SCP host key checking
During ssh connection with scp the SSH client try to verify the identity of the host to which it is connecting by its SSH host key. This key is created during ssh connection.
Each OS user have a file containing known, trustworthy servers. The first time that a OS user connect via ssh with a remote server
|
johnd@JohnD-Server1:~> ssh jonhnd@JohnD-Server2 The authenticity of host ‘192.168.0.100 (192.168.0.100)’ can’t be established. RSA key fingerprint is 3f:1b:f4:bd:c5:aa:c1:1f:bf:4e:2e:cf:53:fa:d8:59. Are you sure you want to continue connecting (yes/no)? |
At this time if we answer yes, the ssh client continues login and save the host key in the local file but if the remote host key changed we will have a error:
|
johnd@JohnD-Server1:~> ssh jonhnd@JohnD-Server2 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 3f:1b:f4:bd:c5:aa:c1:1f:bf:4e:2e:cf:53:fa:d8:59. Please contact your system administrator. Add correct host key in /home/johnd/.ssh/known_hosts to get rid of this message. Offending key in /home/johnd/.ssh/known_hosts:3 RSA host key for 192.168.0.100 has changed and you have requested strict checking. Host key verification failed. |
To solve this error we have 3 method:
1.- Delete the known_host file:
|
johnd@JohnD-Server1:~> rm /home/johnd/.ssh/known_hosts |
2.- Remove the affected host from known_host file. The offending line in the above example is line 3(“Offending key in /home/johnd/.ssh/known_hosts:3”) so we can use the following commando to remove it:
|
johnd@JohnD-Server1:~> sed -i 3d ~/.ssh/known_hosts |
With this method ssh will promt again to confirm the host key fingerprint when login
3.- Use UserKnownHostsFile and StrictHostKeyCheckin ssh parameters to force use an empty known_hosts file
|
johnd@JohnD-Server1:~> ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no jonhnd@JohnD-Server2 Warning: Permanently added ‘192.168.0.100’ (RSA) to the list of known hosts. johnd@192.168.0.100’s password: |
You can set the changes permanent for all users if you edit the /etc/ssh/ssh_config or set the changes for specific user if you modify the ~/.ssh/config file
If we want to bypass key check for a particular subnet for example 192.168.0.0/24 we can modify the ssh config file with this new lines in the top of the file:
|
Host 192.168.0.* StrictHostKeyChecking no UserKnownHostsFile=/dev/null |
Enjoy it
Juan de la Cruz Arellano Royo