Re: warning: remote host identification has changed!

comphelp@xxxxxxxxx (Todd H.) writes:

Rupert Eibauer <news@xxxxxxxxxxxxxxxxx> writes:

Hello,

I am getting this message occasionally. How big is the chance that it is
really a man-in-the-middle attack?

Non zero.

The first time I got this error, I have deleted the offending line in
the $HOME/.ssh/known_hosts file, and just retried. The authentication
using the authorized_keys file was also not working, so I entered the
root password.

After the same happened again a few minutes later, I became suspicious
and created a new ssh key and root password.

But now the same happens again: I get the following message, but not
always. It happens to work ~10 times or minutes in a row, and then I get
the error message a few times, without any recognizable pattern, and
from the same shell.

It seems to start working again after I try the same from a different
user on my local machine.

Is www a single box, or a load balanced IP of some sort?

If it's a round robin dns or some other load balanced address, your
ssh client will be confused as it may be getting a different sshd
every it hits the www address.

The antidote in that case is to pick a single static ip to login to
and not ssh to a load balanced address.

The right thing to do when a key changes is to find out why, have the
admin verify the right keys for you by telling you the output of them
running
ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
from a trusted console.

I forgot to add here:

"BEFORE you accept the new key and connect to the server"


The key shouldn't legitimately change frequently. If you are the
admin for the box, it shouldn't ever change without your knowledge.
Sometimes updates to ssh cause a new key to be generated, or naturally
when the system is wiped and reinstalled.

Best Regards,
--
Todd H.
http://www.toddh.net/

--
Todd H.
http://www.toddh.net/
.