
Re: ssh-ing in inside private network



On Thu 31 Mar 2016 at 14:34:47 (+0200), tomas@tuxteam.de wrote:
> On Thu, Mar 31, 2016 at 01:27:35PM +0100, Lisi Reisz wrote:
> > It is installed and running.  I can ssh from Eros, but not into it.  If I just 
> > try to ssh from Tux-II to Eros, I get the error "Could not connect to host 
> > 192.168.0.4.".  I'm actually "fish"ing, but same difference.
> > 
> > I get a more helpful message form ssh:
> > lisi@Tux-II:~$ ssh peter@192.168.0.4
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> > Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> > It is also possible that a host key has just been changed.
> > The fingerprint for the ECDSA key sent by the remote host is
> > d9:2e:38:29:07:f8:8a:6d:4b:dd:28:60:ad:c9:e5:a3.
> > Please contact your system administrator.
> > Add correct host key in /home/lisi/.ssh/known_hosts to get rid of this 
> > message.
> > Offending ECDSA key in /home/lisi/.ssh/known_hosts:3
> > ECDSA host key for 192.168.0.4 has changed and you have requested strict 
> > checking.
> > Host key verification failed.
> > lisi@Tux-II:~$
> 
> Ah, yes. That means that Eros's (that is 192.168.0.4, right?) "ssh host key"
> has changed. Every host gets a "host key" the first time its ssh server is
> set up (usually assigned by random), which it presents to the client as
> an identification [1]. The client itself registers it the first time it sees
> it and yells bloody murder if that ever changes: that's what you are seeing
> above. Someone nasty is impersonating your good old Eros.
> 
> If you know Eros has just "changed personality", you just have to delete
> the record your ssh client has on Tux-II of that old host key. The text
> above tells you where: it's in /home/lisi/.ssh/known_hosts, line 3.
> 
> The next time you ssh into Eros you'll get a notice that Eros isn't known
> and whether to trust it -- from then on it's as before.

man ssh-keygen is a formidable page, but buried in there are commands
for doing this (as known_hosts is encrypted):

If foo is the remote host:

$ ssh-keygen -l -v -f ~/.ssh/known_hosts -t ecdsa -F foo

will display if foo is present in your file and

$ ssh-keygen -f ~/.ssh/known_hosts -t ecdsa -R foo

will remove it. (Hostname and IP address have to be handled individually.)
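To make the "handled individually" remark concrete, here is a small Python re-implementation of what `ssh-keygen -F` and `-R` do to a known_hosts file. It is an added example, not code from the post or from OpenSSH; the known_hosts lines and key blobs in it are constructed filler, and the fixed salt is only there to make the hashed entry reproducible. It matches both plain host fields and the `|1|salt|hmac|` form ssh writes when HashKnownHosts is on, which is why grep alone cannot always find an entry.

```python
"""Toy known_hosts matcher: the logic behind `ssh-keygen -F name` and `-R name`.

Added example, not from the mailing-list post or OpenSSH.  Key blobs below are
constructed filler, not real keys.  Plain and hashed host fields are handled;
'!' negations and '*' wildcards are left out for brevity.
"""
import base64
import hashlib
import hmac
from typing import List, Optional, Tuple


def hash_host(name: str, salt: bytes) -> str:
    """Build a hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, name))|."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(),
                          base64.b64encode(mac).decode())


def pattern_matches(pattern: str, name: str) -> bool:
    """Match one host pattern (plain or hashed) against a hostname or IP string."""
    if pattern.startswith("|1|"):
        parts = pattern.split("|")          # ['', '1', salt_b64, mac_b64, '']
        if len(parts) != 5:
            return False
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
        actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return pattern == name                  # plain entries are literal strings


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (host_field, key_type, key_blob), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if fields[0].startswith("@"):           # skip markers such as @cert-authority
        fields = fields[1:]
    if len(fields) < 3:
        return None
    return fields[0], fields[1], fields[2]


def line_matches(line: str, name: str) -> bool:
    """The host field is a comma-separated list of patterns; any one matching counts."""
    parsed = parse_line(line)
    if parsed is None:
        return False
    return any(pattern_matches(p, name) for p in parsed[0].split(","))


def find_host(lines: List[str], name: str) -> List[int]:
    """1-based numbers of the lines holding a key for name (what `-F` reports)."""
    return [n for n, line in enumerate(lines, start=1) if line_matches(line, name)]


def remove_host(lines: List[str], name: str) -> List[str]:
    """Drop every line whose host field matches name (what `-R` does).

    Only the name you give is looked up: a separate entry for the same
    machine's IP address is untouched, hence the post's "handled individually".
    """
    return [line for line in lines if not line_matches(line, name)]


# Constructed sample file.  "foo" appears twice: once plain, once hashed.
SALT = bytes(range(20))                      # fixed salt, for reproducibility only
KNOWN_HOSTS = [
    "# constructed sample; key blobs are filler, not real keys",
    "tux-ii,192.168.0.10 ssh-ed25519 AAAAfiller1",
    "192.168.0.4 ecdsa-sha2-nistp256 AAAAfiller2",
    "foo ecdsa-sha2-nistp256 AAAAfiller3",
    hash_host("foo", SALT) + " ssh-rsa AAAAfiller4",
]

if __name__ == "__main__":
    for name in ("foo", "192.168.0.4", "tux-ii"):
        print("%-12s found on line(s): %s" % (name, find_host(KNOWN_HOSTS, name)))
    left = remove_host(KNOWN_HOSTS, "foo")
    print("after removing foo, 192.168.0.4 is still on line(s):",
          find_host(left, "192.168.0.4"))
```

Running it shows "foo" on lines 4 and 5 (the hashed entry only turns up because the salt from the file is fed back into the HMAC), and removing "foo" leaves the 192.168.0.4 entry in place, so a stale key for the address would still trip the warning until it is removed by its own name.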

Related to this, if you're in the habit of installing systems through
the ssh facility (which makes it easy to screen-capture the process),
I find it useful to have a bash function defined as:

ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null ${2:-installer}@"$1"

This avoids polluting my local host with the ephemeral keys that the
debian-installer just generated on the host being installed to.
Using this command still generates Lisi's message (which you OK),
and the exchanged keys are used but then thrown away.

> > Previously (under Wheezy) using Fish, I have been getting the first part of 
> > the message and asked if I want to accept the new identification.  Fish 
> > presumably then edited the file.  So I need static IPs fast!  or a hosts 
> > file?  I have some learning to do.  Static IPs I have no problem over, I just 
> > need to do it.  It clearly needs to move up my priority list.  (New router.  
> > reserved MAC numbers not yet set up in the DHCP section.)
> 
> Basically it hasn't much to do with that -- only that your SSH clients (be
> it fish, be it ssh) associate the host name/IP address they see with the
> host keys. Of course, if the IPs keep changing, then they have a moving
> target, and you'll have a difficult life :-)

Having read Brian's post here (thanks), I'm going to try decimating my
hosts file and using foo.local to see how it works out (even though my
router assigns all the IP numbers statically).

Cheers,
David.