[Bug 662068] [NEW] Removing the offending host key when a server updates should be easier

Scott Ritchie scottritchie at ubuntu.com
Sun Oct 17 11:17:46 BST 2010


Public bug reported:

If I have a server at a particular IP, and I have an ssh history with
that, ssh will store the key in ~/.known-hosts.  If I then replace that
server, but use the same IP, the server will have a new fingerprint that
will conflict with the one in ~/.known-hosts.

ssh will then, properly, complain about a key mismatch and warn about a
possible man in the middle attack.  This is good design; however, if I'm
expecting this error because I knowingly changed the server, it gets
difficult to work around it.

This is the current sort of warning ssh spits out:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for foo.server.com has changed,
and the key for the corresponding IP address 12.34.56.78
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
ab:cd:ef:de:ad:be:ef:12:34:56:78:90:de:ad:be:ef.
Please contact your system administrator.
Add correct host key in /home/scott/.ssh/known_hosts to get rid of this message.
Offending key in /home/scott/.ssh/known_hosts:15
RSA host key for wine.budgetdedicated.com has changed and you have requested strict checking.
Host key verification failed.

There are actually two warnings here.  Regardless, there's no clear path
forward -- editing ~/.known-hosts in a text editor (e.g. nano) isn't
useful, because the IP entries are obscured.  It's also very easy to
miss the fact that the warning is actually telling you a line number
("Offending key in known_hosts:15") -- this should be an explicit
message "Offending key in known_hosts on line 15".  That would be a
simple fix, but it still makes editing larger known_hosts files a pain
(especially in nano, which doesn't have obvious line numbers).

This could be even easier if ssh had some sort of switch to handle this
situation.  A sort of "ssh --I-changed-the-server-key" or
"ssh --forget-key" command.  Some quick searching shows this to be a
common problem, with multiple blog posts describing various ways to fix
the situation (e.g. sed scripts to remove the particular line).

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: ssh (not installed)
ProcVersionSignature: Ubuntu 2.6.35-22.34-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Sun Oct 17 03:04:06 2010
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Beta amd64 (20100901.1)
ProcEnviron:
 LANG=en_US.utf8
 SHELL=/bin/bash
SourcePackage: openssh

** Affects: server-papercuts
     Importance: Undecided
         Status: New

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug maverick

** Also affects: server-papercuts
   Importance: Undecided
       Status: New

** Description changed:

  If I have a server at a particular IP, and I have an ssh history with
  that, ssh will store the key in ~/.known-hosts.  If I then replace that
  server, but use the same IP, the server will have a new fingerprint that
  will conflict with the one in ~/.known-hosts.
  
  ssh will then, properly, complain about a key mismatch and warn about a
  possible man in the middle attack.  This is good design, however if I'm
  expecting this error because I knowingly changed the server, it gets
  difficult to work around it.
  
  This is the current sort of warning ssh spits out:
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- The RSA host key for wine.budgetdedicated.com has changed,
+ The RSA host key for foo.server.com has changed,
  and the key for the corresponding IP address 12.34.56.78
  is unknown. This could either mean that
  DNS SPOOFING is happening or the IP address for the host
  and its host key have changed at the same time.
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  It is also possible that the RSA host key has just been changed.
  The fingerprint for the RSA key sent by the remote host is
  ab:cd:ef:de:ad:be:ef:12:34:56:78:90:de:ad:be:ef.
  Please contact your system administrator.
  Add correct host key in /home/scott/.ssh/known_hosts to get rid of this message.
  Offending key in /home/scott/.ssh/known_hosts:15
  RSA host key for wine.budgetdedicated.com has changed and you have requested strict checking.
  Host key verification failed.
  
- 
- There are actually two warnings here.  Regardless, there's no clear path forward -- editing ~/.known-hosts in a text editor (eg nano) isn't useful, because the IP entries are obscured.  It's also very easy to miss the fact that the warning is actually telling you a line number ("Offending key in known_hosts:15") -- this should be an explicit message "Offending key in known_hosts on line 15".  That would be a simple fix, but it still makes editing larger known_hosts files a pain (especially in nano, which doesn't have obvious line numbers)
+ There are actually two warnings here.  Regardless, there's no clear path
+ forward -- editing ~/.known-hosts in a text editor (eg nano) isn't
+ useful, because the IP entries are obscured.  It's also very easy to
+ miss the fact that the warning is actually telling you a line number
+ ("Offending key in known_hosts:15") -- this should be an explicit
+ message "Offending key in known_hosts on line 15".  That would be a
+ simple fix, but it still makes editing larger known_hosts files a pain
+ (especially in nano, which doesn't have obvious line numbers)
  
  This could be even easier if ssh had some sort of switch to handle this
  situation.  A sort of "ssh --I-changed-the-server-key" or "ssh --forget-
  key" command.  Some quick searching shows this to be a common problem,
  with multiple blog posts describing various ways to fix the situation
  (eg sed scripts to remove the particular line)
  
  ProblemType: Bug
  DistroRelease: Ubuntu 10.10
  Package: ssh (not installed)
  ProcVersionSignature: Ubuntu 2.6.35-22.34-generic 2.6.35.4
  Uname: Linux 2.6.35-22-generic x86_64
  NonfreeKernelModules: nvidia
  Architecture: amd64
  Date: Sun Oct 17 03:04:06 2010
  InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Beta amd64 (20100901.1)
  ProcEnviron:
-  LANG=en_US.utf8
-  SHELL=/bin/bash
+  LANG=en_US.utf8
+  SHELL=/bin/bash
  SourcePackage: openssh

-- 
Removing the offending host key when a server updates should be easier
https://bugs.launchpad.net/bugs/662068
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.
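Added example, not part of the bug report or of OpenSSH: the reason the IP entries look "obscured" in the editor is that with HashKnownHosts the host field is stored as `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>`, so a name can only be found by recomputing the HMAC. The code below does that lookup, removes the matching line(s) the way a "forget this host" switch would, and also parses the line number out of the "Offending key in <path>:<n>" message. OpenSSH's own equivalents are `ssh-keygen -F <host>` (find) and `ssh-keygen -R <host>` (remove, keeping a known_hosts.old backup). The known_hosts content, salt and key blobs are constructed placeholders.

```python
"""Locate and remove a stale host key in an OpenSSH known_hosts file.

Added example (not the bug reporter's or OpenSSH's code): hostname
matching against plain, wildcard and hashed '|1|salt|hmac' entries,
removal of the matching lines, and removal by the line number that the
"Offending key in <path>:<n>" warning reports.
"""
import base64
import fnmatch
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

SALT = bytes(range(20))  # constructed fixed salt; OpenSSH draws 20 random bytes


def hash_host(hostname: str, salt: bytes = SALT) -> str:
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS: List[str] = [
    "# constructed sample known_hosts",
    "foo.server.com,12.34.56.78 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER1= old-box",
    hash_host("wine.budgetdedicated.com") + " ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2=",
    "@cert-authority *.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER3=",
    "other.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER4=",
]


def host_patterns(line: str) -> List[str]:
    """Comma-separated host patterns of a key line; [] for blank, comment
    or malformed lines, which are never touched."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return []
    if fields[0].startswith("@"):  # @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        return []
    return fields[0].split(",")


def pattern_matches(pattern: str, hostname: str) -> bool:
    """Hashed entries are recomputed with the stored salt; plain entries
    use the usual '*' and '?' wildcards, case-insensitively."""
    if pattern.startswith("|1|"):
        parts = pattern.split("|")  # ['', '1', salt_b64, mac_b64]
        if len(parts) != 4:
            return False
        salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def line_matches(line: str, hostname: str) -> bool:
    """A line matches if a positive pattern matches and no '!' pattern does."""
    patterns = host_patterns(line)
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(pattern_matches(p, hostname) for p in negated):
        return False
    return any(pattern_matches(p, hostname) for p in positive)


def find_offending(lines: List[str], hostname: str) -> List[int]:
    """1-based line numbers that hold a key for hostname (cf. ssh-keygen -F)."""
    return [i for i, line in enumerate(lines, start=1) if line_matches(line, hostname)]


def forget_host(lines: List[str], hostname: str) -> Tuple[List[str], List[str]]:
    """Drop every line keyed to hostname. Returns (kept, removed) so the caller
    can write 'kept' back and save 'removed' as a backup (cf. ssh-keygen -R)."""
    removed = [line for line in lines if line_matches(line, hostname)]
    kept = [line for line in lines if not line_matches(line, hostname)]
    return kept, removed


def offending_line_number(warning: str) -> Optional[int]:
    """Extract <n> from ssh's 'Offending key in <path>:<n>' message."""
    m = re.search(r"Offending key in \S+?:(\d+)", warning)
    return int(m.group(1)) if m else None


def remove_line(lines: List[str], number: int) -> List[str]:
    """Remove the single 1-based line the warning points at."""
    return [line for i, line in enumerate(lines, start=1) if i != number]


if __name__ == "__main__":
    print(find_offending(SAMPLE_KNOWN_HOSTS, "12.34.56.78"))               # [2]
    print(find_offending(SAMPLE_KNOWN_HOSTS, "wine.budgetdedicated.com"))  # [3]
    kept, removed = forget_host(SAMPLE_KNOWN_HOSTS, "foo.server.com")
    print(len(kept), len(removed))                                         # 4 1
```

The removal is done by rewriting the whole file minus the matching lines rather than by the `sed` line-number scripts the report mentions, because a line number is only valid until the file changes, whereas matching by hostname (including through the hash) keeps working after other entries are added or removed.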
