SSH host key seems to be changing unexpectedlySmoothest workflow to handle SSH host verification errors?Google cloud server ssh host key changed unexpectedly?Installing ssh key“Add correct host key in known_hosts” / multiple ssh host keys per hostname?Disable specific OpenSSH host keysssh server: could not load host keySsh host key verificationIgnore or replace host key if it differsSSH: Safe for client to host private RSA key?What significance does the user/host at the end of an SSH public key file hold?ssh-keyscan does not reveal DSA ssh-dss keyRequire SSH key + Google Authenticator for one account, SSH key only for another
What is the maximum that Player 1 can win?
Why do you need to heat the pan before heating the olive oil?
What is that ceiling compartment of a Boeing 737?
Explicit song lyrics checker
I just entered the USA without passport control at Atlanta airport
How can a clan of females defend themselves in the ancient world against wandering bands?
Densest sphere packing
How is the idea of "girlfriend material" naturally expressed in Russian?
Am I legally required to provide a (GPL licensed) source code even after a project is abandoned?
How can I restore a master database from its bak file?
King or Queen-Which piece is which?
What does it cost to buy a tavern?
Draw a symmetric alien head
Is there any way to revive my Sim?
Can I apply for a working holiday visa at age 30 and get the full 12 months?
Are intrusions within a foreign embassy considered an act of war?
How can the US president give an order to a civilian?
Why is Havana covered in 5-digit numbers in Our Man in Havana?
Can a character learn spells from someone else's spellbook and then sell it?
Syntax and semantics of XDV commands (XeTeX)
Story of a Witch Boy
Why things float in space, though there is always gravity of our star is present
Would a 7805 5 V regulator drain a 9 V battery?
Are there examples of rowers who also fought?
SSH host key seems to be changing unexpectedly
Smoothest workflow to handle SSH host verification errors?Google cloud server ssh host key changed unexpectedly?Installing ssh key“Add correct host key in known_hosts” / multiple ssh host keys per hostname?Disable specific OpenSSH host keysssh server: could not load host keySsh host key verificationIgnore or replace host key if it differsSSH: Safe for client to host private RSA key?What significance does the user/host at the end of an SSH public key file hold?ssh-keyscan does not reveal DSA ssh-dss keyRequire SSH key + Google Authenticator for one account, SSH key only for another
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I rolled out a new /etc/ssh/sshd_config with Puppet on an Ubuntu 12.04 test server. The config was exactly the same as the previous config, except it had removed the following line:
HostKey /etc/ssh/ssh_host_ecdsa_key
I noticed I was getting a lot of similar but varying errors trying to connect to the box starting then, such as:
"The RSA host key for %hostname% has changed,
and the key for the corresponding IP address %ipaddress%
is unchanged."
I assumed this was because my computer was previously using the ECDSA key by default and that was unavailable now. So I added that line back to sshd_config and restarted SSH.
It did not resolve the issue entirely, and I am running into constant problems ever since then. I'll be able to connect to the server just fine several times, maybe even for several days in a row. Then all of a sudden I start getting errors that the host key has changed and the server stops accepting my public key for authentication.
It always seems that once I mess around with it for a little while and connect from a different location, I will suddenly be able to connect with my public key again and I no longer get the error about a possible man-in-the-middle attack.
I tried regenerating all 3 host keys several days ago (removed them and ran dpkg-reconfigure openssh-server which regenerated them). As expected I had to remove the old keys and accept the new ones before I could connect. I thought maybe it was fixed then, but the problem is now back.
Nothing has modified any of the host keys in /etc/ssh/ since I regenerated them last--so what could possibly cause me to frequently not be able to connect, have my public key not work, then eventually accept the new key and have things start working fine again for a while?
When things are not working (when I get the error about the host key changing, and then the server stops accepting my public key), nothing is written to the server's /var/log/auth.log. This leads me to think that maybe it's somehow hitting a different machine sometimes, but I don't know how that's possible either as the DNS entry is correct and always returns the same IP address.
ubuntu ssh ssh-keys hostkey
edited Feb 7 '17 at 18:36
Zaz
5481415
asked Sep 6 '13 at 19:14
BenBen
3815
add a comment |
I rolled out a new /etc/ssh/sshd_config with Puppet on an Ubuntu 12.04 test server. The config was exactly the same as the previous config, except it had removed the following line:
HostKey /etc/ssh/ssh_host_ecdsa_key
I noticed I was getting a lot of similar but varying errors trying to connect to the box starting then, such as:
"The RSA host key for %hostname% has changed,
and the key for the corresponding IP address %ipaddress%
is unchanged."
