Saturday, November 20, 2010

SSH Host Key Error

When trying to ssh into a server you may get the following error:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
5b:9c:15:52:a1:ce:19:80:3b:ad:4b:b2:31:ad:d5:4c.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:1
RSA host key for ras.mydomain.com has changed and you have requested strict checking.
Host key verification failed.

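If you have reinstalled Linux with OpenSSH on the server, you will get the above error, because the reinstall generates new host keys. To confirm the fingerprint of the server, log in to it directly if possible, execute the following command, and compare its output with the fingerprint shown in the warning: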

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

To confirm the fingerprints of the other host keys, use:

ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_key.pub
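
The fingerprint in the warning is an MD5 hash of the server's public key blob, while newer OpenSSH releases print SHA256 fingerprints by default. The following added example (not part of the original post) recomputes both forms from a .pub line and compares the result with the fingerprint quoted in the warning. The sample key is constructed, and the function names are this example's own.

```python
import base64
import hashlib
import re
import struct

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 hex: the format shown in the warning above."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def sha256_fingerprint(blob: bytes) -> str:
    """Unpadded base64 SHA-256: what newer OpenSSH releases print by default."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_blob(pubkey_line: str) -> bytes:
    """Decode the base64 field of a '<type> <base64> [comment]' .pub line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    return base64.b64decode(fields[1], validate=True)

MD5_FP = re.compile(r"(?<![0-9a-f:])(?:[0-9a-f]{2}:){15}[0-9a-f]{2}(?![0-9a-f:])")

def warned_fingerprint(warning: str) -> str:
    """Pull the MD5 fingerprint out of the 'IDENTIFICATION HAS CHANGED' text."""
    match = MD5_FP.search(warning)
    if match is None:
        raise ValueError("no MD5 fingerprint found in warning text")
    return match.group(0)

def key_matches_warning(pubkey_line: str, warning: str) -> bool:
    """True only if the key read on the server is the one the client was offered."""
    return md5_fingerprint(key_blob(pubkey_line)) == warned_fingerprint(warning)

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

# Constructed sample (not a usable key): wire-format "ssh-rsa", e, n fields.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00" + bytes(range(128, 256))))
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@constructed"

if __name__ == "__main__":
    warning = ("The fingerprint for the RSA key sent by the remote host is\n"
               + md5_fingerprint(SAMPLE_BLOB) + ".\n")  # constructed warning text
    print("MD5   ", md5_fingerprint(key_blob(SAMPLE_PUB)))
    print("SHA256", sha256_fingerprint(key_blob(SAMPLE_PUB)))
    print("matches warning:", key_matches_warning(SAMPLE_PUB, warning))
```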


To get rid of this problem (if you are certain it is NOT due to an actual security breach):

Remove The Offending Key

Use the -R option to remove all keys belonging to a hostname from a known_hosts file. This option is useful to delete hashed hosts. If your remote hostname is server.example.com, enter:

$ ssh-keygen -R {server.name.com}

$ ssh-keygen -R {ssh.server.ip.address}

$ ssh-keygen -R server.example.com


Sample output:
/home/robert/.ssh/known_hosts updated.
Original contents retained as /home/vivek/.ssh/known_hosts.old
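Now you can connect to the host again. With the default settings, ssh will show the new key's fingerprint on the next connection and ask you to accept it; check that it matches the fingerprint you confirmed on the server.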
