Thread: .ssh/known_hosts:

  1. #1

    .ssh/known_hosts:

    Hi,

    I am running Apache web server on opensuse.

    I often wish to SSH in. I am on a dynamic DNS system.

    My external IP address changes on a regular basis. Every time I try to SSH in, I get:



    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    9a:40:57:9a:de:72:6f:8b:d1:e8:57:67:09:22:09:11.
    Please contact your system administrator.
    Add correct host key in /home/username/.ssh/known_hosts to get rid of this message.
    Offending key in /home/username/.ssh/known_hosts:28
    RSA host key for 29.176.21.134 has changed and you have requested strict checking.
    Host key verification failed.



    How can I specify a wildcard or something? So that if my IP address changes, I can still SSH in?

    Thanks for any help.

    Regards, Sam

  2. #2
    Re: .ssh/known_hosts:

    Wouldn't it be better to turn strict checking off instead? You'll get the warning but be able to log in anyway.

    Don't know about the wildcard idea - it rather defeats the object of known_hosts though...
    Happily using Linux since 1998
    Share & Enjoy

  3. #3

    Re: .ssh/known_hosts:

    Hi,

    Thanks for your reply.

    Not sure where to turn strict checking off.

    Could you point me in the right direction?

    Regards, Sam

  4. #4

    Re: .ssh/known_hosts:

    /etc/ssh/ssh_config

    Before you do it, though, it's not a good thing to have disabled....

    Good luck.





    samwootton wrote:
    > Hi,
    >
    > Thanks for your reply.
    >
    > Not sure where to turn strict checking off.
    >
    > Could you point me in the right direction?
    >
    > Regards, Sam
    >
    >


  5. #5

    Re: .ssh/known_hosts:

    Hey,

    Many thanks for the help.

    So yeah, that's what I was kind of thinking - that it might be unsafe.

    So, how do I go about allowing SSH access on a dynamic IP?

    I have a website hosted on Apache, on a dynamic IP, so need port 22 access for housekeeping.

    Thank you.

    Regards, Sam

  6. #6

    Re: .ssh/known_hosts:

    Use a DNS name if you can... that MAY help (untested by me).

    You can also clean out your ~/.ssh/known_hosts file every time the IP
    changes which gives you security at a reasonable price. The error message
    actually tells you the line to delete if you want to bypass the message:

    Offending key in /home/username/.ssh/known_hosts:28

    Delete line 28 to fix it.

    Good luck.






    samwootton wrote:
    > Hey,
    >
    > Many thanks for the help.
    >
    > So yeah, that's what I was kind of thinking - that it might be unsafe.
    >
    > So, how do I go about allowing SSH access on a dynamic IP?
    >
    > I have a website hosted on Apache, on a dynamic IP, so need port 22
    > access for housekeeping.
    >
    > Thank you.
    >
    > Regards, Sam
    >
    >


  7. #7

    Re: .ssh/known_hosts:

    Hi,

    I only have 3 lines in there. And I am not 100% clear on how using a domain name will get around the issue.

    I am using a domain name - and I still get the error, that's the problem.

    Getting slightly more confused here ;]

    Thanks for your help.

    Regards, Sam

  8. #8
    Re: .ssh/known_hosts:

    It looks to me like what is happening is you are contacting someone else's sshd, hence the warning. Had you contacted your own sshd on a different address, you would have got an advisory, not fatal, that you have a new host and fingerprint. So disabling strict checking is not the solution. You simply do not have a login on someone else's sshd and they might think you are trying to hack them.

    The problem you really need to solve is how to tie your dynamic address to a domain name known to you. What you want is dynamic DNS. Do a search for what this does and for free providers of this service.

  9. #9

    Re: .ssh/known_hosts:

    The known_hosts file is tied to something used to reach the destination
    server. If you use DNS names then even if the IP changes you're still
    hitting the same box, in theory.

    With that in mind I guess instead of cleaning up known_hosts you could
    also hack /etc/hosts whenever your IP changes though that is a bigger
    hack, in my opinion, as it requires using 'root'.

    Good luck.





    samwootton wrote:
    > Hi,
    >
    > I only have 3 lines in there. And I am not 100% clear on how using a
    > domain name will get around the issue.
    >
    > I am using a domain name - and I still get the error, that's the
    > problem.
    >
    > Getting slightly more confused here ;]
    >
    > Thanks for your help.
    >
    > Regards, Sam
    >
    >

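
Added example, not part of any post in this thread: posts #6 and #9 describe known_hosts entries as tied to whatever name or address was used to connect, and suggest deleting the line that names the stale address. The script below does that on a constructed file (placeholder keys; `198.51.100.7`, `backup.example` and the function names are assumptions), removing only the address and keeping any key that is also recorded under a DNS name.

```shell
#!/bin/sh
# Constructed sample known_hosts; the keys are placeholders, not real key material.
make_sample() {
cat <<'EOF'
# constructed sample
mydomain.com,198.51.100.7 ssh-rsa AAAAB3PLACEHOLDERKEYA
29.176.21.134 ssh-rsa AAAAB3PLACEHOLDERKEYB
[backup.example]:2222 ssh-ed25519 AAAAC3PLACEHOLDERKEYC
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3PLACEHOLDERKEYD
EOF
}

# Print the line numbers of plaintext entries whose host list names $2 exactly.
# Wildcard and negated patterns are not expanded; hashed entries are skipped.
find_host_lines() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }
        {
            f = ($1 ~ /^@/) ? 2 : 1      # host list follows an @marker if present
            if (substr($f, 1, 1) == "|") next
            n = split($f, h, ",")
            for (i = 1; i <= n; i++) if (h[i] == want) { print NR; break }
        }' "$1"
}

# Copy file $1 to stdout with host $2 removed from each plaintext host list.
# A line disappears only when $2 was the sole name on it, so a key that is
# also recorded under a DNS name stays pinned to that name.
drop_host() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { print; next }
        {
            f = ($1 ~ /^@/) ? 2 : 1
            if (substr($f, 1, 1) == "|") { print; next }
            n = split($f, h, ","); keep = ""
            for (i = 1; i <= n; i++)
                if (h[i] != want) keep = keep (keep == "" ? "" : ",") h[i]
            if (keep == "") next
            if (keep != $f) $f = keep
            print
        }' "$1"
}

# Demo on the constructed file: locate the stale address entry, then drop it.
kh=$(mktemp)
make_sample > "$kh"
echo "entries naming 29.176.21.134: line $(find_host_lines "$kh" 29.176.21.134)"
drop_host "$kh" 29.176.21.134
```

On a real file, `ssh-keygen -F <host>` finds entries and `ssh-keygen -R <host>` removes them, including hashed ones that this script leaves untouched.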

  10. #10

    Re: .ssh/known_hosts:

    Ok - firstly, I really appreciate the time taken by members to help.

    I think I didn't explain things properly.

    This machine is running a website. I already use a dynamic DNS solution (dyndns.org). I ran this website on Mac OS X for years, then moved to openSUSE.

    I cannot ssh to e.g. mydomain.com from any machine, either the machine that Apache is on, or any machine from outside it.

    So:

    1) I have a server that is running Apache.
    2) It hosts mydomain.com
    3) It is on a dynamic IP, that uses an updater from dyndns.org.
    4) How can I SSH in from a changing IP? (as I have a dynamic IP)?

    Thanks for any help and advice.

    Regards, Sam
