How To Fix Offending key in ~/.ssh/known_hosts file

by Ramesh Natarajan on April 30, 2010

As we discussed earlier in our basic ssh client commands article, when you ssh to a machine for the 1st time (or whenever the key on the remote machine changes), you will be prompted to answer ‘yes’ to confirm the authenticity of the host.

This behaviour is controlled by the StrictHostKeyChecking ssh parameter. By default StrictHostKeyChecking is set to yes.

The default setting of “StrictHostKeyChecking yes” is the best option from a security point of view, as it protects your system against trojan horse attacks. If you don’t know what you are doing, you should not set StrictHostKeyChecking to no.

Sometimes it might be useful to disable it temporarily. For example, when connecting to a lot of known hosts for the 1st time, you might want to disable this feature (i.e. the prompt asking you to accept each host key) and let ssh add all the host keys automatically. Later you can enable the feature again.

When you have configured automated passwordless login to a server and the remote host key keeps changing for a reason you understand, you might want to consider setting StrictHostKeyChecking to no until the problem of the host key changing is fixed.

From the ssh command line, you can pass the StrictHostKeyChecking option as shown below. You can also set this option in your ssh_config file.

# ssh -o 'StrictHostKeyChecking no' user@host

If you are logging in to the server for the 1st time, it will permanently add the RSA host key to the list of known hosts without prompting you.

But if there is a key change (normally when the OS or sshd is reinstalled, the remote host key will change), then you have to delete the old invalid key as shown below.

Remove the offending ssh key

Following error will be displayed when the remote host key changes (after you’ve connected earlier with a valid remote host key).

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
a7:a8:f2:97:94:33:58:b7:9d:bc:e0:a6:6b:f7:0a:29.
Please contact your system administrator.
Add correct host key in /home/ramesh/.ssh/known_hosts to get rid of this message.
Offending key in /home/ramesh/.ssh/known_hosts: 6
Permission denied (publickey,password).

You have to remove the key to proceed further. Use the following command to remove the offending key.

# sed -i '6d' ~/.ssh/known_hosts

Note: Change the 6d according to the line number shown.

If your sed does not have -i option, use perl or use some editor to remove the offending key.

Perl solution:

# perl -pi -e 's/\Q$_// if ($. == 6);' ~/.ssh/known_hosts

Note: Change the line number from 6 to appropriate line number.
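The two steps above (read the line number from the ssh warning, then delete that line) as an added shell example, not code from the original article. It assumes a POSIX sh with awk and mktemp available, avoids "sed -i" so it also works on systems whose sed lacks that option, and keeps a backup of the file before changing it; the sample known_hosts entries are constructed.

```shell
#!/bin/sh
# Added example: remove the line that ssh reports as "Offending key in <file>: <N>".

# Print the line number from captured ssh stderr text, or nothing if the
# "Offending key" message is not present.
offending_line_number() {
    printf '%s\n' "$1" \
        | sed -n 's/^Offending key in [^:]*: \([0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Delete line $2 from file $1 via awk and a temp file (portable, no sed -i).
# A copy of the original file is kept as "$1.bak" before it is replaced.
remove_known_hosts_line() {
    file=$1
    n=$2
    case $n in
        ''|*[!0-9]*) echo "invalid line number: '$n'" >&2; return 1 ;;
    esac
    cp "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1
    # mktemp creates the temp file mode 0600, which is a sane mode for known_hosts.
    awk -v n="$n" 'NR != n' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed demo: three fake known_hosts entries, and ssh's warning line
# naming entry 2 as the offending one (key material below is made up).
demo() {
    kh=$(mktemp)
    printf 'host-a ssh-ed25519 AAAAC3Nza...KEY_A\n' > "$kh"
    printf 'host-b ssh-rsa AAAAB3Nza...KEY_B\n' >> "$kh"
    printf 'host-c ssh-ed25519 AAAAC3Nza...KEY_C\n' >> "$kh"
    msg="Offending key in $kh: 2"
    n=$(offending_line_number "$msg")
    remove_known_hosts_line "$kh" "$n"
    echo "remaining entries after removing line $n:"
    cat "$kh"              # host-a and host-c remain; host-b is gone
    rm -f "$kh" "$kh.bak"
}

demo
```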


7 comments

1 unixadmin007 April 30, 2010 at 2:30 am

How can we do the same in vi, i.e. without opening the vi editor, how can we delete this line number?

2 fedov April 30, 2010 at 4:22 am

A less cryptic Perl-Solution:

perl -ni -e 'print if ($. != 6);' ~/.ssh/known_hosts

3 Lonnie Olson April 30, 2010 at 10:41 am

You should update your post to include the official OpenSSH way to do it.

ssh-keygen -R hostname

4 Mithun April 30, 2010 at 12:39 pm

# More straight forward

# Remove offending key
ssh-keygen -R hostname

# Add it back
ssh -o 'StrictHostKeyChecking no' user@host

5 Jim Douglas April 30, 2010 at 3:52 pm

Thanks…. this was a good tip for me…..

6 Sivakumar May 5, 2010 at 10:49 pm

The below option also does the same trick, with much less hassle

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no

7 Thiruvenkatasamy January 10, 2012 at 9:48 am

I faced the same issue on two different Unix flavors. The first time I used the “sed” with -i syntax. It worked out.
The second time, on SunOS, it did not work and I tried the “perl” syntax… awesome..!!
Good result … Thanks Geeks for your stuff!!!
