SSH host key seems to be changing unexpectedlySmoothest workflow to handle SSH host verification errors?Google cloud server ssh host key changed unexpectedly?Installing ssh key“Add correct host key in known_hosts” / multiple ssh host keys per hostname?Disable specific OpenSSH host keysssh server: could not load host keySsh host key verificationIgnore or replace host key if it differsSSH: Safe for client to host private RSA key?What significance does the user/host at the end of an SSH public key file hold?ssh-keyscan does not reveal DSA ssh-dss keyRequire SSH key + Google Authenticator for one account, SSH key only for another

What is the maximum that Player 1 can win?

Why do you need to heat the pan before heating the olive oil?

What is that ceiling compartment of a Boeing 737?

Explicit song lyrics checker

I just entered the USA without passport control at Atlanta airport

How can a clan of females defend themselves in the ancient world against wandering bands?

Densest sphere packing

How is the idea of "girlfriend material" naturally expressed in Russian?

Am I legally required to provide a (GPL licensed) source code even after a project is abandoned?

How can I restore a master database from its bak file?

King or Queen-Which piece is which?

What does it cost to buy a tavern?

Draw a symmetric alien head

Is there any way to revive my Sim?

Can I apply for a working holiday visa at age 30 and get the full 12 months?

Are intrusions within a foreign embassy considered an act of war?

How can the US president give an order to a civilian?

Why is Havana covered in 5-digit numbers in Our Man in Havana?

Can a character learn spells from someone else's spellbook and then sell it?

Syntax and semantics of XDV commands (XeTeX)

Story of a Witch Boy

Why things float in space, though there is always gravity of our star is present

Would a 7805 5 V regulator drain a 9 V battery?

Are there examples of rowers who also fought?



SSH host key seems to be changing unexpectedly


Smoothest workflow to handle SSH host verification errors?Google cloud server ssh host key changed unexpectedly?Installing ssh key“Add correct host key in known_hosts” / multiple ssh host keys per hostname?Disable specific OpenSSH host keysssh server: could not load host keySsh host key verificationIgnore or replace host key if it differsSSH: Safe for client to host private RSA key?What significance does the user/host at the end of an SSH public key file hold?ssh-keyscan does not reveal DSA ssh-dss keyRequire SSH key + Google Authenticator for one account, SSH key only for another






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








7















I rolled out a new /etc/ssh/sshd_config with Puppet on an Ubuntu 12.04 test server. The config was exactly the same as the previous config, except it had removed the following line:



HostKey /etc/ssh/ssh_host_ecdsa_key


I noticed I was getting a lot of similar but varying errors trying to connect to the box starting then, such as:
"The RSA host key for %hostname% has changed,
and the key for the corresponding IP address %ipaddress%
is unchanged."



I assumed this was because my computer was previously using the ECDSA key by default and that was unavailable now. So I added that line back to sshd_config and restarted SSH.



It did not resolve the issue entirely, and I am running into constant problems ever since then. I'll be able to connect to the server just fine several times, maybe even for several days in a row. Then all of a sudden I start getting errors that the host key has changed and the server stops accepting my public key for authentication.



It always seems that once I mess around with it for a little while and connect from a different location, I will suddenly be able to connect with my public key again and I no longer get the error about a possible man-in-the-middle attack.



I tried regenerating all 3 host keys several days ago (removed them and ran dpkg-reconfigure openssh-server which regenerated them). As expected I had to remove the old keys and accept the new ones before I could connect. I thought maybe it was fixed then, but the problem is now back.



Nothing has modified any of the host keys in /etc/ssh/ since I regenerated them last--so what could possibly cause me to frequently not be able to connect, have my public key not work, then eventually accept the new key and have things start working fine again for a while?



When things are not working (when I get the error about the host key changing, and then the server stops accepting my public key), nothing is written to the server's /var/log/auth.log. This leads me to think that maybe it's somehow hitting a different machine sometimes, but I don't know how that's possible either as the DNS entry is correct and always returns the same IP address.






ubuntu ssh ssh-keys hostkey







share|improve this question
























  • Related: serverfault.com/questions/416779/…

    – Zoredache
    Sep 6 '13 at 23:08











  • It is related, but my question is more about why this problem keeps recurring when the server's keys aren't changing, rather than what to do when I get the error.

    – Ben
    Sep 8 '13 at 2:29

















7















I rolled out a new /etc/ssh/sshd_config with Puppet on an Ubuntu 12.04 test server. The config was exactly the same as the previous config, except it had removed the following line:



HostKey /etc/ssh/ssh_host_ecdsa_key


I noticed I was getting a lot of similar but varying errors trying to connect to the box starting then, such as:
"The RSA host key for %hostname% has changed,
and the key for the corresponding IP address %ipaddress%
is unchanged."



I assumed this was because my computer was previously using the ECDSA key by default and that was unavailable now. So I added that line back to sshd_config and restarted SSH.



It did not resolve the issue entirely, and I am running into constant problems ever since then. I'll be able to connect to the server just fine several times, maybe even for several days in a row. Then all of a sudden I start getting errors that the host key has changed and the server stops accepting my public key for authentication.



It always seems that once I mess around with it for a little while and connect from a different location, I will suddenly be able to connect with my public key again and I no longer get the error about a possible man-in-the-middle attack.



