Weblog entry #15 for k2
Removing host entry from known_hosts
Posted by k2 on Thu 3 May 2007 at 00:28
My webhost had some network problems two days ago and the data from the web server was mirrored off to another machine. When I try to connect via ssh I get the usual error:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
and the usual text under the warning.
I have seen this happen earlier on my own machines (e.g. on a reinstall) and to remedy it I had removed the offending key from the known_hosts file. But I wanted to know what is the correct way to *update* the entry. A quick scan at the ssh man page didn't give me much light except the reasons why it happened. I confess I didn't read the man page 100% ;)
Comments on this Entry
Reading through some man pages I discovered that ssh-keygen can be used with the -R flag to remove all keys belonging to a hostname.
--
k2
[ Parent | Reply to this comment ]
I believe removing the offending fingerprint from known_hosts manually should be the proper way. I normally note down the line number (say, 42) from the error message, and run
$ vi +42 known_hosts
and delete the offending key.
--
Anurag
[ Parent | Reply to this comment ]
Whether this is easy or hard depends on whether HashKnownHosts is enabled. In the past, this was disabled by default so you could simply edit ~/.ssh/known_hosts, find the line for the host that you were connecting to, and delete it. However, at some point the default (in Debian, determined by /etc/something) was changed to enable HashKnownHosts. This makes the known_hosts file unreadable. The argument for doing this is that you may not want the history of machines that you have connected to to be visible to root. But if you have nothing to hide or no-one to hide it from (e.g. a personal machine), I suggest putting a line in ~/.ssh/config saying
HashKnownHosts no
This will ensure that, in future, entries that are added to your known_hosts file are legible.
Phil.
[ Parent | Reply to this comment ]
Posted by dkg (216.254.xx.xx) on Fri 4 May 2007 at 10:12
[ Send Message | View dkg's Scratchpad | View Weblogs ]
root will always know who you connect to, because the system sees the connections you make. The reason to hash known_hosts is to protect against the spread of a compromise of your user account by some non-root user. If your account is compromised, and known_hosts is not hashed, the malicious agent who compromised your account will have a history of hosts to attempt to crack next. This assumes you have key-based access, and your key was compromised, or that you use some other form of shared authentication, such as a similar password on remote machines.
[ Parent | Reply to this comment ]
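The thread touches two mechanics: k2's finding that ssh-keygen -R removes every key belonging to a hostname, and the exchange between Phil and dkg about HashKnownHosts making the file unreadable to anyone who does not already know the hostnames. The Python script below is an added example, not code from the thread or from OpenSSH; it works on a constructed known_hosts string with placeholder keys, salt and hostnames. It shows how a hashed host field (the |1|salt|hash form OpenSSH writes, where hash is HMAC-SHA1 keyed with the salt over the hostname) is matched without the plaintext name, what a reader of the file can learn in each mode, and a remove-then-add update that mirrors running ssh-keygen -R and then accepting the new key.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample data for this demonstration only; the key strings are
# placeholders, not real host keys.
SAMPLE_SALT = bytes(range(20))
SAMPLE_PUBKEY = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDPLACEHOLDERKEY"


def hash_host(hostname: str, salt: bytes) -> str:
    """Build an OpenSSH hashed host field '|1|<salt>|<hash>': the hash is
    HMAC-SHA1 keyed with the 20-byte salt over the hostname (HashKnownHosts yes)."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode()
    )


SAMPLE_KNOWN_HOSTS = "\n".join([
    "# plain entry, as written with HashKnownHosts no",
    f"www.example.org,192.0.2.10 ssh-rsa {SAMPLE_PUBKEY}",
    "# hashed entry for mirror.example.org, as written with HashKnownHosts yes",
    f"{hash_host('mirror.example.org', SAMPLE_SALT)} ssh-rsa {SAMPLE_PUBKEY}",
    f"@cert-authority *.example.net ssh-rsa {SAMPLE_PUBKEY}",
]) + "\n"


def parse_line(line: str):
    """Return (host_field, key_type, key) for a key line, or None for blank
    and comment lines. A leading marker such as @cert-authority is skipped."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if fields[0].startswith("@"):
        fields = fields[1:]
    if len(fields) < 3:
        return None
    return fields[0], fields[1], fields[2]


def host_field_matches(host_field: str, hostname: str) -> bool:
    """True if the entry's host field names hostname. A hashed field is checked
    by recomputing the HMAC with the stored salt; a plain field is a
    comma-separated list of names and addresses."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = host_field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in host_field.split(",")


def remove_host(known_hosts: str, hostname: str):
    """Drop every line whose host field matches hostname, which is the effect of
    'ssh-keygen -R hostname'. Returns (new_text, number_of_lines_removed)."""
    kept, removed = [], 0
    for line in known_hosts.splitlines(keepends=True):
        parsed = parse_line(line)
        if parsed is not None and host_field_matches(parsed[0], hostname):
            removed += 1
            continue
        kept.append(line)
    return "".join(kept), removed


def update_host(known_hosts: str, hostname: str, key_type: str, key: str,
                hashed: bool = True) -> str:
    """Replace all entries for hostname with one line carrying the new key.
    hashed=True writes the field the way HashKnownHosts yes would, using a
    fresh random salt, so the same host gets a different-looking line each time."""
    text, _ = remove_host(known_hosts, hostname)
    host_field = hash_host(hostname, os.urandom(20)) if hashed else hostname
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{host_field} {key_type} {key}\n"


def visible_hostnames(known_hosts: str):
    """What someone reading the file learns without already knowing the names:
    plain host fields are listed outright, hashed fields stay opaque."""
    names = set()
    for line in known_hosts.splitlines():
        parsed = parse_line(line)
        if parsed is not None and not parsed[0].startswith("|1|"):
            names.update(parsed[0].split(","))
    return names


if __name__ == "__main__":
    print("readable names before:", sorted(visible_hostnames(SAMPLE_KNOWN_HOSTS)))
    text, n = remove_host(SAMPLE_KNOWN_HOSTS, "mirror.example.org")
    print("lines removed for mirror.example.org:", n)
    print(update_host(text, "mirror.example.org", "ssh-rsa", "AAAANEWKEYPLACEHOLDER"))
```

Hosts on a non-standard port are stored as [host]:port and are hashed and matched with the same function; an entry hashed with a salt you do not hold can only be found by recomputing the HMAC for a candidate name, which is exactly what dkg's point relies on. The real-world equivalent of update_host is ssh-keygen -R host followed by a new connection, at which point the new fingerprint should be checked against one obtained from the host's administrator rather than accepted blindly, since a changed key is also what an impersonated host looks like.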