I assumed this was because my computer was previously using the ECDSA key by default and that was unavailable now. So I added that line back to sshd_config and restarted SSH.
It did not resolve the issue entirely, and I am running into constant problems ever since then. I'll be able to connect to the server just fine several times, maybe even for several days in a row. Then all of a sudden I start getting errors that the host key has changed and the server stops accepting my public key for authentication.
It always seems that once I mess around with it for a little while and connect from a different location, I will suddenly be able to connect with my public key again and I no longer get the error about a possible man-in-the-middle attack.
I tried regenerating all 3 host keys several days ago (removed them and ran dpkg-reconfigure openssh-server which regenerated them). As expected I had to remove the old keys and accept the new ones before I could connect. I thought maybe it was fixed then, but the problem is now back.
Nothing has modified any of the host keys in /etc/ssh/ since I regenerated them last--so what could possibly cause me to frequently not be able to connect, have my public key not work, then eventually accept the new key and have things start working fine again for a while?
When things are not working (when I get the error about the host key changing, and then the server stops accepting my public key), nothing is written to the server's /var/log/auth.log. This leads me to think that maybe it's somehow hitting a different machine sometimes, but I don't know how that's possible either as the DNS entry is correct and always returns the same IP address.
ubuntu ssh ssh-keys hostkey
edited Feb 7 '17 at 18:36
Zaz
5481415
asked Sep 6 '13 at 19:14
BenBen
3815
Related: serverfault.com/questions/416779/…
– Zoredache
Sep 6 '13 at 23:08
It is related, but my question is more about why this problem keeps recurring when the server's keys aren't changing, rather than what to do when I get the error.
– Ben
Sep 8 '13 at 2:29
add a comment |
I rolled out a new /etc/ssh/sshd_config with Puppet on an Ubuntu 12.04 test server. The config was exactly the same as the previous config, except it had removed the following line:
HostKey /etc/ssh/ssh_host_ecdsa_key
I noticed I was getting a lot of similar but varying errors trying to connect to the box starting then, such as:
"The RSA host key for %hostname% has changed,
and the key for the corresponding IP address %ipaddress%
is unchanged."
I assumed this was because my computer was previously using the ECDSA key by default and that was unavailable now. So I added that line back to sshd_config and restarted SSH.
It did not resolve the issue entirely, and I am running into constant problems ever since then. I'll be able to connect to the server just fine several times, maybe even for several days in a row. Then all of a sudden I start getting errors that the host key has changed and the server stops accepting my public key for authentication.
It always seems that once I mess around with it for a little while and connect from a different location, I will suddenly be able to connect with my public key again and I no longer get the error about a possible man-in-the-middle attack.
I tried regenerating all 3 host keys several days ago (removed them and ran dpkg-reconfigure openssh-server which regenerated them). As expected I had to remove the old keys and accept the new ones before I could connect. I thought maybe it was fixed then, but the problem is now back.
Nothing has modified any of the host keys in /etc/ssh/ since I regenerated them last--so what could possibly cause me to frequently not be able to connect, have my public key not work, then eventually accept the new key and have things start working fine again for a while?
When things are not working (when I get the error about the host key changing, and then the server stops accepting my public key), nothing is written to the server's /var/log/auth.log. This leads me to think that maybe it's somehow hitting a different machine sometimes, but I don't know how that's possible either as the DNS entry is correct and always returns the same IP address.
ubuntu ssh ssh-keys hostkey
edited Feb 7 '17 at 18:36
Zaz
5481415
asked Sep 6 '13 at 19:14
BenBen
3815
I rolled out a new /etc/ssh/sshd_config with Puppet on an Ubuntu 12.04 test server. The config was exactly the same as the previous config, except it had removed the following line:
HostKey /etc/ssh/ssh_host_ecdsa_key
I noticed I was getting a lot of similar but varying errors trying to connect to the box starting then, such as:
"The RSA host key for %hostname% has changed,
and the key for the corresponding IP address %ipaddress%
is unchanged."
I assumed this was because my computer was previously using the ECDSA key by default and that was unavailable now. So I added that line back to sshd_config and restarted SSH.
It did not resolve the issue entirely, and I am running into constant problems ever since then. I'll be able to connect to the server just fine several times, maybe even for several days in a row. Then all of a sudden I start getting errors that the host key has changed and the server stops accepting my public key for authentication.
It always seems that once I mess around with it for a little while and connect from a different location, I will suddenly be able to connect with my public key again and I no longer get the error about a possible man-in-the-middle attack.
