[CentOS] Centos hold me back from work - sshd ...bull

Thu Apr 28 14:39:15 UTC 2016
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Thu, April 28, 2016 9:25 am, m.roth at 5-cent.us wrote:
> Valeri Galtsev wrote:
>> On Thu, April 28, 2016 8:56 am, mdubendris at gmail.com wrote:
>>> The problem is not with your installation of CentOS, it is with the
>>> computer you are connecting from. Read the error log you pasted
>>> earlier, it tells you exactly what the problem is and how to remedy it:
>>>> Add correct host key in /Users/andy/.ssh/known_hosts to get rid of
>>>> this message. Offending ECDSA key in /Users/andy/.ssh/known_hosts:22
>>> Open up the file /Users/andy/.ssh/known_hosts and delete line 22.
> <snip>
>> Usually the host key (of the remote machine) can change for the following
>> reasons:
>> 1. Benign reasons: the remote machine's system was reinstalled and/or the
>> ssh server keys were re-generated, or some machine was retired and a
>> different machine re-used its IP, or for some other reason, like changes
>> in DNS, you are connecting to a _different_ system that has the same IP
>> as the one you were connecting to in the past.
>> In this case it is indeed safe to delete the old known keys for this
>> host (there may be more than one), then ssh to it and accept the new key.
>> 2. Bad reasons: the remote machine is hijacked and the host keys have
>> changed. Or, as the ssh error message says, it may be a "man in the
>> middle" attack. If some intermediate malicious machine is able to
>> intercept your traffic, it can
> <snip>
> Just as a side note, here: when we rebuild a machine - say, when we were
> doing CentOS 5 to 6, or when we build a new machine for someone, 6->7, we
> *remove /etc/ssh/ssh_host*, and rsync in the *old* /etc/ssh/ssh_host*
> from backup.
> Not doing this does have a tendency to freak out the users....

Yes, that is true. We do this too sometimes, but for machines that have been
on the network too long, when we upgrade the system we do follow "good
security practice" and re-generate the keys, even though there is no reason
to think that the secret key may be compromised.


>      mark
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
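The thread's advice is "delete line 22 and accept the new key", which is only safe under the benign reasons listed above. The check a practitioner should do first is to compare the fingerprint ssh prints for the new key against the one read off the rebuilt server's console (`ssh-keygen -lf /etc/ssh/ssh_host_*_key.pub` run locally on that box). The following is an added example, not code from the mailing list or from OpenSSH: it computes the same `SHA256:` fingerprint `ssh-keygen -l` shows, finds every known_hosts entry for a host (plain, comma-separated, and `HashKnownHosts` `|1|salt|hmac` forms), and replaces the stale entries only when the new key's fingerprint equals the one confirmed out-of-band. The host names, the key bytes and the sample known_hosts lines are constructed for the demo.

```python
"""Verify a changed SSH host key out-of-band before editing known_hosts.

Added example for the thread above; not code from the list or from OpenSSH.
Assumption: the new public key and its fingerprint were obtained over a
trusted channel (the server console), not from the ssh warning alone.
All host names, key bytes and known_hosts lines below are constructed.
"""
import base64
import hashlib
import hmac
import struct
from typing import List, Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed string in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def ed25519_pubkey_blob(raw32: bytes) -> bytes:
    """Build the wire-format blob that OpenSSH base64-encodes in *.pub files."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(b64_blob: str) -> str:
    """Same value `ssh-keygen -lf` prints: SHA256 of the blob, base64, no '='."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_matches(field: str, host: str) -> bool:
    """Match a '|1|salt|hmac' entry (HashKnownHosts): HMAC-SHA1(salt, host)."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt = base64.b64decode(parts[2])
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), parts[3])


def entry_matches_host(line: str, host: str) -> bool:
    """True if a known_hosts line refers to `host` (plain, comma list or hashed)."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return False
    hosts_field = fields[1] if fields[0].startswith("@") else fields[0]  # @revoked etc.
    if hosts_field.startswith("|1|"):
        return hashed_host_matches(hosts_field, host)
    return host in hosts_field.split(",")


def replace_host_key(lines: List[str], host: str, new_key_line: str,
                     expected_fp: str) -> Tuple[List[str], int]:
    """Drop every stale entry for `host` and append the new key, but only if
    the new key's fingerprint equals the one confirmed out-of-band.
    Returns (updated known_hosts lines, number of stale entries removed)."""
    keytype, b64_blob = new_key_line.split()[:2]
    actual_fp = fingerprint(b64_blob)
    if not hmac.compare_digest(actual_fp, expected_fp):
        raise ValueError(f"fingerprint mismatch for {host}: got {actual_fp}, "
                         f"expected {expected_fp}; leave known_hosts alone")
    kept = [ln for ln in lines if not entry_matches_host(ln, host)]
    removed = len(lines) - len(kept)
    kept.append(f"{host} {keytype} {b64_blob}")
    return kept, removed


# --- constructed sample data (placeholder key bytes, not real keys) ---
NEW_B64 = base64.b64encode(ed25519_pubkey_blob(bytes(range(32)))).decode()
OLD_B64 = base64.b64encode(ed25519_pubkey_blob(bytes(32))).decode()
NEW_KEY_LINE = f"ssh-ed25519 {NEW_B64} root@rebuilt.example.org"


def hashed_entry(host: str, keytype: str, b64_blob: str) -> str:
    """Construct a HashKnownHosts-style line for the sample file."""
    salt = b"\x01" * 20
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return (f"|1|{base64.b64encode(salt).decode()}|"
            f"{base64.b64encode(mac).decode()} {keytype} {b64_blob}")


SAMPLE_KNOWN_HOSTS = [
    f"other.example.org ssh-ed25519 {OLD_B64}",
    f"rebuilt.example.org,10.0.0.5 ssh-ed25519 {OLD_B64}",  # the "offending" line
    hashed_entry("rebuilt.example.org", "ssh-ed25519", OLD_B64),
]


def demo() -> Tuple[List[str], int]:
    # In practice `expected` is typed in from the server console output.
    expected = fingerprint(NEW_B64)
    return replace_host_key(SAMPLE_KNOWN_HOSTS, "rebuilt.example.org",
                            NEW_KEY_LINE, expected)


if __name__ == "__main__":
    updated, removed = demo()
    print(f"removed {removed} stale entries")
    print("\n".join(updated))
```

In day-to-day use `ssh-keygen -R rebuilt.example.org` does the removal step (it handles hashed entries too); what this code adds is the refusal to touch the file when the fingerprint does not match, which is exactly the case the second, "bad reasons" item in the thread warns about.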