[orbit-user] Quick notes on changes to baseline image - host ssh key has changed
Luis R. Rodriguez
mcgrof at gmail.com
Wed Feb 20 13:14:19 EST 2008
Just FYI, baseline.ndz was updated one month ago with a new fresh-start
PXE install of Debian. As such, our node's ssh host public/private key
has changed. You *will* get warnings about this on consoles, as the
fingerprint of the public key is stored locally after logging in once
to a node, and the last image you most likely used was based on our old
baselines. If you use the new baseline and get errors regarding host
keys, all you have to do is edit the .ssh/known_hosts file on the
indicated line to delete the old key fingerprint.

user@console.sb1:~$ ssh root@node1-1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
2d:47:fd:c3:1a:19:69:f7:ca:35:2b:cc:b5:69:07:db.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:5
RSA host key for node1-1 has changed and you have requested strict checking.
Host key verification failed.
user@console.sb1:~$

Just some further fun information on fingerprints:

When logging into a host you will get prompted with something as follows:

user@host:~$ ssh sb6
The authenticity of host 'sb6 (10.50.16.10)' can't be established.
RSA key fingerprint is e3:e1:6c:98:84:28:45:6a:68:b4:21:0c:a7:f1:a7:8f.
Are you sure you want to continue connecting (yes/no)? yes
MD5sum and hex:
root@console.sb6:~# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
1024 e3:e1:6c:98:84:28:45:6a:68:b4:21:0c:a7:f1:a7:8f /etc/ssh/ssh_host_rsa_key.pub
Bubble Babble:
root@console.sb6:~# ssh-keygen -B -l -f /etc/ssh/ssh_host_rsa_key
1024 xegad-lopiv-myvih-gocip-cicir-fymud-ricur-lecol-satot-fitol-doxax
/etc/ssh/ssh_host_rsa_key.pu

This is the fingerprint that is saved in your .ssh/known_hosts file.
OpenSSH implements several ways to print "fingerprints", and it depends
on two things: the digest you want to apply to the public key and
the printout method. Digest methods are like SHA1 and MD5; printout
methods are like hexdump and something called "Bubble Babble". Bubble
Babble is a method of representing a message digest as a string of
"real" words, to make the fingerprint easier to remember. The "words"
are not necessarily real words, but they look more like words than a
string of hex characters [1].

[1] http://en.wikipedia.org/wiki/Bubble_Babble
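
Added example (not part of the original message, and not OpenSSH's own code): the "digest, then printout method" split described above, computed from a known_hosts or .pub line so a fingerprint shown in a warning can be checked against one read on the node's console. The sample key is constructed filler, and the function names are hypothetical.

```python
import base64
import hashlib

VOWELS, CONSONANTS = "aeiouy", "bcdfghklmnprstvzx"

def key_blob(line):
    """Decode the key blob from a .pub or known_hosts line."""
    fields = line.split()
    for ktype, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        # the wire-format blob starts with its own length-prefixed key type
        if blob[4:4 + len(ktype)] == ktype.encode():
            return blob
    raise ValueError("no public key found in line")

def hex_print(digest):
    """Printout method 1: colon-separated hex."""
    return ":".join(f"{b:02x}" for b in digest)

def bubble_babble(d):
    """Printout method 2: Bubble Babble encoding of the digest bytes."""
    out, seed, rounds = "x", 1, len(d) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(d) % 2:
            a = d[2 * i]
            out += (VOWELS[((a >> 6) + seed) % 6] + CONSONANTS[(a >> 2) & 15]
                    + VOWELS[((a & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b = d[2 * i + 1]
                out += CONSONANTS[b >> 4] + "-" + CONSONANTS[b & 15]
                seed = (seed * 5 + a * 7 + b) % 36
        else:  # even-length input ends with a checksum-only group
            out += VOWELS[seed % 6] + "x" + VOWELS[seed // 6]
    return out + "x"

def fingerprint(line, digest="md5", printout=hex_print):
    """Digest the decoded key blob, then render it with the printout method."""
    return printout(hashlib.new(digest, key_blob(line)).digest())

# Constructed sample, not a real host key: an ssh-rsa wire blob with filler.
def _s(b):
    return len(b).to_bytes(4, "big") + b
SAMPLE_BLOB = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00" + bytes(range(128, 192)))
SAMPLE_LINE = "node1-1 ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    print(fingerprint(SAMPLE_LINE))                         # MD5 digest, hex printout
    print(fingerprint(SAMPLE_LINE, "sha1", bubble_babble))  # SHA1 digest, Bubble Babble
```

The digest is taken over the base64-decoded key blob, not over the text of the line, which is why the hostname and comment fields do not affect the fingerprint.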