I tried regenerating all 3 host keys several days ago (removed them and ran dpkg-reconfigure openssh-server which regenerated them). As expected I had to remove the old keys and accept the new ones before I could connect. I thought maybe it was fixed then, but the problem is now back.
Nothing has modified any of the host keys in /etc/ssh/ since I regenerated them last--so what could possibly cause me to frequently not be able to connect, have my public key not work, then eventually accept the new key and have things start working fine again for a while?
When things are not working (when I get the error about the host key changing, and then the server stops accepting my public key), nothing is written to the server's /var/log/auth.log. This leads me to think that maybe it's somehow hitting a different machine sometimes, but I don't know how that's possible either as the DNS entry is correct and always returns the same IP address.
ubuntu ssh ssh-keys hostkey
ubuntu ssh ssh-keys hostkey
edited Feb 7 '17 at 18:36
Zaz
5481415
asked Sep 6 '13 at 19:14
BenBen
3815
edited Feb 7 '17 at 18:36
Zaz
5481415
asked Sep 6 '13 at 19:14
BenBen
3815
edited Feb 7 '17 at 18:36
Zaz
5481415
edited Feb 7 '17 at 18:36
Zaz
5481415
edited Feb 7 '17 at 18:36
Zaz
5481415
5481415
asked Sep 6 '13 at 19:14
BenBen
3815
asked Sep 6 '13 at 19:14
BenBen
3815
asked Sep 6 '13 at 19:14
BenBen
3815
3815
Related: serverfault.com/questions/416779/…
– Zoredache
Sep 6 '13 at 23:08
It is related, but my question is more about why this problem keeps recurring when the server's keys aren't changing, rather than what to do when I get the error.
– Ben
Sep 8 '13 at 2:29
add a comment |
Related: serverfault.com/questions/416779/…
– Zoredache
Sep 6 '13 at 23:08
It is related, but my question is more about why this problem keeps recurring when the server's keys aren't changing, rather than what to do when I get the error.
– Ben
Sep 8 '13 at 2:29
Related: serverfault.com/questions/416779/…
– Zoredache
Sep 6 '13 at 23:08
Related: serverfault.com/questions/416779/…
– Zoredache
Sep 6 '13 at 23:08
It is related, but my question is more about why this problem keeps recurring when the server's keys aren't changing, rather than what to do when I get the error.
– Ben
Sep 8 '13 at 2:29
It is related, but my question is more about why this problem keeps recurring when the server's keys aren't changing, rather than what to do when I get the error.
– Ben
Sep 8 '13 at 2:29
add a comment |
2 Answers
2
active
oldest
votes
There are three common reasons you would be getting that message.
In rough order of probability they are:
You have changed the host keys yourself, and didn't clear or update them on your client machines.
This is the most common situation. Checksum the key files and be ABSOLUTELY CERTAIN they haven't changed.You have changed your SSH configuration to present (or request) a different key type than before.
e.g. you previously wanted RSA or DSA keys, now you use ECDSA -- that's a "key change".
If this is the case, verify and accept the new keys (or if this isn't what you wanted, undo the change).
(It sounds like you're in situation #2 -- Undo your changes, restart sshd, and verify that things work as expected. If you haven't accepted the new keys anywhere undoing the change should make the error go away.)SOMEONE IS DOING SOMETHING NASTY
The Man-in-the-Middle attack SSH warns you about has reared its ugly head. Someone is actively trying to intercept your communication to steal your private key or do something else you almost certainly don't want them to be doing.
If you've eliminated 1, and you are certain you didn't do 2, it behooves you to assume 3 until you can prove otherwise. That means Don't log in. -- All the SSH security in the world doesn't help when users ignore the big giant warning banner and hand their keys over to attackers.
Investigate the channel between you and your server, check the server's connection logs (from a known good terminal) while you try to log in, etc. -- there are so many ways to execute an attack here that I can't enumerate all the possible countermeasures and detection strategies, but the folks over at IT Security would surely have some ideas.
answered Sep 6 '13 at 20:55
voretaq7voretaq7
74.9k14116200
Thanks for the quick answer. I believe that I can eliminate #1 and #2 because every time this happens, I eventually remove the old key and add the new key to my known_hosts file during troubleshooting, which sometimes then allows me to log in with pubkey authentication, and other times (usually from my Windows machine) it still gives me trouble. But none-the-less, I eventually get it working from everywhere, and then some period of time goes by and I get another warning like this. It does lead me to think it could be #3, but so far I don't see any evidence of it
– Ben
Sep 6 '13 at 22:06
And it also seems strange that this coincided with me changing the sshd config (but then changing it back--even diffing the file with the original shows no changes) and only started giving me trouble after that. I thought maybe I just screwed something up on the machine, but I've re-imaged and re-applied this configuration again (with puppet, but that should have no bearing since puppet isn't making any changes when this issue occurs) and I have the same issue at seemingly random intervals each time.
