Re: Centos hold me back from work - sshd ...bull




On Thu, April 28, 2016 9:25 am, m.roth@xxxxxxxxx wrote:
> Valeri Galtsev wrote:
>>
>> On Thu, April 28, 2016 8:56 am, mdubendris@xxxxxxxxx wrote:
>>> The problem is not with your installation of CentOS, it is with the
>>> computer you are connecting from. Read the error log you pasted earlier,
>>> it tells you exactly what the problem is and how to remedy it:
>>>>
>>>> Add correct host key in /Users/andy/.ssh/known_hosts to get rid of this
>>>> message. Offending ECDSA key in /Users/andy/.ssh/known_hosts:22
>>>
>>> Open up the file /Users/andy/.ssh/known_hosts and delete line 22.
> <snip>
>> Usually the host key (of the remote machine) could change for the
>> following reasons:
>>
>> 1. Benign reasons: the remote machine's system was reinstalled and/or the
>> ssh server keys were re-generated, or some machine was retired and a
>> different machine re-used its IP, or for some other reason, like changes
>> in DNS, you are connecting to a _different_ system that has the same IP as
>> the one you were connecting to in the past.
>>
>> In this case it is indeed safe to delete the old known keys resembling
>> this host (there may be more than one), then ssh to it and accept the new
>> key.
>>
>> 2. Bad reasons: the remote machine is hijacked and the host keys have
>> changed. Or, as the ssh error message says, it may be a "man in the
>> middle" attack. If some intermediate malicious machine is able to
>> intercept your traffic, it can
> <snip>
> Just as a side note, here: when we rebuild a machine - say, when we were
> doing CentOS 5 to 6, or when we build a new machine for someone, 6->7, we
> *remove /etc/ssh/ssh_host*, and rsync in the *old* /etc/ssh/ssh_host* from
> backup.
>
> Not doing this does have a tendency to freak out the users....

Yes, that is true. We do this too sometimes, but for machines that have been
on the network too long, when we upgrade the system we do follow "good
security practice" and re-generate the keys, even though there is no reason
to think that the secret key may be compromised.

Valeri

>
>      mark
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
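The decision the thread is circling around (is the "Offending ECDSA key in known_hosts:22" warning a benign reinstall or something worse?) comes down to one check: compare the fingerprint the server now offers with a fingerprint obtained out of band, for example from the machine's console or from the backed-up /etc/ssh/ssh_host_*_key.pub via `ssh-keygen -lf`, and only then remove the stale line. The script below is an added example, not code from the original mail, from CentOS or from OpenSSH; it reimplements in Python what `ssh-keygen -F host` (look up) and `ssh-keygen -R host` (remove) do, so the reader can see the known_hosts formats involved, including the hashed `|1|salt|hmac` entries OpenSSH writes with `HashKnownHosts yes`. The known_hosts contents, the host name `centos-box`, the key blobs and the "trusted" fingerprint are all constructed for the example; the key blobs are arbitrary bytes, not real keys, which is enough because the fingerprint is just SHA-256 over the decoded blob.

```python
import base64
import hashlib
import hmac
from typing import List, Tuple


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(decoded key blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_field(host: str, salt: bytes) -> str:
    """Build the host field OpenSSH writes with HashKnownHosts yes: |1|b64(salt)|b64(hmac_sha1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field names `host`, whether plain, comma-separated or hashed."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in field.split(",")


def find_entries(known_hosts: str, host: str) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, key type, fingerprint) for every entry naming `host`."""
    hits = []
    for lineno, line in enumerate(known_hosts.splitlines(), start=1):
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # markers such as @cert-authority / @revoked
            parts = parts[1:]
        if len(parts) < 3:
            continue
        if host_matches(parts[0], host):
            hits.append((lineno, parts[1], fingerprint_sha256(parts[2])))
    return hits


def review_host_key(known_hosts: str, host: str, offered_type: str,
                    offered_blob: str, trusted_fp: str) -> Tuple[str, List[int]]:
    """Decide what to do with the key a server now offers.

    trusted_fp is the fingerprint learned out of band (console, backup of the host key).
    Returns (verdict, stale line numbers). Nothing is removed unless the offered key
    matches the out-of-band fingerprint; a mismatch is the 'bad reasons' case.
    """
    offered_fp = fingerprint_sha256(offered_blob)
    if not hmac.compare_digest(offered_fp, trusted_fp):
        return "reject", []           # possible hijack / man in the middle: keep known_hosts as is
    entries = find_entries(known_hosts, host)
    if not entries:
        return "new-host", []
    same_type = [(ln, fp) for ln, kt, fp in entries if kt == offered_type]
    if any(fp == offered_fp for _, fp in same_type):
        return "unchanged", []
    return "accept", [ln for ln, _ in same_type]   # benign change: these lines are stale


def drop_lines(known_hosts: str, line_numbers: List[int]) -> str:
    """Remove the given 1-based lines, the manual equivalent of 'delete line 22' / ssh-keygen -R."""
    gone = set(line_numbers)
    kept = [l for n, l in enumerate(known_hosts.splitlines(), start=1) if n not in gone]
    return "\n".join(kept) + "\n"


# Constructed sample data: 21 unrelated entries, then on line 22 the stale ECDSA key for
# "centos-box" (mirroring the known_hosts:22 in the thread), then a hashed entry for the
# same host with an ed25519 key that did not change.
OLD_BLOB = base64.b64encode(b"constructed-old-ecdsa-blob").decode()
NEW_BLOB = base64.b64encode(b"constructed-new-ecdsa-blob").decode()
_filler = ["other%02d.example.net ssh-ed25519 %s" % (i, base64.b64encode(b"filler-%02d" % i).decode())
           for i in range(1, 22)]
SAMPLE_KNOWN_HOSTS = "\n".join(_filler + [
    "centos-box,192.0.2.10 ecdsa-sha2-nistp256 " + OLD_BLOB,
    hashed_host_field("centos-box", b"0123456789abcdef0123") + " ssh-ed25519 "
    + base64.b64encode(b"constructed-ed25519-unchanged").decode(),
]) + "\n"

# Stand-in for the value read off the console with: ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
TRUSTED_FP = fingerprint_sha256(NEW_BLOB)


if __name__ == "__main__":
    print("entries for centos-box:", find_entries(SAMPLE_KNOWN_HOSTS, "centos-box"))
    verdict, stale = review_host_key(SAMPLE_KNOWN_HOSTS, "centos-box",
                                     "ecdsa-sha2-nistp256", NEW_BLOB, TRUSTED_FP)
    print("verdict:", verdict, "stale lines:", stale)
    if verdict == "accept":
        cleaned = drop_lines(SAMPLE_KNOWN_HOSTS, stale)
        print("known_hosts now has", len(cleaned.splitlines()), "lines")
```

Run it as is and the reinstalled server's new key is accepted and line 22 dropped; change `TRUSTED_FP` to the old key's fingerprint (or any other value) and the verdict becomes `reject` with known_hosts left untouched, which is the point: the line is deleted only after the out-of-band fingerprint agrees with what the server offers, never just because ssh complained.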