I tried regenerating all 3 host keys several days ago (removed them and ran dpkg-reconfigure openssh-server which regenerated them). As expected I had to remove the old keys and accept the new ones before I could connect. I thought maybe it was fixed then, but the problem is now back.



Nothing has modified any of the host keys in /etc/ssh/ since I regenerated them last--so what could possibly cause me to frequently not be able to connect, have my public key not work, then eventually accept the new key and have things start working fine again for a while?



When things are not working (when I get the error about the host key changing, and then the server stops accepting my public key), nothing is written to the server's /var/log/auth.log. This leads me to think that maybe it's somehow hitting a different machine sometimes, but I don't know how that's possible either as the DNS entry is correct and always returns the same IP address.






ubuntu ssh ssh-keys hostkey







share|improve this question
























  • Related: serverfault.com/questions/416779/…

    – Zoredache
    Sep 6 '13 at 23:08











  • It is related, but my question is more about why this problem keeps recurring when the server's keys aren't changing, rather than what to do when I get the error.

    – Ben
    Sep 8 '13 at 2:29













7












7








7


1






I rolled out a new /etc/ssh/sshd_config with Puppet on an Ubuntu 12.04 test server. The config was exactly the same as the previous config, except it had removed the following line:



HostKey /etc/ssh/ssh_host_ecdsa_key


I noticed I was getting a lot of similar but varying errors trying to connect to the box starting then, such as:
"The RSA host key for %hostname% has changed,
and the key for the corresponding IP address %ipaddress%
is unchanged."



I assumed this was because my computer was previously using the ECDSA key by default and that was unavailable now. So I added that line back to sshd_config and restarted SSH.



It did not resolve the issue entirely, and I am running into constant problems ever since then. I'll be able to connect to the server just fine several times, maybe even for several days in a row. Then all of a sudden I start getting errors that the host key has changed and the server stops accepting my public key for authentication.



It always seems that once I mess around with it for a little while and connect from a different location, I will suddenly be able to connect with my public key again and I no longer get the error about a possible man-in-the-middle attack.



I tried regenerating all 3 host keys several days ago (removed them and ran dpkg-reconfigure openssh-server which regenerated them). As expected I had to remove the old keys and accept the new ones before I could connect. I thought maybe it was fixed then, but the problem is now back.



Nothing has modified any of the host keys in /etc/ssh/ since I regenerated them last--so what could possibly cause me to frequently not be able to connect, have my public key not work, then eventually accept the new key and have things start working fine again for a while?



When things are not working (when I get the error about the host key changing, and then the server stops accepting my public key), nothing is written to the server's /var/log/auth.log. This leads me to think that maybe it's somehow hitting a different machine sometimes, but I don't know how that's possible either as the DNS entry is correct and always returns the same IP address.






ubuntu ssh ssh-keys hostkey







share|improve this question
















I rolled out a new /etc/ssh/sshd_config with Puppet on an Ubuntu 12.04 test server. The config was exactly the same as the previous config, except it had removed the following line:



HostKey /etc/ssh/ssh_host_ecdsa_key


I noticed I was getting a lot of similar but varying errors trying to connect to the box starting then, such as:
"The RSA host key for %hostname% has changed,
and the key for the corresponding IP address %ipaddress%
is unchanged."



I assumed this was because my computer was previously using the ECDSA key by default and that was unavailable now. So I added that line back to sshd_config and restarted SSH.



It did not resolve the issue entirely, and I am running into constant problems ever since then. I'll be able to connect to the server just fine several times, maybe even for several days in a row. Then all of a sudden I start getting errors that the host key has changed and the server stops accepting my public key for authentication.



It always seems that once I mess around with it for a little while and connect from a different location, I will suddenly be able to connect with my public key again and I no longer get the error about a possible man-in-the-middle attack.



I tried regenerating all 3 host keys several days ago (removed them and ran dpkg-reconfigure openssh-server which regenerated them). As expected I had to remove the old keys and accept the new ones before I could connect. I thought maybe it was fixed then, but the problem is now back.



Nothing has modified any of the host keys in /etc/ssh/ since I regenerated them last--so what could possibly cause me to frequently not be able to connect, have my public key not work, then eventually accept the new key and have things start working fine again for a while?



When things are not working (when I get the error about the host key changing, and then the server stops accepting my public key), nothing is written to the server's /var/log/auth.log. This leads me to think that maybe it's somehow hitting a different machine sometimes, but I don't know how that's possible either as the DNS entry is correct and always returns the same IP address.






ubuntu ssh ssh-keys hostkey




ubuntu ssh ssh-keys hostkey






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 7 '17 at 18:36









Zaz

5481415




5481415










asked Sep 6 '13 at 19:14









BenBen

3815




3815












  • Related: serverfault.com/questions/416779/…

    – Zoredache
    Sep 6 '13 at 23:08











  • It is related, but my question is more about why this problem keeps recurring when the server's keys aren't changing, rather than what to do when I get the error.

    – Ben
    Sep 8 '13 at 2:29

















  • Related: serverfault.com/questions/416779/…

    – Zoredache
    Sep 6 '13 at 23:08











  • It is related, but my question is more about why this problem keeps recurring when the server's keys aren't changing, rather than what to do when I get the error.