– Ben
Sep 6 '13 at 22:10
Another interesting piece of information (maybe) is that sometimes the error is regarding the server's RSA host key, and other times it's regarding the ECDSA host key. Is it normal that it would be checking both types of keys from the same machine?
– Ben
Sep 6 '13 at 22:14
1
@Ben There are other possible causes I haven't listed - but these are the three that I've actually seen in the real world. If you're certain about the configuration state try usingssh-keyscanfrom some of the affected client machines and check the server logs. Also note that if you're doing something funky like sharing yourknown_hostsfile between different versions of the ssh client that could be a possible cause of this strangeness (I've never done such a thing so I can't say for sure...)
– voretaq7
Sep 6 '13 at 22:53
1
You've helped me narrow this down. I some some additional checking and realized that the nameservers at Rackspace were returning two different records for the same hostname. I don't know where one came from, but it seemed that either one or the other IP would be returned first in the list (seemingly at random). I eventually found and eradicated the stray DNS record and haven't received this problem again since then.
– Ben
Sep 10 '13 at 17:50
|
show 3 more comments
if possible/for testing/debug:
- use IPs instead of hostnames (just to make sure)
- are there multiple machines having the same IP (DHCP gave IP that was used by another host with fixed IP) on the net?
- if machines are using DHCP, their IPs can change at random times (order of bootup etc) maybe you are now trying to connect to a different host - enable password auth and see where you land.
- on the client cat /home/username/.ssh/known_hosts look for lines with duplicate keys but different ips/hostnames
for example:
192.168.56.3 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
192.168.56.4 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
answered Jun 2 at 9:38
canoodlecanoodle
283
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f537035%2fssh-host-key-seems-to-be-changing-unexpectedly%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
There are three common reasons you would be getting that message.
In rough order of probability they are:
You have changed the host keys yourself, and didn't clear or update them on your client machines.
This is the most common situation. Checksum the key files and be ABSOLUTELY CERTAIN they haven't changed.You have changed your SSH configuration to present (or request) a different key type than before.
e.g. you previously wanted RSA or DSA keys, now you use ECDSA -- that's a "key change".
If this is the case, verify and accept the new keys (or if this isn't what you wanted, undo the change).
(It sounds like you're in situation #2 -- Undo your changes, restart sshd, and verify that things work as expected. If you haven't accepted the new keys anywhere undoing the change should make the error go away.)SOMEONE IS DOING SOMETHING NASTY
The Man-in-the-Middle attack SSH warns you about has reared its ugly head. Someone is actively trying to intercept your communication to steal your private key or do something else you almost certainly don't want them to be doing.
If you've eliminated 1, and you are certain you didn't do 2, it behooves you to assume 3 until you can prove otherwise. That means Don't log in. -- All the SSH security in the world doesn't help when users ignore the big giant warning banner and hand their keys over to attackers.
Investigate the channel between you and your server, check the server's connection logs (from a known good terminal) while you try to log in, etc. -- there are so many ways to execute an attack here that I can't enumerate all the possible countermeasures and detection strategies, but the folks over at IT Security would surely have some ideas.
answered Sep 6 '13 at 20:55
voretaq7voretaq7
74.9k14116200
Thanks for the quick answer. I believe that I can eliminate #1 and #2 because every time this happens, I eventually remove the old key and add the new key to my known_hosts file during troubleshooting, which sometimes then allows me to log in with pubkey authentication, and other times (usually from my Windows machine) it still gives me trouble. But none-the-less, I eventually get it working from everywhere, and then some period of time goes by and I get another warning like this. It does lead me to think it could be #3, but so far I don't see any evidence of it
– Ben
Sep 6 '13 at 22:06
And it also seems strange that this coincided with me changing the sshd config (but then changing it back--even diffing the file with the original shows no changes) and only started giving me trouble after that. I thought maybe I just screwed something up on the machine, but I've re-imaged and re-applied this configuration again (with puppet, but that should have no bearing since puppet isn't making any changes when this issue occurs) and I have the same issue at seemingly random intervals each time.
