Re: SSH mysteriously stops working



Phillip Helbig---undress to reply wrote:

In article <d949a$4dd4b9cb$82a13c9d$20341@xxxxxxxxxxxxxxxx>, JOUKJ
<joukj@xxxxxxxxxxxxxxxxxxxx> writes:

Did you also try with a "just-created" account which was not used for
ssh at all before the test?

Not yet. Maybe I'll have to. Here is the message I get when trying to
get in from outside. (Contrary to what I mentioned before, OUTGOING
access seems OK.)

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The DSA host key for multivax.de has changed,
[snip] ...
Add correct host key in /home/foobar/.ssh/known_hosts to get rid of this
message.
Offending key in /home/foobar/.ssh/known_hosts:1
DSA host key for multivax.de has changed and you have requested strict
checking.
Host key verification failed.

Note that a) I have an IP address which changes usually once a day and
b) whatever node has the cluster IP address will respond to the incoming
request. Both the IP address and also the node with the cluster alias
have changed in the past. SSH probably wasn't meant for this sort of
setup. Could the problem be that the IP address and the cluster-alias
node changed at the same time?


I think that's the usual consequence of a key change. Just follow the advice
to delete the offending key, then the new one will be stored at the next
login; I never had a problem afterwards.

And the problem of cluster alias and changing IP address: that should be no
problem, the host keys are stored with the host's domain name (if
available).
But of course all nodes participating in a cluster alias should have the
same hostkey. Well, different systems/ssh versions seem to behave differently:
on my desktop Linux I see mostly IP addresses, but a few domain names. On
VMS (TCPIP 5.4) I see mostly domain names.
So having a common hostkey in a cluster is probably the safe way.

--

Remove NOREPLY. from Email address.
Joseph Huber, http://www.huber-joseph.de
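
Added example, not part of the original posts: a Python check of which nodes behind a cluster alias would trigger the "host key has changed" warning for a client that has already pinned a key for the alias. The node names, the 192.0.2.10 address and the key blobs are constructed sample data, and it assumes each node's public host key line has been collected by the administrator.

```python
import base64
import hashlib
import struct

def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def pinned_keys(known_hosts_text, name):
    """Return {keytype: fingerprint} pinned for `name` in plain (unhashed) entries."""
    pinned = {}
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers and hashed names.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        if name in fields[0].split(","):
            pinned[fields[1]] = fingerprint(fields[2])
    return pinned

def nodes_that_will_warn(known_hosts_text, alias, node_pubkeys):
    """List nodes whose host key differs from what the client pinned for `alias`."""
    pinned = pinned_keys(known_hosts_text, alias)
    warn = []
    for node, pub in sorted(node_pubkeys.items()):
        keytype, blob = pub.split()[:2]
        if keytype in pinned and pinned[keytype] != fingerprint(blob):
            warn.append(node)
    return warn

def _fake_blob(keytype, seed):
    """Constructed sample data: an SSH-style length-prefixed type string plus filler bytes."""
    raw = struct.pack(">I", len(keytype)) + keytype.encode() + seed * 16
    return base64.b64encode(raw).decode()

# Constructed sample: two nodes share a key, a third generated its own.
SHARED, OWN = _fake_blob("ssh-dss", b"A"), _fake_blob("ssh-dss", b"B")
NODE_PUBKEYS = {"node1": f"ssh-dss {SHARED}", "node2": f"ssh-dss {SHARED}",
                "node3": f"ssh-dss {OWN} root@node3"}
KNOWN_HOSTS = f"# client file\nmultivax.de,192.0.2.10 ssh-dss {SHARED}\n"

if __name__ == "__main__":
    print(nodes_that_will_warn(KNOWN_HOSTS, "multivax.de", NODE_PUBKEYS))  # ['node3']
```

An empty list means every node presents the key the client already trusts, so the alias can move between nodes without the warning.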