Home / server / Questions / 6233
Accepted
setatakahashi
Asked: 2009-05-09 03:34:43 +0800 CST

How to remove strict RSA key checking in SSH and what's the problem here?

  • 772

I have a Linux server that whenever I connect it shows me the message that changed the SSH host key:

$ ssh root@host1 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 93:a2:1b:1c:5f:3e:68:47:bf:79:56:52:f0:ec:03:6b. Please contact your system administrator. Add correct host key in /home/emerson/.ssh/known_hosts to get rid of this message. Offending key in /home/emerson/.ssh/known_hosts:377

RSA host key for host1 has changed and you have requested strict checking. Host key verification failed.

It keeps me for a very few seconds logged in and then it closes the connection.

host1:~/.ssh # Read from remote host host1: Connection reset by peer Connection to host1 closed.

Does anyone know what's happening and what I could do to solve this problem?

security ssh rsa man-in-the-middle hostkey

6 Answers

  1. Best Answer

    Please don't delete the entire known_hosts file as recommended by some people, this totally voids the point of the warning. It's a security feature to warn you that a man in the middle attack may have happened.

    I suggest you identify why it thinks something has changed, most likely an SSH upgrade altered the encryption keys due to a possible security hole. You can then purge that specific line from your known_hosts file:

    sed -i 377d ~/.ssh/known_hosts

    This deletes line 377 as shown after the colon in the warning:

    /home/emerson/.ssh/known_hosts:377

    Alternatively you can remove the relevant key by doing the following

    ssh-keygen -R 127.0.0.1 (obviously replace with the server's IP)

    Please DO NOT purge the entire file and ensure this is actually the machine you want to be connecting to prior to purging the specific key.

    • 89

  2. I think though some of the answers here address the recommended course of action in the OP's question, it does not fully answer the question.

    The question states "How to remove strict RSA key checking in SSH and what's the problem here?"

    The problem here is, as advised by some others, a change in the host probably due to reinstallation of the server (most common scenario). And the recommended solution is indeed to remove the offending key from the .ssh/authorized_keys file with an inline sed.

    However I didnt see any answers address the specific part of the question "How to remove strict RSA key checking in SSH".

    You can remove StrictHostKey checking in your ssh configuration file, typically stored at ~/.ssh/config.

    An example Host block is provided below:

    Host 101
  HostName yourip|hostname
  User youruserid
  IdentityFile /path/to/keyfile
  Port 22
  StrictHostKeyChecking no

    The specifically added line is the last one StrictHostKeyChecking no which does just what that. Depending on your specific scenario, this may be useful to you, such as running multiple virtualized containers on a dedicated server, on just a few ips, stopping and starting another instance on the same ip.

    • 34

  3. Another way to remove StrictHostKeyChecking, when you only need to do it for a single server: 

    ssh <server> -o StrictHostKeyChecking=no
    • 16

  4. First of all, is this your machine ? Did you knowingly change the host keys ? If not I would be very concerned that something has altered that data.

    Secondly, turn up the ssh debuging,

    ssh -vvv user@host

    and see what that tells you, also try looking in, /var/log/secure and /var/log/messages on the server you are trying to connect to for clues, sshd gives good error messages.

    Thirdly, is this machine connected to the internet ? Should you really be allowing root logins ?

    • 6

  5. You are getting this because something has changed (like new NIC, new IP, change on server software, etc). Security focus has a nice article on SSH host key protection.

    Just remove the key (using SFTP or similar) from the server, by editing the $HOME/.ssh/known_hosts file, and accept the new one upon next connection.

    Your connection might be getting dropped because of the StrictHostKeyChecking setting. See this thread for a similar issue.

    • 3

  6. As the 'host' [broadly defined, it could be everything from a reinstallation / multiboot to an entirely different computer with an IP address you've connected to before, for instance] appears to the ssh client to have changed, it's giving you the error.

    It is unnecessary to switch off strict checking, nor is wholesale deletion of saved keys sensible.

    It is quite possible to have two different keys listed in known_hosts for a particular hostname or IP address; giving you 2 alternatives according to whether you think you may need the 'old' key that is currently stored in known_hosts

    Either delete the particular key it is referring to, at l377 of known_hosts for the OP, or keep both

    The simplest way to keep both, avoiding deletion of keys in known_hosts, is

    1. Edit known_hosts to add # at the start of the 'old' entry referenced in known_hosts [@l377] temporarily
    2. Connect [ssh to the host], agree to the prompt to add the new key 'automatically'
    3. Then re-edit known_hosts to remove the #

    more answers at "Add correct host key in known_hosts" / multiple ssh host keys per hostname?

    • 3