Author: Juan de la Cruz Arellano Royo

SCP host key checking

When scp (or ssh) connects, the SSH client tries to verify the identity of the host it is connecting to by means of that host's SSH host key. The client records this key the first time it connects.

Each OS user has a file listing known, trusted servers (~/.ssh/known_hosts). The first time an OS user connects to a remote server via ssh, the client asks whether to trust the host key:

johnd@JohnD-Server1:~> ssh jonhnd@JohnD-Server2
The authenticity of host '192.168.0.100 (192.168.0.100)' can't be established.
RSA key fingerprint is 3f:1b:f4:bd:c5:aa:c1:1f:bf:4e:2e:cf:53:fa:d8:59.
Are you sure you want to continue connecting (yes/no)?

If we answer yes, the ssh client continues the login and saves the host key in the local file. On later connections, if the remote host's key has changed, we get an error:

johnd@JohnD-Server1:~> ssh jonhnd@JohnD-Server2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
3f:1b:f4:bd:c5:aa:c1:1f:bf:4e:2e:cf:53:fa:d8:59.
Please contact your system administrator.
Add correct host key in /home/johnd/.ssh/known_hosts to get rid of this message.
Offending key in /home/johnd/.ssh/known_hosts:3
RSA host key for 192.168.0.100 has changed and you have requested strict checking.
Host key verification failed.

To get rid of this error there are three methods:

1.- Delete the known_hosts file. This discards the stored keys of every host, so each of them will be trusted on first use again the next time we connect:

johnd@JohnD-Server1:~> rm /home/johnd/.ssh/known_hosts

2.- Remove the affected host from the known_hosts file. In the example above the offending line is line 3 ("Offending key in /home/johnd/.ssh/known_hosts:3"), so we can use the following command to remove it:

johnd@JohnD-Server1:~> sed -i 3d ~/.ssh/known_hosts

With this method ssh will prompt again to confirm the host key fingerprint at login, so we can compare it with the fingerprint the server administrator gives us.
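An added example (not from the original post) that scripts method 2 defensively: it parses the "Offending key in ..." line of the warning, shows the stored key so it can be compared with the fingerprint obtained from the server owner, and deletes only that line, keeping the other hosts' keys and a backup. The sample known_hosts file and warning text are constructed; the key strings are placeholders.

```shell
#!/bin/sh
# Constructed example: react to the "REMOTE HOST IDENTIFICATION HAS CHANGED"
# warning by removing only the offending known_hosts line, not the whole file,
# and by showing the stored key before it is dropped.

# Read the ssh warning on stdin and print "<file> <line>" taken from the
# "Offending key in <file>:<line>" line.
offending_entry() {
    sed -n 's/^Offending key in \([^:]*\):\([0-9][0-9]*\).*$/\1 \2/p'
}

# Print the known_hosts line the warning points at ($1 = file, $2 = line).
stored_key() {
    sed -n "${2}p" "$1"
}

# Delete exactly one known_hosts line ($1 = file, $2 = line), keeping a
# .bak copy. Uses a temp file because "sed -i" is not portable.
drop_entry() {
    cp "$1" "$1.bak" && sed "${2}d" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample data (the key material below is placeholder text).
WORK=$(mktemp -d)
KNOWN="$WORK/known_hosts"
printf '%s\n' \
  '192.168.0.50 ssh-rsa AAAAB3placeholderKeyForHost50' \
  '192.168.0.75 ssh-rsa AAAAB3placeholderKeyForHost75' \
  '192.168.0.100 ssh-rsa AAAAB3placeholderOldKeyForHost100' > "$KNOWN"
WARNING="Offending key in $KNOWN:3
RSA host key for 192.168.0.100 has changed and you have requested strict checking.
Host key verification failed."

# Parse the warning, show the entry being removed, then remove it.
set -- $(printf '%s\n' "$WARNING" | offending_entry)
FILE=$1; LINE=$2
echo "Removing line $LINE from $FILE: $(stored_key "$FILE" "$LINE")"
drop_entry "$FILE" "$LINE"
echo "Remaining entries: $(grep -c '' "$FILE")"   # 2: the other hosts stay trusted
```

Recent OpenSSH releases also provide `ssh-keygen -R <host>` to remove a host's entries by name, which does the same job without needing the line number.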

3.- Use the UserKnownHostsFile and StrictHostKeyChecking ssh options to force the use of an empty known_hosts file. Note that this disables host key checking entirely, so the changed-key warning (and the man-in-the-middle case it exists to catch) will never be shown:

johnd@JohnD-Server1:~> ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no jonhnd@JohnD-Server2
Warning: Permanently added '192.168.0.100' (RSA) to the list of known hosts.
johnd@192.168.0.100's password:

You can make these settings permanent for all users by editing /etc/ssh/ssh_config, or for a specific user by editing that user's ~/.ssh/config file.

If we want to bypass the key check for a particular subnet, for example 192.168.0.0/24, we can add these lines at the top of the ssh config file:

Host 192.168.0.*
   StrictHostKeyChecking no
   UserKnownHostsFile=/dev/null

Enjoy it

Juan de la Cruz Arellano Royo