    – Ben
    Sep 8 '13 at 2:29
















Related: serverfault.com/questions/416779/…

– Zoredache
Sep 6 '13 at 23:08





Related: serverfault.com/questions/416779/…

– Zoredache
Sep 6 '13 at 23:08













It is related, but my question is more about why this problem keeps recurring when the server's keys aren't changing, rather than what to do when I get the error.

– Ben
Sep 8 '13 at 2:29





It is related, but my question is more about why this problem keeps recurring when the server's keys aren't changing, rather than what to do when I get the error.

– Ben
Sep 8 '13 at 2:29










2 Answers
2






active

oldest

votes


















6














There are three common reasons you would be getting that message.

In rough order of probability they are:



  1. You have changed the host keys yourself, and didn't clear or update them on your client machines.

    This is the most common situation. Checksum the key files and be ABSOLUTELY CERTAIN they haven't changed.


  2. You have changed your SSH configuration to present (or request) a different key type than before.

    e.g. you previously wanted RSA or DSA keys, now you use ECDSA -- that's a "key change".

    If this is the case, verify and accept the new keys (or if this isn't what you wanted, undo the change).

    (It sounds like you're in situation #2 -- Undo your changes, restart sshd, and verify that things work as expected. If you haven't accepted the new keys anywhere undoing the change should make the error go away.)


  3. SOMEONE IS DOING SOMETHING NASTY

    The Man-in-the-Middle attack SSH warns you about has reared its ugly head. Someone is actively trying to intercept your communication to steal your private key or do something else you almost certainly don't want them to be doing.


If you've eliminated 1, and you are certain you didn't do 2, it behooves you to assume 3 until you can prove otherwise. That means Don't log in. -- All the SSH security in the world doesn't help when users ignore the big giant warning banner and hand their keys over to attackers.



Investigate the channel between you and your server, check the server's connection logs (from a known good terminal) while you try to log in, etc. -- there are so many ways to execute an attack here that I can't enumerate all the possible countermeasures and detection strategies, but the folks over at IT Security would surely have some ideas.






share|improve this answer























  • Thanks for the quick answer. I believe that I can eliminate #1 and #2 because every time this happens, I eventually remove the old key and add the new key to my known_hosts file during troubleshooting, which sometimes then allows me to log in with pubkey authentication, and other times (usually from my Windows machine) it still gives me trouble. But none-the-less, I eventually get it working from everywhere, and then some period of time goes by and I get another warning like this. It does lead me to think it could be #3, but so far I don't see any evidence of it

    – Ben
    Sep 6 '13 at 22:06












  • And it also seems strange that this coincided with me changing the sshd config (but then changing it back--even diffing the file with the original shows no changes) and only started giving me trouble after that. I thought maybe I just screwed something up on the machine, but I've re-imaged and re-applied this configuration again (with puppet, but that should have no bearing since puppet isn't making any changes when this issue occurs) and I have the same issue at seemingly random intervals each time.

    – Ben
    Sep 6 '13 at 22:10












  • Another interesting piece of information (maybe) is that sometimes the error is regarding the server's RSA host key, and other times it's regarding the ECDSA host key. Is it normal that it would be checking both types of keys from the same machine?

    – Ben
    Sep 6 '13 at 22:14







  • 1





    @Ben There are other possible causes I haven't listed - but these are the three that I've actually seen in the real world. If you're certain about the configuration state try using ssh-keyscan from some of the affected client machines and check the server logs. Also note that if you're doing something funky like sharing your known_hosts file between different versions of the ssh client that could be a possible cause of this strangeness (I've never done such a thing so I can't say for sure...)

    – voretaq7
    Sep 6 '13 at 22:53






  • 1





    You've helped me narrow this down. I some some additional checking and realized that the nameservers at Rackspace were returning two different records for the same hostname. I don't know where one came from, but it seemed that either one or the other IP would be returned first in the list (seemingly at random). I eventually found and eradicated the stray DNS record and haven't received this problem again since then.

    – Ben
    Sep 10 '13 at 17:50


















0














if possible/for testing/debug:



  • use IPs instead of hostnames (just to make sure)

  • are there multiple machines having the same IP (DHCP gave IP that was used by another host with fixed IP) on the net?

  • if machines are using DHCP, their IPs can change at random times (order of bootup etc) maybe you are now trying to connect to a different host - enable password auth and see where you land.

  • on the client cat /home/username/.ssh/known_hosts look for lines with duplicate keys but different ips/hostnames

for example:



192.168.56.3 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
192.168.56.4 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=





share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "2"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f537035%2fssh-host-key-seems-to-be-changing-unexpectedly%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    6














    There are three common reasons you would be getting that message.

    In rough order of probability they are:



    1. You have changed the host keys yourself, and didn't clear or update them on your client machines.

      This is the most common situation. Checksum the key files and be ABSOLUTELY CERTAIN they haven't changed.


    2. You have changed your SSH configuration to present (or request) a different key type than before.

      e.g. you previously wanted RSA or DSA keys, now you use ECDSA -- that's a "key change".

      If this is the case, verify and accept the new keys (or if this isn't what you wanted, undo the change).

      (It sounds like you're in situation #2 -- Undo your changes, restart sshd, and verify that things work as expected. If you haven't accepted the new keys anywhere undoing the change should make the error go away.)


