07-08-2019
Just came across this. One thing to be aware of is that all clients will object when you next try to connect them. They will alert on there being a possible man-in-the-middle attack or a DNS attack that is trying to send you to a different host (as determined by the keys) so you would need to get each client to forget the server keys for the machine(s) you are replacing the keys on and re-validate them all, or manually replace the old key with the new on all the clients.
You need to consider all the names that the clients could refer to the server as, be that IP, local hosts, DNS short name, fully qualified DNS name, DNS alias etc. and look for those in ~/.ssh/known_hosts
You will need to do this for every account on every client, so it is not a thing to be done lightly, especially if there are multiple automated jobs that connect with SSH, SCP, SFTP etc. that you need to ensure are not disrupted.
Sorry if I've made you panic, but better that than a massive failure.
I hope that this helps,
Robin
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Hi, I was wondering how to change the prompt for my ssh login. At the moment it is like
user>
while I'd like it to be as
user@host>
It is in the .bash_profile or .ssh ??? Thanks (2 Replies)
Discussion started by: pmasterkim
2 Replies
2. UNIX for Advanced & Expert Users
Guys
How do i add RSA key for a host ?
I was able to connect to a host some time back but now its not connectable ,via SSH.
Message i get is :
abhi@myHost:~/.ssh> ssh eatcid@yourHost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION... (3 Replies)
Discussion started by: ak835
3 Replies
3. Shell Programming and Scripting
Hi,
I want to use ssh to add a register key on remote ssh server. Since there are space characters in my register key string, it always failed. If there is no space characters in the string, it worked fine. The following is what I have tried. It seems that "ssh" command doesn't care about double... (9 Replies)
Discussion started by: leaftree
9 Replies
4. UNIX for Advanced & Expert Users
I do a ssh to remote host(A1) from local host(L1). I then ssh to another remote(A2) from A1.
When I do a who -m from A2, I see the "connected from" as "A1".
=> who -m
userid pts/2 2010-03-27 08:47 (A1)
I want to identify who is the local host who initiated the connection to... (3 Replies)
Discussion started by: gomes1333
3 Replies
5. Shell Programming and Scripting
Hi,
I am running a script to scp a file from one server to another.
I have created the public/private key and copied the public key to the other server and appended it to authorized_key file.
But i am getting the error message saying "Host Key verification failed" Connection lost.
It works well... (3 Replies)
Discussion started by: ahamed
3 Replies
6. UNIX for Dummies Questions & Answers
Hi,
I am encountering below mentioned exception when I execute my Java program that is supposed to SFTP the file from one server over to another.
Can you please tell me some pointers to resolve this issue?
Exception
HostName- 10.1.1.1 ; userName- bmsftp
log4j:WARN No appenders could be... (0 Replies)
Discussion started by: prashant.ladha
0 Replies
7. Solaris
Hi, I've used the following way to set ssh public key authentication and it is working fine on Solaris 10, RedHat Linux and SuSE Linux servers without any problem. But I got error 'Server refused our key' on Solaris 8 system. Solaris 8 uses SSH2 too. Why? Please help. Thanks.
... (1 Reply)
Discussion started by: aixlover
1 Replies
8. Solaris
It seems I can do ssh <IP> but not ssh <hostname>
If I try to ssh to hostname I get the error - No DSA host key is known for host1 and you have requested strict checking.
Host key verification failed.
Where do I set up the DSA keys? Is it ssh_known_hosts?
Assume afterwards I can... (3 Replies)
Discussion started by: psychocandy
3 Replies
9. UNIX for Beginners Questions & Answers
HI
i am getting host key verification failed error.
# cat id_rsa.pub | ssh root@10.110.51.245 'cat >> .ssh/authorized_keys;exit;'
cat: id_rsa.pub: No such file or directory
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! ... (3 Replies)
Discussion started by: scriptor
3 Replies
10. Forum Support Area for Unregistered Users & Account Problems
I was unable to login and so used the "Forgotten Password' process. I was sent a NEWLY-PROVIDED password and a link through which my password could be changed. The NEWLY-PROVIDED password allowed me to login.