– Ben
Sep 6 '13 at 22:10
Another interesting piece of information (maybe) is that sometimes the error is regarding the server's RSA host key, and other times it's regarding the ECDSA host key. Is it normal that it would be checking both types of keys from the same machine?
– Ben
Sep 6 '13 at 22:14
1
@Ben There are other possible causes I haven't listed - but these are the three that I've actually seen in the real world. If you're certain about the configuration state try usingssh-keyscanfrom some of the affected client machines and check the server logs. Also note that if you're doing something funky like sharing yourknown_hostsfile between different versions of the ssh client that could be a possible cause of this strangeness (I've never done such a thing so I can't say for sure...)
– voretaq7
Sep 6 '13 at 22:53
1
You've helped me narrow this down. I some some additional checking and realized that the nameservers at Rackspace were returning two different records for the same hostname. I don't know where one came from, but it seemed that either one or the other IP would be returned first in the list (seemingly at random). I eventually found and eradicated the stray DNS record and haven't received this problem again since then.
– Ben
Sep 10 '13 at 17:50
|
show 3 more comments
There are three common reasons you would be getting that message.
In rough order of probability they are:
You have changed the host keys yourself, and didn't clear or update them on your client machines.
This is the most common situation. Checksum the key files and be ABSOLUTELY CERTAIN they haven't changed.You have changed your SSH configuration to present (or request) a different key type than before.
e.g. you previously wanted RSA or DSA keys, now you use ECDSA -- that's a "key change".
If this is the case, verify and accept the new keys (or if this isn't what you wanted, undo the change).
(It sounds like you're in situation #2 -- Undo your changes, restart sshd, and verify that things work as expected. If you haven't accepted the new keys anywhere undoing the change should make the error go away.)SOMEONE IS DOING SOMETHING NASTY
The Man-in-the-Middle attack SSH warns you about has reared its ugly head. Someone is actively trying to intercept your communication to steal your private key or do something else you almost certainly don't want them to be doing.
If you've eliminated 1, and you are certain you didn't do 2, it behooves you to assume 3 until you can prove otherwise. That means Don't log in. -- All the SSH security in the world doesn't help when users ignore the big giant warning banner and hand their keys over to attackers.
Investigate the channel between you and your server, check the server's connection logs (from a known good terminal) while you try to log in, etc. -- there are so many ways to execute an attack here that I can't enumerate all the possible countermeasures and detection strategies, but the folks over at IT Security would surely have some ideas.
answered Sep 6 '13 at 20:55
voretaq7voretaq7
74.9k14116200
Thanks for the quick answer. I believe that I can eliminate #1 and #2 because every time this happens, I eventually remove the old key and add the new key to my known_hosts file during troubleshooting, which sometimes then allows me to log in with pubkey authentication, and other times (usually from my Windows machine) it still gives me trouble. But none-the-less, I eventually get it working from everywhere, and then some period of time goes by and I get another warning like this. It does lead me to think it could be #3, but so far I don't see any evidence of it
– Ben
Sep 6 '13 at 22:06
And it also seems strange that this coincided with me changing the sshd config (but then changing it back--even diffing the file with the original shows no changes) and only started giving me trouble after that. I thought maybe I just screwed something up on the machine, but I've re-imaged and re-applied this configuration again (with puppet, but that should have no bearing since puppet isn't making any changes when this issue occurs) and I have the same issue at seemingly random intervals each time.
– Ben
Sep 6 '13 at 22:10
Another interesting piece of information (maybe) is that sometimes the error is regarding the server's RSA host key, and other times it's regarding the ECDSA host key. Is it normal that it would be checking both types of keys from the same machine?
– Ben
Sep 6 '13 at 22:14
1
@Ben There are other possible causes I haven't listed - but these are the three that I've actually seen in the real world. If you're certain about the configuration state try usingssh-keyscanfrom some of the affected client machines and check the server logs. Also note that if you're doing something funky like sharing yourknown_hostsfile between different versions of the ssh client that could be a possible cause of this strangeness (I've never done such a thing so I can't say for sure...)
– voretaq7
Sep 6 '13 at 22:53
1
You've helped me narrow this down. I some some additional checking and realized that the nameservers at Rackspace were returning two different records for the same hostname. I don't know where one came from, but it seemed that either one or the other IP would be returned first in the list (seemingly at random). I eventually found and eradicated the stray DNS record and haven't received this problem again since then.
– Ben
Sep 10 '13 at 17:50
|
show 3 more comments
There are three common reasons you would be getting that message.
In rough order of probability they are:
You have changed the host keys yourself, and didn't clear or update them on your client machines.