    3. SOMEONE IS DOING SOMETHING NASTY

      The Man-in-the-Middle attack SSH warns you about has reared its ugly head. Someone is actively trying to intercept your communication to steal your private key or do something else you almost certainly don't want them to be doing.


    If you've eliminated 1, and you are certain you didn't do 2, it behooves you to assume 3 until you can prove otherwise. That means Don't log in. -- All the SSH security in the world doesn't help when users ignore the big giant warning banner and hand their keys over to attackers.



    Investigate the channel between you and your server, check the server's connection logs (from a known good terminal) while you try to log in, etc. -- there are so many ways to execute an attack here that I can't enumerate all the possible countermeasures and detection strategies, but the folks over at IT Security would surely have some ideas.






    share|improve this answer























    • Thanks for the quick answer. I believe that I can eliminate #1 and #2 because every time this happens, I eventually remove the old key and add the new key to my known_hosts file during troubleshooting, which sometimes then allows me to log in with pubkey authentication, and other times (usually from my Windows machine) it still gives me trouble. But none-the-less, I eventually get it working from everywhere, and then some period of time goes by and I get another warning like this. It does lead me to think it could be #3, but so far I don't see any evidence of it

      – Ben
      Sep 6 '13 at 22:06












    • And it also seems strange that this coincided with me changing the sshd config (but then changing it back--even diffing the file with the original shows no changes) and only started giving me trouble after that. I thought maybe I just screwed something up on the machine, but I've re-imaged and re-applied this configuration again (with puppet, but that should have no bearing since puppet isn't making any changes when this issue occurs) and I have the same issue at seemingly random intervals each time.

      – Ben
      Sep 6 '13 at 22:10












    • Another interesting piece of information (maybe) is that sometimes the error is regarding the server's RSA host key, and other times it's regarding the ECDSA host key. Is it normal that it would be checking both types of keys from the same machine?

      – Ben
      Sep 6 '13 at 22:14







    • 1





      @Ben There are other possible causes I haven't listed - but these are the three that I've actually seen in the real world. If you're certain about the configuration state try using ssh-keyscan from some of the affected client machines and check the server logs. Also note that if you're doing something funky like sharing your known_hosts file between different versions of the ssh client that could be a possible cause of this strangeness (I've never done such a thing so I can't say for sure...)

      – voretaq7
      Sep 6 '13 at 22:53






    • 1





      You've helped me narrow this down. I some some additional checking and realized that the nameservers at Rackspace were returning two different records for the same hostname. I don't know where one came from, but it seemed that either one or the other IP would be returned first in the list (seemingly at random). I eventually found and eradicated the stray DNS record and haven't received this problem again since then.

      – Ben
      Sep 10 '13 at 17:50















    6














    There are three common reasons you would be getting that message.

    In rough order of probability they are:



    1. You have changed the host keys yourself, and didn't clear or update them on your client machines.

      This is the most common situation. Checksum the key files and be ABSOLUTELY CERTAIN they haven't changed.


    2. You have changed your SSH configuration to present (or request) a different key type than before.

      e.g. you previously wanted RSA or DSA keys, now you use ECDSA -- that's a "key change".

      If this is the case, verify and accept the new keys (or if this isn't what you wanted, undo the change).

      (It sounds like you're in situation #2 -- Undo your changes, restart sshd, and verify that things work as expected. If you haven't accepted the new keys anywhere undoing the change should make the error go away.)


    3. SOMEONE IS DOING SOMETHING NASTY

      The Man-in-the-Middle attack SSH warns you about has reared its ugly head. Someone is actively trying to intercept your communication to steal your private key or do something else you almost certainly don't want them to be doing.


    If you've eliminated 1, and you are certain you didn't do 2, it behooves you to assume 3 until you can prove otherwise. That means Don't log in. -- All the SSH security in the world doesn't help when users ignore the big giant warning banner and hand their keys over to attackers.



    Investigate the channel between you and your server, check the server's connection logs (from a known good terminal) while you try to log in, etc. -- there are so many ways to execute an attack here that I can't enumerate all the possible countermeasures and detection strategies, but the folks over at IT Security would surely have some ideas.






    share|improve this answer























    • Thanks for the quick answer. I believe that I can eliminate #1 and #2 because every time this happens, I eventually remove the old key and add the new key to my known_hosts file during troubleshooting, which sometimes then allows me to log in with pubkey authentication, and other times (usually from my Windows machine) it still gives me trouble. But none-the-less, I eventually get it working from everywhere, and then some period of time goes by and I get another warning like this. It does lead me to think it could be #3, but so far I don't see any evidence of it

      – Ben
      Sep 6 '13 at 22:06












    • And it also seems strange that this coincided with me changing the sshd config (but then changing it back--even diffing the file with the original shows no changes) and only started giving me trouble after that. I thought maybe I just screwed something up on the machine, but I've re-imaged and re-applied this configuration again (with puppet, but that should have no bearing since puppet isn't making any changes when this issue occurs) and I have the same issue at seemingly random intervals each time.

      – Ben
      Sep 6 '13 at 22:10












    • Another interesting piece of information (maybe) is that sometimes the error is regarding the server's RSA host key, and other times it's regarding the ECDSA host key. Is it normal that it would be checking both types of keys from the same machine?

