied to the originating host.
Now try to connect to the remote host; you will succeed.
Sorry, neither of those steps will resolve that issue. The issue arises because the IP address/credentials of one of the servers changed, so the entry in "known_hosts" is different. All you need to do is remove it from known_hosts, and the new entry will be added. The steps you are taking won't matter, since you are generating a new key (which you don't need), and restarting networking (which won't matter).
Please don't post advice that's incorrect/misleading, and don't re-open old threads to do it.