Re: I need guidance about how to configure a newly installed Jessie



Quoting Paul E Condon (pecondon@mesanetworks.net):

> I have four desktop machines running Jessie. I try to keep them all
> upgraded on whenever new package versions are released. I thought it
> would be fast and simple. I was very wrong. This install behaves very
> differently in the following way: When I attempt to ssh into one of
> the computers that was not re-installed, I get a complaint that:
> 
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> The RSA host key for gq has changed,
> and the key for the corresponding IP address 192.168.1.12
> is unknown. This could either mean that
> DNS SPOOFING is happening or the IP address for the host
> and its host key have changed at the same time.

This I do not receive, perhaps because my router knows my MAC and
gives me my static IP number.

> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 51:cf:52:87:6f:13:43:50:73:29:2c:b4:34:11:cd:5c.
> Please contact your system administrator.
> Add correct host key in /home/pec/.ssh/known_hosts to get rid of this message.
> Offending RSA key in /etc/ssh/ssh_known_hosts:3
>   remove with: ssh-keygen -f "/etc/ssh/ssh_known_hosts" -R gq
> RSA host key for gq has changed and you have requested strict checking.
> Host key verification failed.

This one is very familiar, and is something I wanted to avoid when
installing via ssh and network-console.

You're presumably running ssh as pec. What I'm not sure about is why
you're using /etc/ssh/ssh_known_hosts rather than
/home/pec/.ssh/known_hosts, because you need root to maintain the
former.

> I get this same complaint even after I remove the known_hosts file
> entirely. How can the software retain the information that the offending
> line is the third line? It must be doing more than the documentation
> that I have says it's doing.

There are potentially two files. "the known_hosts file" implies you've
deleted one of them.

> This is a home lan. I use a hosts file to
> inform the several computers of the IP addresses of all the computers in
> the LAN. The file is identical on all computers and hasn't changed since
> etch.

Same here. The router doesn't have a resolver, so I type hostnames and
hosts gives me the static IP numbers.

> In the past, I was given the option of typing the login password of the
> computer that I want to log into, but not now.

I'm not sure why you call it an "option". The default is to require
typing a password (of the user, not the computer), and we avoid that
by giving the remote host a "question" (our public key, placed in its
authorized_keys file) to which only we know the "answer" (our private
key, in our id_rsa file).

> I don't understand what I should do with the RSA 'fingerprint'. It doesn't
> look at all like a legitimate line in a known_hosts file. How is it used?

On the odd occasion that I keep the newly-installed host keys (usually
when I notice a new type of key in /etc/ssh/) I type, for example,
$ ssh-keygen -l -v -f /etc/ssh/ssh_host_ecdsa_key.pub > .../ssh-fingerprint
where ... is the place you keep your configuration records.
That's the remote host's fingerprint you check when you get the
warning. (I don't know how to get a host to send the randomart.)

> Where is the source of this occult knowledge?

man ssh-keygen is your friend.

> Why does the author of the WARNING presume that there is a different
> person, other than the person reading the message who is the actual
> 'your system administration'? Has someone in NSA or CIA been assigned
> to monitor me, and this message breaches global security because I
> should not be allowed to know that I am being watched?

Because if you were logging in to your unix account at work, say,
you'd pick up the phone and ask the operators what in h*ll's name are
they up to! In other words, ssh assumes the remote host really is
remote. You (local) get the warning, but the host that might have been
compromised (if it's not man-in-the-middle) is the remote one.

Cheers,
David.
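An added illustration of the two questions in this thread (how a fingerprint relates to a known_hosts line, and how ssh can still know about "line 3" after one of the two files is deleted). This is example code written for this page, not something from Paul's or David's messages or from OpenSSH; the keys, hostnames and file contents are constructed inline, and ed25519 blobs are used instead of RSA ones only because they have a single key field. The check_host_key function is a simplified model of ssh's decision: a matching key in any file wins, otherwise the first host entry with a different key is reported as the offending line. Hashed entries (|1|salt|HMAC-SHA1, written when HashKnownHosts is on) are what make a hostname unrecognizable when you read the file by eye.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """One length-prefixed 'string' in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def build_blob(key_type: str, key_material: bytes) -> bytes:
    """Public-key blob as it appears base64-encoded in *.pub and known_hosts.
    Only the single-field layout of ssh-ed25519 is modelled (RSA has two)."""
    return ssh_string(key_type.encode()) + ssh_string(key_material)


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-hex MD5 fingerprint, the form shown in the quoted warning."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Current ssh-keygen -l form: SHA-256 of the blob, base64 without padding."""
    return "SHA256:" + b64(hashlib.sha256(blob).digest()).rstrip("=")


def hash_host_field(hostname: str, salt: bytes) -> str:
    """Hashed host field written with HashKnownHosts yes: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (b64(salt), b64(mac))


def host_field_matches(field: str, hostname: str) -> bool:
    """Does a known_hosts host field name this host? Plain fields are a
    comma-separated list; hashed fields are recomputed with the stored salt.
    Wildcards, negation and [host]:port markers are not modelled."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(mac_b64))
    return hostname in field.split(",")


def check_host_key(known_hosts_files, hostname, offered_type, offered_blob):
    """Simplified model of ssh's host-key decision over several files.
    known_hosts_files: list of (path, contents) pairs in the order ssh reads
    them, e.g. the global /etc/ssh/ssh_known_hosts then ~/.ssh/known_hosts.
    Returns ("ok"|"changed", path, lineno) or ("unknown", None, None)."""
    verdict = ("unknown", None, None)
    for path, text in known_hosts_files:
        for lineno, raw in enumerate(text.splitlines(), start=1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            if len(parts) < 3:
                continue
            hosts, key_type, key_b64 = parts[0], parts[1], parts[2]
            if key_type != offered_type or not host_field_matches(hosts, hostname):
                continue
            if hmac.compare_digest(base64.b64decode(key_b64), offered_blob):
                return ("ok", path, lineno)          # a matching key anywhere wins
            if verdict[0] == "unknown":
                verdict = ("changed", path, lineno)  # first "offending" line
    return verdict


# Constructed sample data: keys for "gq" before and after a reinstall, a
# router key, and stand-ins for the two known_hosts files. Not real keys.
OLD_KEY = build_blob("ssh-ed25519", bytes(range(32)))
NEW_KEY = build_blob("ssh-ed25519", bytes(range(32, 64)))
ROUTER_KEY = build_blob("ssh-ed25519", bytes(range(64, 96)))
SALT = b"\x01" * 20

GLOBAL_KNOWN_HOSTS = "\n".join([
    "# constructed stand-in for /etc/ssh/ssh_known_hosts",
    "router,192.168.1.1 ssh-ed25519 " + b64(ROUTER_KEY),
    "gq,192.168.1.12 ssh-ed25519 " + b64(OLD_KEY),   # line 3: the stale entry
])

USER_KNOWN_HOSTS = "\n".join([
    "# constructed stand-in for /home/pec/.ssh/known_hosts (HashKnownHosts yes)",
    hash_host_field("gq", SALT) + " ssh-ed25519 " + b64(NEW_KEY),
])


def main():
    print("old key:", fingerprint_md5(OLD_KEY), fingerprint_sha256(OLD_KEY))
    print("new key:", fingerprint_md5(NEW_KEY), fingerprint_sha256(NEW_KEY))
    # User file deleted, so only the global file is consulted: still "changed" at line 3.
    print(check_host_key([("/etc/ssh/ssh_known_hosts", GLOBAL_KNOWN_HOSTS)],
                         "gq", "ssh-ed25519", NEW_KEY))
    # With the hashed user entry present as well, the new key is accepted.
    print(check_host_key([("/etc/ssh/ssh_known_hosts", GLOBAL_KNOWN_HOSTS),
                          ("/home/pec/.ssh/known_hosts", USER_KNOWN_HOSTS)],
                         "gq", "ssh-ed25519", NEW_KEY))


if __name__ == "__main__":
    main()
```

Run as-is, the script prints both fingerprint forms for the two constructed keys, then shows that with only the global file present the verdict stays "changed" at /etc/ssh/ssh_known_hosts line 3, and that a hashed user entry holding the new key turns it into "ok".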