      – Ben
      Sep 6 '13 at 22:14







    • 1





      @Ben There are other possible causes I haven't listed - but these are the three that I've actually seen in the real world. If you're certain about the configuration state try using ssh-keyscan from some of the affected client machines and check the server logs. Also note that if you're doing something funky like sharing your known_hosts file between different versions of the ssh client that could be a possible cause of this strangeness (I've never done such a thing so I can't say for sure...)

      – voretaq7
      Sep 6 '13 at 22:53






    • 1





      You've helped me narrow this down. I some some additional checking and realized that the nameservers at Rackspace were returning two different records for the same hostname. I don't know where one came from, but it seemed that either one or the other IP would be returned first in the list (seemingly at random). I eventually found and eradicated the stray DNS record and haven't received this problem again since then.

      – Ben
      Sep 10 '13 at 17:50













    6












    6








    6







    There are three common reasons you would be getting that message.

    In rough order of probability they are:



    1. You have changed the host keys yourself, and didn't clear or update them on your client machines.

      This is the most common situation. Checksum the key files and be ABSOLUTELY CERTAIN they haven't changed.


    2. You have changed your SSH configuration to present (or request) a different key type than before.

      e.g. you previously wanted RSA or DSA keys, now you use ECDSA -- that's a "key change".

      If this is the case, verify and accept the new keys (or if this isn't what you wanted, undo the change).

      (It sounds like you're in situation #2 -- Undo your changes, restart sshd, and verify that things work as expected. If you haven't accepted the new keys anywhere undoing the change should make the error go away.)


    3. SOMEONE IS DOING SOMETHING NASTY

      The Man-in-the-Middle attack SSH warns you about has reared its ugly head. Someone is actively trying to intercept your communication to steal your private key or do something else you almost certainly don't want them to be doing.


    If you've eliminated 1, and you are certain you didn't do 2, it behooves you to assume 3 until you can prove otherwise. That means Don't log in. -- All the SSH security in the world doesn't help when users ignore the big giant warning banner and hand their keys over to attackers.



    Investigate the channel between you and your server, check the server's connection logs (from a known good terminal) while you try to log in, etc. -- there are so many ways to execute an attack here that I can't enumerate all the possible countermeasures and detection strategies, but the folks over at IT Security would surely have some ideas.






    share|improve this answer













    There are three common reasons you would be getting that message.

    In rough order of probability they are:



    1. You have changed the host keys yourself, and didn't clear or update them on your client machines.

      This is the most common situation. Checksum the key files and be ABSOLUTELY CERTAIN they haven't changed.


    2. You have changed your SSH configuration to present (or request) a different key type than before.

      e.g. you previously wanted RSA or DSA keys, now you use ECDSA -- that's a "key change".

      If this is the case, verify and accept the new keys (or if this isn't what you wanted, undo the change).

      (It sounds like you're in situation #2 -- Undo your changes, restart sshd, and verify that things work as expected. If you haven't accepted the new keys anywhere undoing the change should make the error go away.)


    3. SOMEONE IS DOING SOMETHING NASTY

      The Man-in-the-Middle attack SSH warns you about has reared its ugly head. Someone is actively trying to intercept your communication to steal your private key or do something else you almost certainly don't want them to be doing.


    If you've eliminated 1, and you are certain you didn't do 2, it behooves you to assume 3 until you can prove otherwise. That means Don't log in. -- All the SSH security in the world doesn't help when users ignore the big giant warning banner and hand their keys over to attackers.



    Investigate the channel between you and your server, check the server's connection logs (from a known good terminal) while you try to log in, etc. -- there are so many ways to execute an attack here that I can't enumerate all the possible countermeasures and detection strategies, but the folks over at IT Security would surely have some ideas.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Sep 6 '13 at 20:55









    voretaq7voretaq7

    74.9k14116200




    74.9k14116200












    • Thanks for the quick answer. I believe that I can eliminate #1 and #2 because every time this happens, I eventually remove the old key and add the new key to my known_hosts file during troubleshooting, which sometimes then allows me to log in with pubkey authentication, and other times (usually from my Windows machine) it still gives me trouble. But none-the-less, I eventually get it working from everywhere, and then some period of time goes by and I get another warning like this. It does lead me to think it could be #3, but so far I don't see any evidence of it

      – Ben
      Sep 6 '13 at 22:06












    • And it also seems strange that this coincided with me changing the sshd config (but then changing it back--even diffing the file with the original shows no changes) and only started giving me trouble after that. I thought maybe I just screwed something up on the machine, but I've re-imaged and re-applied this configuration again (with puppet, but that should have no bearing since puppet isn't making any changes when this issue occurs) and I have the same issue at seemingly random intervals each time.

      – Ben
      Sep 6 '13 at 22:10












    • Another interesting piece of information (maybe) is that sometimes the error is regarding the server's RSA host key, and other times it's regarding the ECDSA host key. Is it normal that it would be checking both types of keys from the same machine?

      – Ben
      Sep 6 '13 at 22:14







    • 1





      @Ben There are other possible causes I haven't listed - but these are the three that I've actually seen in the real world. If you're certain about the configuration state try using ssh-keyscan from some of the affected client machines and check the server logs. Also note that if you're doing something funky like sharing your known_hosts file between different versions of the ssh client that could be a possible cause of this strangeness (I've never done such a thing so I can't say for sure...)

