2013
07.23

this article assumes that you have recently become paranoid while accessing a server and suspect that someone has sent you an erroneous / malicious host key for MITM or some other weird purpose.

this article also assumes that you have access to the other box already to do key verification.

so you go to ssh into one of your boxes in your network that you have ssh’d into hundreds of times and all of a sudden you are confronted with an authenticity check like so:

$ ssh USER@SERVER
The authenticity of host 'SERVER (0.0.0.0)' can't be established.
RSA key fingerprint is ff:ff:ff:ff:ff:ff:de:ad:be:ef:00:00:00:00:00:00.
Are you sure you want to continue connecting (yes/no)?

info changed
this message can occur if the box has been rebuilt, or if you deleted the contents of /home/USER/.ssh/

or

$ ssh USER@SERVER
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@      WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for SERVER has changed,
and the key for the corresponding IP address 0.0.0.0
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff.
Please contact your system administrator.
Add correct host key in /home/USER/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/USER/.ssh/known_hosts:10
RSA host key for SERVER has changed and you have requested strict checking.
Host key verification failed.

info changed
this message can occur if the box has been rebuilt with the same servername

you know that you ssh to this server repeatedly and never had to worry about this.
so how can you verify that there isn't anything fishy going on?

on the remote server, let's check the fingerprint of the rsa/dsa host keys:

$ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
2048 ff:ff:ff:ff:ff:ff:de:ad:be:ef:00:00:00:00:00:00  root@localhost (RSA)

RSA

$ ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub
1024 ff:ff:ff:ff:ff:ff:de:ad:be:ef:00:00:00:00:00:00  root@localhost (DSA)

DSA

obviously the fingerprints would be different for rsa and dsa, but i changed them to something other than what my servers are showing.

with these two checks, we can now verify whether the fingerprint shown by the ssh client matches the one on the server, and if they don't match, we can get to work figuring out why.
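the same comparison done in code, as an added example that is not part of the original post: it computes the colon-separated md5 fingerprint that `ssh-keygen -lf` prints from a `.pub` line and compares it with the fingerprint pulled out of the ssh warning text. it goes slightly beyond the post by also producing the `SHA256:` form that newer OpenSSH releases print by default; the sample key is constructed filler and all function names are hypothetical.

```python
import base64
import hashlib
import re
import struct


def _ssh_string(data):
    # ssh wire format: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data


# constructed sample, NOT a usable key: type, exponent 65537, filler "modulus"
_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(bytes(range(1, 256)))
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(_BLOB).decode() + " root@localhost"

# 16 colon-separated hex pairs, as printed in the prompts above
FP_RE = re.compile(r"\b[0-9a-f]{2}(?::[0-9a-f]{2}){15}\b")


def key_blob(pubkey_line):
    # a .pub line is "<type> <base64 blob> [comment]"
    return base64.b64decode(pubkey_line.split()[1])


def md5_fingerprint(pubkey_line):
    # the fingerprint is just md5 over the decoded key blob
    digest = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(pubkey_line):
    # newer OpenSSH: unpadded base64 of sha256 over the same blob
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def offered_fingerprint(ssh_output):
    # fingerprint the client says the remote end presented, or None
    match = FP_RE.search(ssh_output)
    return match.group(0) if match else None


def host_key_matches(ssh_output, pubkey_line):
    offered = offered_fingerprint(ssh_output)
    return offered is not None and offered == md5_fingerprint(pubkey_line)


if __name__ == "__main__":
    warning = ("The fingerprint for the RSA key sent by the remote host is\n"
               "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff.\n")
    print("server key:", md5_fingerprint(SAMPLE_PUB), sha256_fingerprint(SAMPLE_PUB))
    print("offered   :", offered_fingerprint(warning))
    print("match     :", host_key_matches(warning, SAMPLE_PUB))
```

the `.pub` line has to be read over a path you already trust (console, or a session opened before the warning showed up), otherwise you are comparing the suspect key against itself.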

charlie root