Following the provided link I attempted to update my password to one of my own... (1 Reply)
Discussion started by: Rich Marton
1 Replies
SSHFP(1) Internet / DNS SSHFP(1)
NAME
sshfp - Generate SSHFP DNS records from knownhosts files or ssh-keyscan
SYNTAX
sshfp [-k <knownhosts_file>] [-d] [-a] | [<host1> [host2 ...]] sshfp -s [-p <port>] [-d] <-a> [-n <nameserver>] <domain1> [domain2] |
<host1> [host2 ...] >
DESCRIPTION
sshfp generates RFC4255 SSHFP DNS records based on the public keys stored in a known_hosts file, which implies the user has previously
trusted this key, or public keys can be obtained by using ssh-keyscan (1). Using ssh-keyscan (1) implies a secure path to connect to the
hosts being scanned. It also implies a trust in the DNS to obtain the IP address of the hostname to be scanned. If the nameserver of the
domain allows zone tranfers (AXFR), an entire domain can be processed for all its A records.
OPTIONS
-s / --scan <hostname1> [hostname2 ...]
Scan hosts or domain for public SSH keys using ssh-keyscan
-k / --knownhosts <knownhosts_file> <hostname1> [hostname2 ...]
Obtain public SSH keys from a known_hosts file. Defaults to using ~/.ssh/known_hosts
-a / --all
Scan all hosts in the known_hosts file when used with -k. When used with -s, it will attempt an zone transfer (AXFR) to obtain all A
records in the domain specified.
-d / --trailing-dot
Add a trailing dot to the hostname in the SSHFP records. It is not possible to determine whether a known_hosts or dns query is for a
FQDN (eg www.xelerance.com) or not (eg www) or not (unless -d domainname -a is used, in which case a trailing dot is always appended).
Non-FQDN get their domainname appended through /etc/resolv.conf These non-FQDN will happen when using a non-FQDN (eg sshfp -k www) or
known_hosts entries obtained by running ssh www.sub where .domain.com is implied. When -d is used, all hostnames not ending with a dot,
that at least contain two parts in their hostname (eg www.sub but not www get a trailing dot. Note that the output of sshfp can also
just be manually editted for trailing dots.
-o / --output <filename>
Write to filename instead of stdout
-p / --port <portnumber>
Use portnumber for scanning. Note that portnumbers do NOT appear in SSHFP records.
-h / --help
Output help information and exit.
-v / --version
Output version information and exit.
-q / --quiet
Output less miscellany to stderr
FILES
~/.ssh/known_hosts
REQUIREMENTS
sshfp requires python-dns (http://www.pythondns.org)
Fedora: yum install python-dns
Debian: apt-get install python-dnspython
BUGS
if a domain contains non-working glue A records, then ssh-keyscan aborts instead of skipping the single broken entry.
This program can look up hashed hostnames in a known_hosts file if a recent-enough ssh-keygen is present
EXAMPLES
typical usage:
sshfp (implies -k -a)
sshfp -a -d (implies -k)
sshfp -k bofh.xelerance.com (from known_hosts)
sshfp -s bofh.xelerance.com (from a scan to the host)
sshfp -k ~paul/.ssh/known_hosts bofh.xelerance.com www.openswan.org -o /tmp/mysshfp.txt
sshfp -a -d -d xelerance.com -n ns0.xelerance.net >> /var/named/primary/xelerance.com
SEE ALSO
ssh-keyscan(1) ssh(1) and RFC-4255
http://www.xelerance.com/software/sshfp/
http://lists.xelerance.com/mailman/listinfo/sshfp/
AUTHORS
Paul Wouters <paul@xelerance.com>, Jacob Appelbaum <jacob@appelbaum.net>, James Brown <jbrown@yelp.com>
COPYRIGHT
Copyright 2006-2010 Xelerance Corporation
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at your option) any later version. See
<http://www.fsf.org/copyleft/gpl.txt>.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License (file COPYING in the distribution) for more
details.
Paul Wouters April 12, 2011 SSHFP(1)