      – voretaq7
      Sep 6 '13 at 22:53






    • 1





      You've helped me narrow this down. I some some additional checking and realized that the nameservers at Rackspace were returning two different records for the same hostname. I don't know where one came from, but it seemed that either one or the other IP would be returned first in the list (seemingly at random). I eventually found and eradicated the stray DNS record and haven't received this problem again since then.

      – Ben
      Sep 10 '13 at 17:50

















    • Thanks for the quick answer. I believe that I can eliminate #1 and #2 because every time this happens, I eventually remove the old key and add the new key to my known_hosts file during troubleshooting, which sometimes then allows me to log in with pubkey authentication, and other times (usually from my Windows machine) it still gives me trouble. But none-the-less, I eventually get it working from everywhere, and then some period of time goes by and I get another warning like this. It does lead me to think it could be #3, but so far I don't see any evidence of it

      – Ben
      Sep 6 '13 at 22:06












    • And it also seems strange that this coincided with me changing the sshd config (but then changing it back--even diffing the file with the original shows no changes) and only started giving me trouble after that. I thought maybe I just screwed something up on the machine, but I've re-imaged and re-applied this configuration again (with puppet, but that should have no bearing since puppet isn't making any changes when this issue occurs) and I have the same issue at seemingly random intervals each time.

      – Ben
      Sep 6 '13 at 22:10












    • Another interesting piece of information (maybe) is that sometimes the error is regarding the server's RSA host key, and other times it's regarding the ECDSA host key. Is it normal that it would be checking both types of keys from the same machine?

      – Ben
      Sep 6 '13 at 22:14







    • 1





      @Ben There are other possible causes I haven't listed - but these are the three that I've actually seen in the real world. If you're certain about the configuration state try using ssh-keyscan from some of the affected client machines and check the server logs. Also note that if you're doing something funky like sharing your known_hosts file between different versions of the ssh client that could be a possible cause of this strangeness (I've never done such a thing so I can't say for sure...)

      – voretaq7
      Sep 6 '13 at 22:53






    • 1





      You've helped me narrow this down. I some some additional checking and realized that the nameservers at Rackspace were returning two different records for the same hostname. I don't know where one came from, but it seemed that either one or the other IP would be returned first in the list (seemingly at random). I eventually found and eradicated the stray DNS record and haven't received this problem again since then.

      – Ben
      Sep 10 '13 at 17:50
















    Thanks for the quick answer. I believe that I can eliminate #1 and #2 because every time this happens, I eventually remove the old key and add the new key to my known_hosts file during troubleshooting, which sometimes then allows me to log in with pubkey authentication, and other times (usually from my Windows machine) it still gives me trouble. But none-the-less, I eventually get it working from everywhere, and then some period of time goes by and I get another warning like this. It does lead me to think it could be #3, but so far I don't see any evidence of it

    – Ben
    Sep 6 '13 at 22:06






    Thanks for the quick answer. I believe that I can eliminate #1 and #2 because every time this happens, I eventually remove the old key and add the new key to my known_hosts file during troubleshooting, which sometimes then allows me to log in with pubkey authentication, and other times (usually from my Windows machine) it still gives me trouble. But none-the-less, I eventually get it working from everywhere, and then some period of time goes by and I get another warning like this. It does lead me to think it could be #3, but so far I don't see any evidence of it

    – Ben
    Sep 6 '13 at 22:06














    And it also seems strange that this coincided with me changing the sshd config (but then changing it back--even diffing the file with the original shows no changes) and only started giving me trouble after that. I thought maybe I just screwed something up on the machine, but I've re-imaged and re-applied this configuration again (with puppet, but that should have no bearing since puppet isn't making any changes when this issue occurs) and I have the same issue at seemingly random intervals each time.

    – Ben
    Sep 6 '13 at 22:10






    And it also seems strange that this coincided with me changing the sshd config (but then changing it back--even diffing the file with the original shows no changes) and only started giving me trouble after that. I thought maybe I just screwed something up on the machine, but I've re-imaged and re-applied this configuration again (with puppet, but that should have no bearing since puppet isn't making any changes when this issue occurs) and I have the same issue at seemingly random intervals each time.

    – Ben
    Sep 6 '13 at 22:10














    Another interesting piece of information (maybe) is that sometimes the error is regarding the server's RSA host key, and other times it's regarding the ECDSA host key. Is it normal that it would be checking both types of keys from the same machine?

    – Ben
    Sep 6 '13 at 22:14






    Another interesting piece of information (maybe) is that sometimes the error is regarding the server's RSA host key, and other times it's regarding the ECDSA host key. Is it normal that it would be checking both types of keys from the same machine?

    – Ben
    Sep 6 '13 at 22:14





    1




    1





    @Ben There are other possible causes I haven't listed - but these are the three that I've actually seen in the real world. If you're certain about the configuration state try using ssh-keyscan from some of the affected client machines and check the server logs. Also note that if you're doing something funky like sharing your known_hosts file between different versions of the ssh client that could be a possible cause of this strangeness (I've never done such a thing so I can't say for sure...)