This is the most common situation. Checksum the key files and be ABSOLUTELY CERTAIN they haven't changed.You have changed your SSH configuration to present (or request) a different key type than before.
e.g. you previously wanted RSA or DSA keys, now you use ECDSA -- that's a "key change".
If this is the case, verify and accept the new keys (or if this isn't what you wanted, undo the change).
(It sounds like you're in situation #2 -- Undo your changes, restart sshd, and verify that things work as expected. If you haven't accepted the new keys anywhere undoing the change should make the error go away.)SOMEONE IS DOING SOMETHING NASTY
The Man-in-the-Middle attack SSH warns you about has reared its ugly head. Someone is actively trying to intercept your communication to steal your private key or do something else you almost certainly don't want them to be doing.
If you've eliminated 1, and you are certain you didn't do 2, it behooves you to assume 3 until you can prove otherwise. That means Don't log in. -- All the SSH security in the world doesn't help when users ignore the big giant warning banner and hand their keys over to attackers.
Investigate the channel between you and your server, check the server's connection logs (from a known good terminal) while you try to log in, etc. -- there are so many ways to execute an attack here that I can't enumerate all the possible countermeasures and detection strategies, but the folks over at IT Security would surely have some ideas.
answered Sep 6 '13 at 20:55
voretaq7voretaq7
74.9k14116200
There are three common reasons you would be getting that message.
In rough order of probability they are:
You have changed the host keys yourself, and didn't clear or update them on your client machines.
This is the most common situation. Checksum the key files and be ABSOLUTELY CERTAIN they haven't changed.You have changed your SSH configuration to present (or request) a different key type than before.
e.g. you previously wanted RSA or DSA keys, now you use ECDSA -- that's a "key change".
If this is the case, verify and accept the new keys (or if this isn't what you wanted, undo the change).
(It sounds like you're in situation #2 -- Undo your changes, restart sshd, and verify that things work as expected. If you haven't accepted the new keys anywhere undoing the change should make the error go away.)SOMEONE IS DOING SOMETHING NASTY
The Man-in-the-Middle attack SSH warns you about has reared its ugly head. Someone is actively trying to intercept your communication to steal your private key or do something else you almost certainly don't want them to be doing.
If you've eliminated 1, and you are certain you didn't do 2, it behooves you to assume 3 until you can prove otherwise. That means Don't log in. -- All the SSH security in the world doesn't help when users ignore the big giant warning banner and hand their keys over to attackers.
Investigate the channel between you and your server, check the server's connection logs (from a known good terminal) while you try to log in, etc. -- there are so many ways to execute an attack here that I can't enumerate all the possible countermeasures and detection strategies, but the folks over at IT Security would surely have some ideas.
answered Sep 6 '13 at 20:55
voretaq7voretaq7
74.9k14116200
answered Sep 6 '13 at 20:55
voretaq7voretaq7
74.9k14116200
answered Sep 6 '13 at 20:55
voretaq7voretaq7
74.9k14116200
answered Sep 6 '13 at 20:55
voretaq7voretaq7
74.9k14116200
74.9k14116200
Thanks for the quick answer. I believe that I can eliminate #1 and #2 because every time this happens, I eventually remove the old key and add the new key to my known_hosts file during troubleshooting, which sometimes then allows me to log in with pubkey authentication, and other times (usually from my Windows machine) it still gives me trouble. But none-the-less, I eventually get it working from everywhere, and then some period of time goes by and I get another warning like this. It does lead me to think it could be #3, but so far I don't see any evidence of it
– Ben
Sep 6 '13 at 22:06
And it also seems strange that this coincided with me changing the sshd config (but then changing it back--even diffing the file with the original shows no changes) and only started giving me trouble after that. I thought maybe I just screwed something up on the machine, but I've re-imaged and re-applied this configuration again (with puppet, but that should have no bearing since puppet isn't making any changes when this issue occurs) and I have the same issue at seemingly random intervals each time.
– Ben
Sep 6 '13 at 22:10
Another interesting piece of information (maybe) is that sometimes the error is regarding the server's RSA host key, and other times it's regarding the ECDSA host key. Is it normal that it would be checking both types of keys from the same machine?
– Ben
Sep 6 '13 at 22:14
1
@Ben There are other possible causes I haven't listed - but these are the three that I've actually seen in the real world. If you're certain about the configuration state try usingssh-keyscanfrom some of the affected client machines and check the server logs. Also note that if you're doing something funky like sharing yourknown_hostsfile between different versions of the ssh client that could be a possible cause of this strangeness (I've never done such a thing so I can't say for sure...)
