openSUSE Forums > Network/Internet » .ssh/known_hosts:

Page 1 of 2 1 2
 
  #1 (permalink)  
Old 27-Oct-2009, 07:54
Puzzled Penguin
 
Join Date: Oct 2009
Posts: 9
samwootton hasn't been rated much yet
Default .ssh/known_hosts:

Hi,

I am running Apache web server on openSUSE.

I often wish to SSH in. I am on a dynamic DNS system.

My external IP address changes on a regular basis. Every time I try to SSH in, I get:



@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
9a:40:57:9a:de:72:6f:8b:d1:e8:57:67:09:22:09:11.
Please contact your system administrator.
Add correct host key in /home/username/.ssh/known_hosts to get rid of this message.
Offending key in /home/username/.ssh/known_hosts:28
RSA host key for 29.176.21.134 has changed and you have requested strict checking.
Host key verification failed.



How can I specify a wild card or something? So that if my IP address changes, I can still SSH in?

Thanks for any help.

Regards, Sam
  #2 (permalink)  
Old 27-Oct-2009, 09:09
weighty_foe's Avatar
Explorer Penguin
 
Join Date: Sep 2008
Location: Earl Shilton UK
Posts: 101
weighty_foe hasn't been rated much yet
Default Re: .ssh/known_hosts:

Wouldn't it be better to turn strict checking off instead? You'll get the warning but be able to log in anyway.

Don't know about the wildcard idea - it rather defeats the object of known_hosts though...
__________________
Happily using Linux since 1998
Share & Enjoy
  #3 (permalink)  
Old 27-Oct-2009, 12:11
Puzzled Penguin
 
Join Date: Oct 2009
Posts: 9
samwootton hasn't been rated much yet
Default Re: .ssh/known_hosts:

Hi,

Thanks for your reply.

Not sure where to turn strict checking off.

Could you point me in the right direction?

Regards, Sam
  #4 (permalink)  
Old 27-Oct-2009, 12:32
Explorer Penguin
 
Join Date: Apr 2009
Posts: 690
ab@novell.com hasn't been rated much yet
Default Re: .ssh/known_hosts:


/etc/ssh/ssh_config

Before you do it, though, it's not a good thing to have disabled....

Good luck.





samwootton wrote:
> Hi,
>
> Thanks for your reply.
>
> Not sure where to turn strict checking off.
>
> Could you point me in the right direction?
>
> Regards, Sam
>
>

  #5 (permalink)  
Old 27-Oct-2009, 16:25
Puzzled Penguin
 
Join Date: Oct 2009
Posts: 9
samwootton hasn't been rated much yet
Default Re: .ssh/known_hosts:

Hey,

Many thanks for the help.

So yeah, that's what I was kind of thinking - that it might be unsafe.

So, how do I go about allowing SSH access on a dynamic IP?

I have a website hosted on Apache, on a dynamic IP, so need port 22 access for house keeping.

Thank you.

Regards, Sam
  #6 (permalink)  
Old 27-Oct-2009, 16:29
Explorer Penguin
 
Join Date: Apr 2009
Posts: 690
ab@novell.com hasn't been rated much yet
Default Re: .ssh/known_hosts:


Use a DNS name if you can... that MAY help (untested by me).

You can also clean out your ~/.ssh/known_hosts file every time the IP
changes which gives you security at a reasonable price. The error message
actually tells you the line to delete if you want to bypass the message:

Offending key in /home/username/.ssh/known_hosts:28

Delete line 28 to fix it.

Good luck.






samwootton wrote:
> Hey,
>
> Many thanks for the help.
>
> So yeah, that's what I was kind of thinking - that it might be unsafe.
>
> So, how do I go about allowing SSH access on a dynamic IP?
>
> I have a website hosted on Apache, on a dynamic IP, so need port 22
> access for house keeping.
>
> Thank you.
>
> Regards, Sam
>
>

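The "delete the offending line" step from the post above, as an added shell example that is not part of the original thread: it reads the file, line number and host out of the ssh warning and removes that one entry only when the line really names that host. The function names, the `.old` backup name and the sample known_hosts content (documentation addresses, placeholder keys) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: act on the "Offending key in FILE:LINE" hint only when that
# line really belongs to the host named in the warning.

# parse_offender TEXT -> prints "FILE LINE HOST" read from the warning text.
parse_offender() {
    printf '%s\n' "$1" | awk '
        /^Offending .*key in / { n = split($NF, a, ":"); line = a[n]
            file = substr($NF, 1, length($NF) - length(line) - 1) }
        /host key for .* has changed/ {
            for (i = 1; i < NF; i++) if ($i == "for") host = $(i + 1) }
        END { if (file == "" || host == "") exit 1; print file, line, host }'
}

# remove_offender FILE LINE HOST -> delete that one entry, keep FILE.old.
remove_offender() {
    kh=$1; line=$2; host=$3
    case $line in ''|*[!0-9]*) echo "bad line number" >&2; return 2 ;; esac
    entry=$(sed -n "${line}p" "$kh")
    [ -n "$entry" ] || { echo "no line $line in $kh" >&2; return 2; }
    hosts=${entry%% *}              # first field: comma-separated host names
    case $hosts in                  # hashed (HashKnownHosts) names are not readable
        '|1|'*) echo "hashed entry, use: ssh-keygen -R $host" >&2; return 3 ;;
    esac
    case ",$hosts," in
        *",$host,"*) ;;             # the warned-about host is on this line
        *) echo "line $line is for $hosts, not $host" >&2; return 4 ;;
    esac
    cp -p "$kh" "$kh.old" && sed "${line}d" "$kh.old" > "$kh"
}

# Demo on a constructed file (documentation addresses, placeholder keys).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'mydomain.example ssh-rsa AAAA-placeholder-1' \
        '192.0.2.10 ssh-rsa AAAA-placeholder-2' \
        '198.51.100.7 ssh-rsa AAAA-placeholder-3' > "$dir/known_hosts"
    warning="Offending key in $dir/known_hosts:2
RSA host key for 192.0.2.10 has changed and you have requested strict checking."
    parsed=$(parse_offender "$warning") || { rm -rf "$dir"; return 1; }
    set -- $parsed
    remove_offender "$1" "$2" "$3"; status=$?
    cat "$dir/known_hosts"; rm -rf "$dir"; return $status
}
demo
```

After the entry is gone, the next connection prompts for the new key; compare the fingerprint it shows with the one printed on the server itself by `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` before accepting it.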
  #7 (permalink)  
Old 27-Oct-2009, 16:40
Puzzled Penguin
 
Join Date: Oct 2009
Posts: 9
samwootton hasn't been rated much yet
Default Re: .ssh/known_hosts:

Hi,

I only have 3 lines in there. And I am not 100% clear on how using a domain name will get around the issue.

I am using a domain name - and I still get the error, that's the problem.

Getting slightly more confused here ;]

Thanks for your help.

Regards, Sam
  #8 (permalink)  
Old 27-Oct-2009, 18:37
Flux Capacitor Penguin
 
Join Date: Jun 2008
Location: GMT+10
Posts: 5,232
ken_yap has a reputation to be proud of
Default Re: .ssh/known_hosts:

It looks to me like what is happening is you are contacting someone else's sshd, hence the warning. Had you contacted your own sshd on a different address, you would have got an advisory, not fatal, that you have a new host and fingerprint. So disabling strict checking is not the solution. You simply do not have a login on someone else's sshd and they might think you are trying to hack them.

The problem you really need to solve is how to tie your dynamic address to a domain name known to you. What you want is dynamic DNS. Do a search for what this does and for free providers of this service.
  #9 (permalink)  
Old 27-Oct-2009, 19:07
Explorer Penguin
 
Join Date: Apr 2009
Posts: 690
ab@novell.com hasn't been rated much yet
Default Re: .ssh/known_hosts:


The known_hosts file is tied to something used to reach the destination
server. If you use DNS names then even if the IP changes you're still
hitting the same box, in theory.

With that in mind I guess instead of cleaning up known_hosts you could
also hack /etc/hosts whenever your IP changes though that is a bigger
hack, in my opinion, as it requires using 'root'.

Good luck.





samwootton wrote:
> Hi,
>
> I only have 3 lines in there. And I am not 100% clear on how using a
> domain name will get around the issue.
>
> I am using a domain name - and I still get the error, that's the
> problem.
>
> Getting slightly more confused here ;]
>
> Thanks for your help.
>
> Regards, Sam
>
>

  #10 (permalink)  
Old 28-Oct-2009, 03:15
Puzzled Penguin
 
Join Date: Oct 2009
Posts: 9
samwootton hasn't been rated much yet
Default Re: .ssh/known_hosts:

OK - firstly, I really appreciate the time taken by members to help.

I think I didn't explain things properly.

This machine is running a website, I already use a dynamic DNS solution (dyndns.org), I ran this website on a Mac OS X for years, then moved to openSUSE.

I cannot ssh to e.g. mydomain.com from any machine, either the machine that Apache is on, or any machine from outside it.

So:

1) I have a server that is running Apache.
2) It hosts mydomain.com
3) It is on a dynamic IP, that uses an updater from dyndns.org.
4) How can I SSH in from a changing IP? (as I have dynamic IP)?

Thanks for any help and advice.

Regards, Sam