    – voretaq7
    Sep 6 '13 at 22:53





    @Ben There are other possible causes I haven't listed - but these are the three that I've actually seen in the real world. If you're certain about the configuration state try using ssh-keyscan from some of the affected client machines and check the server logs. Also note that if you're doing something funky like sharing your known_hosts file between different versions of the ssh client that could be a possible cause of this strangeness (I've never done such a thing so I can't say for sure...)

    – voretaq7
    Sep 6 '13 at 22:53




    1




    1





    You've helped me narrow this down. I some some additional checking and realized that the nameservers at Rackspace were returning two different records for the same hostname. I don't know where one came from, but it seemed that either one or the other IP would be returned first in the list (seemingly at random). I eventually found and eradicated the stray DNS record and haven't received this problem again since then.

    – Ben
    Sep 10 '13 at 17:50





    You've helped me narrow this down. I some some additional checking and realized that the nameservers at Rackspace were returning two different records for the same hostname. I don't know where one came from, but it seemed that either one or the other IP would be returned first in the list (seemingly at random). I eventually found and eradicated the stray DNS record and haven't received this problem again since then.

    – Ben
    Sep 10 '13 at 17:50













    0














    if possible/for testing/debug:



    • use IPs instead of hostnames (just to make sure)

    • are there multiple machines having the same IP (DHCP gave IP that was used by another host with fixed IP) on the net?

    • if machines are using DHCP, their IPs can change at random times (order of bootup etc) maybe you are now trying to connect to a different host - enable password auth and see where you land.

    • on the client cat /home/username/.ssh/known_hosts look for lines with duplicate keys but different ips/hostnames

    for example:



    192.168.56.3 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
    192.168.56.4 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=





    share|improve this answer



























      0














      if possible/for testing/debug:



      • use IPs instead of hostnames (just to make sure)

      • are there multiple machines having the same IP (DHCP gave IP that was used by another host with fixed IP) on the net?

      • if machines are using DHCP, their IPs can change at random times (order of bootup etc) maybe you are now trying to connect to a different host - enable password auth and see where you land.

      • on the client cat /home/username/.ssh/known_hosts look for lines with duplicate keys but different ips/hostnames

      for example:



      192.168.56.3 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
      192.168.56.4 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=





      share|improve this answer

























        0












        0








        0







        if possible/for testing/debug:



        • use IPs instead of hostnames (just to make sure)

        • are there multiple machines having the same IP (DHCP gave IP that was used by another host with fixed IP) on the net?

        • if machines are using DHCP, their IPs can change at random times (order of bootup etc) maybe you are now trying to connect to a different host - enable password auth and see where you land.

        • on the client cat /home/username/.ssh/known_hosts look for lines with duplicate keys but different ips/hostnames

        for example:



        192.168.56.3 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
        192.168.56.4 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=





        share|improve this answer













        if possible/for testing/debug:



        • use IPs instead of hostnames (just to make sure)

        • are there multiple machines having the same IP (DHCP gave IP that was used by another host with fixed IP) on the net?

        • if machines are using DHCP, their IPs can change at random times (order of bootup etc) maybe you are now trying to connect to a different host - enable password auth and see where you land.

        • on the client cat /home/username/.ssh/known_hosts look for lines with duplicate keys but different ips/hostnames

        for example:



        192.168.56.3 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
        192.168.56.4 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=






        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Jun 2 at 9:38









        canoodlecanoodle

        283




        283



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Server Fault!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f537035%2fssh-host-key-seems-to-be-changing-unexpectedly%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Wikipedia:Vital articles Мазмуну Biography - Өмүр баян Philosophy and psychology - Философия жана психология Religion - Дин Social sciences - Коомдук илимдер Language and literature - Тил жана адабият Science - Илим Technology - Технология Arts and recreation - Искусство жана эс алуу History and geography - Тарых жана география Навигация менюсу

            Image
            centralized watchlist Wikipedia:Vital articles Wikipedia дан Jump to navigation Jump to search This is a list of basic subjects for which Wikipedia should have a corresponding high-quality article, and ideally a featured article. It also serves as a centralized watchlist and tracks the status of some of Wikipedia's most essential articles. Ideally this page should list approximately 1,000 of the most vital Wikipedia articles. Мазмуну 1 Biography - Өмүр баян 1.1 Actors, dancers and models - Актёрлор, бийчилер жана моделдер 1.2 Artists and architects - Сүрөтчүлөр жана архитекторлор 1.3 Authors, playwrights and poets - Жазуучулар, драматургдар жана акындар 1.4 Composers and musicians - Композиторлор жана музыканттар 1.5 Explorers and travelers - Изилдөөчүлөр менен саякатчылар 1.6 Film directors and screenwriters - Режиссёрлор жана сценаристтер 1.7 Inventors, scientists and mathematicians - Ойлоп табуучулар, окумуштуулар жана математиктер
            Read more