– voretaq7
Sep 6 '13 at 22:53
1
You've helped me narrow this down. I some some additional checking and realized that the nameservers at Rackspace were returning two different records for the same hostname. I don't know where one came from, but it seemed that either one or the other IP would be returned first in the list (seemingly at random). I eventually found and eradicated the stray DNS record and haven't received this problem again since then.
– Ben
Sep 10 '13 at 17:50
|
show 3 more comments
Thanks for the quick answer. I believe that I can eliminate #1 and #2 because every time this happens, I eventually remove the old key and add the new key to my known_hosts file during troubleshooting, which sometimes then allows me to log in with pubkey authentication, and other times (usually from my Windows machine) it still gives me trouble. But none-the-less, I eventually get it working from everywhere, and then some period of time goes by and I get another warning like this. It does lead me to think it could be #3, but so far I don't see any evidence of it
– Ben
Sep 6 '13 at 22:06
And it also seems strange that this coincided with me changing the sshd config (but then changing it back--even diffing the file with the original shows no changes) and only started giving me trouble after that. I thought maybe I just screwed something up on the machine, but I've re-imaged and re-applied this configuration again (with puppet, but that should have no bearing since puppet isn't making any changes when this issue occurs) and I have the same issue at seemingly random intervals each time.
– Ben
Sep 6 '13 at 22:10
Another interesting piece of information (maybe) is that sometimes the error is regarding the server's RSA host key, and other times it's regarding the ECDSA host key. Is it normal that it would be checking both types of keys from the same machine?
– Ben
Sep 6 '13 at 22:14
1
@Ben There are other possible causes I haven't listed - but these are the three that I've actually seen in the real world. If you're certain about the configuration state try usingssh-keyscanfrom some of the affected client machines and check the server logs. Also note that if you're doing something funky like sharing yourknown_hostsfile between different versions of the ssh client that could be a possible cause of this strangeness (I've never done such a thing so I can't say for sure...)
– voretaq7
Sep 6 '13 at 22:53
1
You've helped me narrow this down. I some some additional checking and realized that the nameservers at Rackspace were returning two different records for the same hostname. I don't know where one came from, but it seemed that either one or the other IP would be returned first in the list (seemingly at random). I eventually found and eradicated the stray DNS record and haven't received this problem again since then.
– Ben
Sep 10 '13 at 17:50
Thanks for the quick answer. I believe that I can eliminate #1 and #2 because every time this happens, I eventually remove the old key and add the new key to my known_hosts file during troubleshooting, which sometimes then allows me to log in with pubkey authentication, and other times (usually from my Windows machine) it still gives me trouble. But none-the-less, I eventually get it working from everywhere, and then some period of time goes by and I get another warning like this. It does lead me to think it could be #3, but so far I don't see any evidence of it
– Ben
Sep 6 '13 at 22:06
Thanks for the quick answer. I believe that I can eliminate #1 and #2 because every time this happens, I eventually remove the old key and add the new key to my known_hosts file during troubleshooting, which sometimes then allows me to log in with pubkey authentication, and other times (usually from my Windows machine) it still gives me trouble. But none-the-less, I eventually get it working from everywhere, and then some period of time goes by and I get another warning like this. It does lead me to think it could be #3, but so far I don't see any evidence of it
– Ben
Sep 6 '13 at 22:06
And it also seems strange that this coincided with me changing the sshd config (but then changing it back--even diffing the file with the original shows no changes) and only started giving me trouble after that. I thought maybe I just screwed something up on the machine, but I've re-imaged and re-applied this configuration again (with puppet, but that should have no bearing since puppet isn't making any changes when this issue occurs) and I have the same issue at seemingly random intervals each time.
– Ben
Sep 6 '13 at 22:10
And it also seems strange that this coincided with me changing the sshd config (but then changing it back--even diffing the file with the original shows no changes) and only started giving me trouble after that. I thought maybe I just screwed something up on the machine, but I've re-imaged and re-applied this configuration again (with puppet, but that should have no bearing since puppet isn't making any changes when this issue occurs) and I have the same issue at seemingly random intervals each time.
– Ben
Sep 6 '13 at 22:10
Another interesting piece of information (maybe) is that sometimes the error is regarding the server's RSA host key, and other times it's regarding the ECDSA host key. Is it normal that it would be checking both types of keys from the same machine?
– Ben
Sep 6 '13 at 22:14
Another interesting piece of information (maybe) is that sometimes the error is regarding the server's RSA host key, and other times it's regarding the ECDSA host key. Is it normal that it would be checking both types of keys from the same machine?
