[CentOS] Centos hold me back from work - sshd ...bull

Thu Apr 28 14:20:27 UTC 2016
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Thu, April 28, 2016 8:56 am, mdubendris at gmail.com wrote:
> The problem is not with your installation of CentOS, it is with the
> computer you are connecting from. Read the error log you pasted earlier,
> it
> tells you exactly what the problem is and how to remedy it:
>
>>
>> Add correct host key in /Users/andy/.ssh/known_hosts to get rid of this
>> message.
>> Offending ECDSA key in /Users/andy/.ssh/known_hosts:22
>
>
> Open up the file /Users/andy/.ssh/known_hosts and delete line 22.
>

(sorry if I repeat what someone already said - it is already long thread,
and I'm reading my mail from latest messages to oldest...)

Usually host key (of remote machine) could change for the following reasons:

1. benign reasons: remote machine system was reinstalled and/or ssh server
keys were re-generated, or some machine was retired and different machine
re-used its IP, or for some other reason, like changes in DNS, you are
connecting to _different_ system that has same IP as the one you were
connecting to in the past

In this case it is indeed safe to delete old known keys resembling this
host (there may be more that one), then ssh to it and accept new key

2. Bad reasons: remote machine is hijacked and host keys have changed. Or,
as ssh error message says, it may be "man in the middle" attack. If some
intermediate malicious machine is able to intercept your traffic, it can
make encrypted ssh tunnel between source machine and itself, and between
itself and destination machine, having all traffic in clear text on
itself. The only thing that stops this "man in the middle" is you, as you
are verifying the host key, and "man in the middle" can not use as host
key the key of remote machine (he would need both secret and public key of
the pair for that). This is how ssh is designed to ensure you are talking
to the machine you think you are talking to.

If this is the case, you shouldn't continue, instead right thing to do is
to first make sure that indeed the key of remote machine was changed by
its admin. Calling remote machine's sysadmin would be right thing to do.

I hope, this helps.

Valeri


> On Thu, Apr 28, 2016 at 2:31 AM, Andreas Benzler <andreas at benzlerweb.de>
> wrote:
>
>> Same machine iMac for the last two weeks.
>>
>> Can work on virtual box  Centos 7
>> Usb drive installation Centos 7 works
>>
>> Fresh installation not on this laptop.
>>
>> > Am 28.04.2016 um 11:25 schrieb Earl A Ramirez
>> <earlaramirez at gmail.com>:
>> >
>> > On 28 Apr 2016 11:24, "Andreas Benzler" <andreas at benzlerweb.de> wrote:
>> >>
>> >> sure
>> >>> Am 28.04.2016 um 11:16 schrieb Earl A Ramirez
>> <earlaramirez at gmail.com
>> >:
>> >>>
>> >>> On 28 Apr 2016 11:11, "John R Pierce" <pierce at hogranch.com> wrote:
>> >>>>
>> >>>> On 4/28/2016 2:02 AM, Andreas Benzler wrote:
>> >>>>>
>> >>>>> what is wrong with the default sshd server.
>> >>>>>
>> >>>>> after retry to connect sshd - key changed from known hosts????
>> >>>>
>> >>>>
>> >>>> I've installed centos a LOT of times, versions 5, 6, and 7, and
>> never
>> > had
>> >>> any issues with the built in sshd service, and a variety of clients,
>> >>> including other linux ssh, putty and securecrt on windows, gui
>> SCP/SFTP
>> >>> utilties(they use sshd too), freebsd ssh, solaris ssh, aix ssh.
>> >>>>
>> >>>> the "key changed from known_hosts" error happens if your client had
>> >>> previously connected with  the same "user at hostname" on a previous
>> >>> installation of the server OS with a different ssh_host_key
>> >>>>
>> >>>>
>> >>>> you need to provide a lot more information if you expect a more
>> > specific
>> >>> answer from anyone, like what version of CentOS did you install,
>> what
>> >>> client software you're using to connect to it, any pertinent
>> background
>> >>> information like was this hostname previously used for a different
>> OS
>> >>> install, etc etc.
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> john r pierce, recycling bits in santa cruz
>> >>>>
>> >>>> _______________________________________________
>> >>>> CentOS mailing list
>> >>>> CentOS at centos.org
>> >>>> https://lists.centos.org/mailman/listinfo/centos
>> >>>
>> >>> You installed the server with the same IP, you need to remove the
>> entry
>> >>> from the known hosts, which is located in .ssh on the computer you
>> are
>> >>> trying to connect to.
>> >>> _______________________________________________
>> >>> CentOS mailing list
>> >>> CentOS at centos.org
>> >>> https://lists.centos.org/mailman/listinfo/centos
>> >>
>> >> _______________________________________________
>> >> CentOS mailing list
>> >> CentOS at centos.org
>> >> https://lists.centos.org/mailman/listinfo/centos
>> >
>> > I meant the computer you are trying to connect from.
>> > _______________________________________________
>> > CentOS mailing list
>> > CentOS at centos.org
>> > https://lists.centos.org/mailman/listinfo/centos
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos
>>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++