2010-10-17 10:22:19 | Scott Ritchie | description
If I have a server at a particular IP, and I have an ssh history with it, ssh will store the key in ~/.known-hosts. If I then replace that server but use the same IP, the server will have a new fingerprint that conflicts with the one in ~/.known-hosts.
ssh will then, properly, complain about a key mismatch and warn about a possible man-in-the-middle attack. This is good design; however, if I'm expecting this error because I knowingly changed the server, it gets difficult to work around.
This is the current sort of warning ssh spits out:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for wine.budgetdedicated.com has changed,
and the key for the corresponding IP address 12.34.56.78
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
ab:cd:ef:de:ad:be:ef:12:34:56:78:90:de:ad:be:ef.
Please contact your system administrator.
Add correct host key in /home/scott/.ssh/known_hosts to get rid of this message.
Offending key in /home/scott/.ssh/known_hosts:15
RSA host key for wine.budgetdedicated.com has changed and you have requested strict checking.
Host key verification failed.
There are actually two warnings here. Regardless, there's no clear path forward -- editing ~/.known-hosts in a text editor (e.g. nano) isn't useful, because the IP entries are obscured. It's also very easy to miss the fact that the warning is actually telling you a line number ("Offending key in known_hosts:15") -- this should be an explicit message: "Offending key in known_hosts on line 15". That would be a simple fix, but it still makes editing larger known_hosts files a pain (especially in nano, which doesn't have obvious line numbers).
This could be even easier if ssh had some sort of switch to handle this situation, something like an "ssh --I-changed-the-server-key" or "ssh --forget-key" command. Some quick searching shows this to be a common problem, with multiple blog posts describing various ways to fix the situation (e.g. sed scripts to remove the particular line).
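Added example, not code from the report or from OpenSSH: the known_hosts entries look obscured because Ubuntu's default ssh_config enables HashKnownHosts, which stores each hostname as |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)). The script below reimplements that lookup so you can see which line an entry for a host sits on and drop it, the same job OpenSSH's own `ssh-keygen -F host` and `ssh-keygen -R host` do; the sample file, fixed salt and key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac

def hash_host(hostname: str, salt: bytes) -> str:
    """Build a HashKnownHosts host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_field_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (hashed, or plain comma-separated names) covers hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in field.split(",")

def find_offending_lines(known_hosts: str, hostname: str) -> list:
    """1-indexed line numbers whose entry applies to hostname (what ssh-keygen -F would report)."""
    hits = []
    for lineno, line in enumerate(known_hosts.splitlines(), start=1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        field = parts[1] if parts[0].startswith("@") and len(parts) > 1 else parts[0]  # skip @cert-authority/@revoked marker
        if host_field_matches(field, hostname):
            hits.append(lineno)
    return hits

def remove_host(known_hosts: str, hostname: str) -> str:
    """Drop every entry for hostname and keep all other lines unchanged (what ssh-keygen -R does)."""
    doomed = set(find_offending_lines(known_hosts, hostname))
    kept = [l for n, l in enumerate(known_hosts.splitlines(), start=1) if n not in doomed]
    return "".join(l + "\n" for l in kept)

# Constructed sample file: placeholder key blobs and a fixed salt (OpenSSH draws 20 random bytes).
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "".join(line + "\n" for line in [
    "# constructed sample known_hosts, not real keys",
    "git.example.org,203.0.113.7 ssh-rsa AAAAB3Nza_PLACEHOLDER_KEY_1",
    hash_host("wine.budgetdedicated.com", SALT) + " ssh-rsa AAAAB3Nza_PLACEHOLDER_KEY_2",
    "12.34.56.78 ssh-rsa AAAAB3Nza_PLACEHOLDER_KEY_3",
])

if __name__ == "__main__":
    # Locate the hashed entry the warning pointed at, then drop it before reconnecting and
    # comparing the new fingerprint against one obtained out of band from the server's console.
    print(find_offending_lines(SAMPLE_KNOWN_HOSTS, "wine.budgetdedicated.com"))  # [3]
    print(remove_host(SAMPLE_KNOWN_HOSTS, "wine.budgetdedicated.com"))
```

Run against the real file with `open(os.path.expanduser("~/.ssh/known_hosts")).read()`; the hashed entry can only be found by recomputing the HMAC, which is why grepping or eyeballing the file in nano gets nowhere.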
ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: ssh (not installed)
ProcVersionSignature: Ubuntu 2.6.35-22.34-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Sun Oct 17 03:04:06 2010
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Beta amd64 (20100901.1)
ProcEnviron:
LANG=en_US.utf8
SHELL=/bin/bash
SourcePackage: openssh