– Ben
Sep 6 '13 at 22:14
1
1
@Ben There are other possible causes I haven't listed - but these are the three that I've actually seen in the real world. If you're certain about the configuration state try using
ssh-keyscan from some of the affected client machines and check the server logs. Also note that if you're doing something funky like sharing your known_hosts file between different versions of the ssh client that could be a possible cause of this strangeness (I've never done such a thing so I can't say for sure...)– voretaq7
Sep 6 '13 at 22:53
@Ben There are other possible causes I haven't listed - but these are the three that I've actually seen in the real world. If you're certain about the configuration state try using
ssh-keyscan from some of the affected client machines and check the server logs. Also note that if you're doing something funky like sharing your known_hosts file between different versions of the ssh client that could be a possible cause of this strangeness (I've never done such a thing so I can't say for sure...)– voretaq7
Sep 6 '13 at 22:53
1
1
You've helped me narrow this down. I some some additional checking and realized that the nameservers at Rackspace were returning two different records for the same hostname. I don't know where one came from, but it seemed that either one or the other IP would be returned first in the list (seemingly at random). I eventually found and eradicated the stray DNS record and haven't received this problem again since then.
– Ben
Sep 10 '13 at 17:50
You've helped me narrow this down. I some some additional checking and realized that the nameservers at Rackspace were returning two different records for the same hostname. I don't know where one came from, but it seemed that either one or the other IP would be returned first in the list (seemingly at random). I eventually found and eradicated the stray DNS record and haven't received this problem again since then.
– Ben
Sep 10 '13 at 17:50
|
show 3 more comments
if possible/for testing/debug:
- use IPs instead of hostnames (just to make sure)
- are there multiple machines having the same IP (DHCP gave IP that was used by another host with fixed IP) on the net?
- if machines are using DHCP, their IPs can change at random times (order of bootup etc) maybe you are now trying to connect to a different host - enable password auth and see where you land.
- on the client cat /home/username/.ssh/known_hosts look for lines with duplicate keys but different ips/hostnames
for example:
192.168.56.3 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
192.168.56.4 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
answered Jun 2 at 9:38
canoodlecanoodle
283
add a comment |
if possible/for testing/debug:
- use IPs instead of hostnames (just to make sure)
- are there multiple machines having the same IP (DHCP gave IP that was used by another host with fixed IP) on the net?
- if machines are using DHCP, their IPs can change at random times (order of bootup etc) maybe you are now trying to connect to a different host - enable password auth and see where you land.
- on the client cat /home/username/.ssh/known_hosts look for lines with duplicate keys but different ips/hostnames
for example:
192.168.56.3 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
192.168.56.4 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
answered Jun 2 at 9:38
canoodlecanoodle
283
add a comment |
if possible/for testing/debug:
- use IPs instead of hostnames (just to make sure)
- are there multiple machines having the same IP (DHCP gave IP that was used by another host with fixed IP) on the net?
- if machines are using DHCP, their IPs can change at random times (order of bootup etc) maybe you are now trying to connect to a different host - enable password auth and see where you land.
- on the client cat /home/username/.ssh/known_hosts look for lines with duplicate keys but different ips/hostnames
for example:
192.168.56.3 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
192.168.56.4 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
answered Jun 2 at 9:38
canoodlecanoodle
283
if possible/for testing/debug:
- use IPs instead of hostnames (just to make sure)
- are there multiple machines having the same IP (DHCP gave IP that was used by another host with fixed IP) on the net?
- if machines are using DHCP, their IPs can change at random times (order of bootup etc) maybe you are now trying to connect to a different host - enable password auth and see where you land.
- on the client cat /home/username/.ssh/known_hosts look for lines with duplicate keys but different ips/hostnames
for example:
192.168.56.3 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
192.168.56.4 ecdsa-sha2-nistp256 AAAAE2...fPfFAyoGSVAvs=
answered Jun 2 at 9:38
canoodlecanoodle
283
answered Jun 2 at 9:38
canoodlecanoodle
283
answered Jun 2 at 9:38
canoodlecanoodle
283
answered Jun 2 at 9:38
canoodlecanoodle
283
283
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f537035%2fssh-host-key-seems-to-be-changing-unexpectedly%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Related: serverfault.com/questions/416779/…
– Zoredache
Sep 6 '13 at 23:08
It is related, but my question is more about why this problem keeps recurring when the server's keys aren't changing, rather than what to do when I get the error.
– Ben
Sep 8 '13 at 2:29