ssh-keygen

ssh-keygen can be used to create SSH keys so that you can ssh into hosts with a passphrase instead of a password, or with no password at all. But something that might be overlooked is that you can also use it to edit your .ssh/known_hosts file.

Here at work we reinstall machines, and when you do that the machine's RSA host key fingerprint changes. Once it has changed, you get a nasty message like the following when you try to ssh into it:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for firebug has changed,
and the key for the according IP address 10.0.0.2
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/ryan/.ssh/known_hosts:9
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
d9:23:da:90:9d:3e:ae:8b:26:08:5e:b7:62:03:67:a0.
Please contact your system administrator.
Add correct host key in /home/ryan/.ssh/known_hosts to get rid of this message.
Offending key in /home/ryan/.ssh/known_hosts:10
RSA host key for firebug has changed and you have requested strict checking.
Host key verification failed.

What I used to do was vi my .ssh/known_hosts file, find the offending lines (searching for firebug and the IP), and delete them from the file. Then the next time I connect, I can accept the new key.

Here's where ssh-keygen can save the day: just run the following command and be amazed:

ssh-keygen -R firebug

Boom, you are done! I actually have an alias for this:

alias rmhost='ssh-keygen -R '
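
One reason the command is more reliable than hand-editing: when HashKnownHosts is enabled, host names in known_hosts are stored as salted HMAC-SHA1 tokens, so searching the file for firebug finds nothing, while ssh-keygen -R still matches the entry. The Python below is an added example, not part of the original post, and it goes beyond the post by covering hashed entries; the sample file, the placeholder key blobs and the function names are assumptions.

```python
import base64
import hashlib
import hmac

def hash_host(name, salt):
    """Build a HashKnownHosts token: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def entry_matches(hosts_field, name):
    """True if the host field of one known_hosts line names `name`."""
    if hosts_field.startswith("|1|"):
        salt_b64, _, mac_b64 = hosts_field[3:].partition("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    # Plain entry: comma-separated names. Wildcards and [host]:port are not handled.
    return name in hosts_field.split(",")

def find_entries(known_hosts_text, names):
    """Return [(line_number, name)] for each line that names one of `names`."""
    hits = []
    for lineno, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if not fields or fields[0].startswith("#"):
            continue
        hits += [(lineno, n) for n in names if entry_matches(fields[0], n)]
    return hits

# Constructed sample: placeholder key blobs, fixed salt so the output is repeatable.
SALT = bytes(range(20))
SAMPLE = "\n".join([
    "# constructed known_hosts file",
    "10.0.0.2 ssh-rsa PLACEHOLDERKEY1",
    "firebug ssh-rsa PLACEHOLDERKEY2",
    hash_host("firebug", SALT) + " ssh-ed25519 PLACEHOLDERKEY3",
    "otherhost,10.0.0.3 ssh-rsa PLACEHOLDERKEY4",
])

if __name__ == "__main__":
    for lineno, name in find_entries(SAMPLE, ["firebug", "10.0.0.2"]):
        print("line %d names %s" % (lineno, name))
```

Against a real file, ssh-keygen -F firebug performs the same lookup, hashed entries included.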