            Club Baloncesto Breogán Índice Historia | Pavillón | Nome | O Breogán na cultura popular | Xogadores | Adestradores | Presidentes | Palmarés | Historial | Líderes | Notas | Véxase tamén | Menú de navegacióncbbreogan.galCadroGuía oficial da ACB 2009-10, páxina 201Guía oficial ACB 1992, páxina 183. Editorial DB.É de 6.500 espectadores sentados axeitándose á última normativa"Estudiantes Junior, entre as mellores canteiras"o orixinalHemeroteca El Mundo Deportivo, 16 setembro de 1970, páxina 12Historia do BreogánAlfredo Pérez, o último canoneiroHistoria C.B. BreogánHemeroteca de El Mundo DeportivoJimmy Wright, norteamericano do Breogán deixará Lugo por ameazas de morteResultados de Breogán en 1986-87Resultados de Breogán en 1990-91Ficha de Velimir Perasović en acb.comResultados de Breogán en 1994-95Breogán arrasa al Barça. "El Mundo Deportivo", 27 de setembro de 1999, páxina 58CB Breogán - FC BarcelonaA FEB invita a participar nunha nova Liga EuropeaCharlie Bell na prensa estatalMáximos anotadores 2005Tempada 2005-06 : Tódolos Xogadores da Xornada""Non quero pensar nunha man negra, mais pregúntome que está a pasar""o orixinalRaúl López, orgulloso dos xogadores, presume da boa saúde económica do BreogánJulio González confirma que cesa como presidente del BreogánHomenaxe a Lisardo GómezA tempada do rexurdimento celesteEntrevista a Lisardo GómezEl COB dinamita el Pazo para forzar el quinto (69-73)Cafés Candelas, patrocinador del CB Breogán"Suso Lázare, novo presidente do Breogán"o orixinalCafés Candelas Breogán firma el mayor triunfo de la historiaEl Breogán realizará 17 homenajes por su cincuenta aniversario"O Breogán honra ao seu fundador e primeiro presidente"o orixinalMiguel Giao recibiu a homenaxe do PazoHomenaxe aos primeiros gladiadores celestesO home que nos amosa como ver o Breo co corazónTita Franco será homenaxeada polos #50anosdeBreoJulio Vila recibirá unha homenaxe in memoriam polos #50anosdeBreo"O Breogán homenaxeará aos seus aboados máis veteráns"Pechada ovación a «Capi» Sanmartín e Ricardo «Corazón de González»Homenaxe por décadas de informaciónPaco García volve ao Pazo con motivo do 50 aniversario"Resultados y clasificaciones""O Cafés Candelas Breogán, campión da Copa Princesa""O Cafés Candelas Breogán, equipo ACB"C.B. Breogán"Proxecto social"o orixinal"Centros asociados"o orixinalFicha en imdb.comMario Camus trata la recuperación del amor en 'La vieja música', su última película"Páxina web oficial""Club Baloncesto Breogán""C. B. Breogán S.A.D."eehttp://www.fegaba.com

            Image
            Barça LassaBAXI ManresaCafés Candelas BreogánDelteco GBCDivina Seguros JoventutHerbalife Gran CanariaIberostar TenerifeKirolbet BaskoniaMonbus ObradoiroMontakit FuenlabradaMoraBanc AndorraMovistar EstudiantesReal MadridSan Pablo BurgosTecnyconta ZaragozaUCAM MurciaUnicajaValencia Basket Club Baloncesto Breogán baloncestoLugoGalicia1966JuanJosé Ramón Varela Portasmáxima categoría1970competicións europeasLiga ACBPavillón MunicipalPazo dos DeportesJesús Lázareliga EBAClub Estudiantes1965Lugobaloncestosegunda divisiónJosé RamónJuan Varela-Portas y Pardo1966Celestino Fernández de la Vega196869primeira divisiónZaragozaprimeira divisiónReal MadridJoventutEstudiantes19701971máxima categoría estatal11 de outubro1970Palacio dos DeportesLugoTenerifeMadridReal MadridAlfredo PérezBreogán19711972TenerifeMadridvascocatalánAlfredo PérezespañolMadridLugoManresa La Casera19741975Asociación de Clubs de Baloncesto1974primeira división1975197621 de decembroJoventuteuropeosLugoEstudiantes MonteverdeC.B. Val
            Read more

            What should I write in an apology letter, since I have decided not to join a company after accepting an offer letterShould I keep looking after accepting a job offer?What should I do when I've been verbally told I would get an offer letter, but still haven't gotten one after 4 weeks?Do I accept an offer from a company that I am not likely to join?New job hasn't confirmed starting date and I want to give current employer as much notice as possibleHow should I address my manager in my resignation letter?HR delayed background verification, now jobless as resignedNo email communication after accepting a formal written offer. How should I phrase the call?What should I do if after receiving a verbal offer letter I am informed that my written job offer is put on hold due to some internal issues?Should I inform the current employer that I am about to resign within 1-2 weeks since I have signed the offer letter and waiting for visa?What company will do, if I send their offer letter to another company

            Image
            When is the original BFGS algorithm still better than the Limited-Memory version? How well known and how commonly used was Huffman coding in 1979? Inverse-quotes-quine Can the US president have someone sent to jail? Employer wants to use my work email account after I quit, is this legal under German law? Is this a GDPR waiver? Do French speakers not use the subjunctive informally? Low-gravity Bronze Age fortifications Does ultrasonic bath cleaning damage laboratory volumetric glassware calibration? Why do some games show lights shine through walls? Unusual mail headers, evidence of an attempted attack. Have I been pwned? Smooth Julia set for quadratic polynomials Require advice on power conservation for backpacking trip Dimensions of list used in test C-152 carb heat on before landing in hot weather? Is my Rep in Stack-Exchange Form? What happens when your group is victim of a surprise attack but you can't be surprised? How come I was asked by a CBP
            Read more