SSH known host management
When you frequently connect to SSH servers whose RSA host keys have changed (reinstall, IP change, …) you will know this annoying message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
ea:34:84:3f:f3:1e:74:78:7e:f7:5f:4d:a3:5d:3d:9f.
Please contact your system administrator.
Add correct host key in /home/johan/.ssh/known_hosts to get rid of this message.
Offending key in /home/johan/.ssh/known_hosts:187
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,gssapi-with-mic,password).
After this message you have to remove line 187 from your .ssh/known_hosts file and run the ssh command again.
If you want to get rid of this message and stop ssh from altering the known_hosts file, you can add the following options to your .ssh/config file:
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
September 27th, 2010
Perhaps it’s also worth pointing out that this is a really bad idea.
It’s mostly explained in the ssh error message: if someone managed to gain control over any device between you and the machine you’re connecting to, he could now be reading all your traffic.
September 28th, 2010
Kristof, indeed that is true.
If you know that a man-in-the-middle attack is impossible for the hosts that frequently change RSA keys, you can add the 2 lines to the .ssh/config in the specific host's section.
For all the other hosts the default behaviour is kept and you will be warned if someone is trying a man-in-the-middle attack.
September 29th, 2010
Or you could just start using telnet again.
March 20th, 2011
What I do in this case is a "sed -i /192.168.33.78/d ~/.ssh/known_hosts"… It is more secure than completely disabling it, and you don't lose much time.
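As an added example (not from the original post or any of the comments), here is the middle road between deleting line 187 by hand and disabling host key checking: drop only the stale entry, matched on the exact host name rather than with an unanchored sed regex (where "." would also match "192.168.33.7x"). It assumes only POSIX sh and awk; the host names and key material are constructed.

```shell
#!/bin/sh
# Added example: prune one stale host-key entry from a known_hosts file.
# All host names and key strings below are constructed sample data.

# forget_host HOST FILE: drop every plain entry whose host list contains HOST.
# The first field is "host1,host2,[host]:port,..."; port-specific entries must
# be given as "[host]:port". Hashed entries ("|1|salt|hash") cannot be matched
# by name without the HMAC secret, so they are kept; use "ssh-keygen -R HOST"
# for those. "@cert-authority"/"@revoked" marker lines, comments and blank
# lines are also kept untouched.
forget_host() {
    host=$1
    file=$2
    awk -v h="$host" '
        /^[|]1[|]/ || /^[@#]/ || NF == 0 { print; next }
        {
            n = split($1, hosts, ",")
            keep = 1
            for (i = 1; i <= n; i++) if (hosts[i] == h) keep = 0
            if (keep) print
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# has_host HOST FILE: exit 0 if a plain (non-hashed) entry for HOST remains.
has_host() {
    awk -v h="$1" '
        !/^[|@#]/ && NF > 0 {
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++) if (hosts[i] == h) found = 1
        }
        END { exit found ? 0 : 1 }' "$2"
}

# Constructed sample file: the reinstalled lab box (stale key), a neighbour
# with an almost identical address, a port-specific entry and a hashed entry.
KH="${TMPDIR:-/tmp}/known_hosts.example.$$"
cat > "$KH" <<'EOF'
192.168.33.78 ssh-rsa AAAAB3CONSTRUCTEDSTALEKEY=
192.168.33.7,web ssh-ed25519 AAAAC3CONSTRUCTEDNEIGHBOURKEY
[192.168.33.78]:2222 ssh-rsa AAAAB3CONSTRUCTEDPORTKEY=
|1|c29tZXNhbHQ=|c29tZWhhc2g= ssh-rsa AAAAB3CONSTRUCTEDHASHEDKEY=
EOF

forget_host 192.168.33.78 "$KH"
has_host 192.168.33.7 "$KH" && echo "neighbour entry kept"
```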