HPE Community
Operating System - HP-UX
1834809 Members
2636 Online
110070 Solutions
New Discussion

Re: PKI - Public Keys not working after rebuild and copying key from a good system

 
Fernando Thompson
Occasional Contributor

‎08-14-2008 01:20 PM

‎08-14-2008 01:20 PM

PKI - Public Keys not working after rebuild and copying key from a good system

I have recently reimaged an HP3750 running hp-ux 11.11. The keys no longer work for a perticular user. I can't just change the key as I would have to do so for every system in the network.

The error is


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
cx:2x:67:13:x8:83:02:38:38:97:x2:92:x6:x2:x1:46.
Please contact your system administrator.
Add correct host key in /home/hotline/.ssh/known_hosts to get rid of this message.
Offending key in /home/hotline/.ssh/known_hosts:3
RSA host key for "hostname" has changed and you have requested strict checking.
Host key verification failed.




I have copied the key from the other system. and placed it on the newly images system. I still get the same error message. We have checked the hosts file and ip addresses everything is right. Below is some degugging info from ssh -vvv "username@hostname" commnd




debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2-hpn
debug1: match: OpenSSH_4.3p2-hpn pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug2: fd 4 setting O_NONBLOCK
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 113/256
debug2: bits set: 508/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/hotline/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /home/hotline/.ssh/known_hosts

at this piont the we get the error

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
cx:2x:67:13:x8:83:02:38:38:97:x2:92:x6:x2:x1:46.
Please contact your system administrator.
Add correct host key in /home/hotline/.ssh/known_hosts to get rid of this message.
Offending key in /home/hotline/.ssh/known_hosts:3
RSA host key for "hostname" has changed and you have requested strict checking.
Host key verification failed.
0 Kudos
Reply
2 REPLIES 2
Steven Schweda
Honored Contributor

‎08-14-2008 02:34 PM

‎08-14-2008 02:34 PM

Re: PKI - Public Keys not working after rebuild and copying key from a good system

> Offending key in /home/hotline/.ssh/known_hosts:3

Throw away the old/wrong _host_ key in the
user's "/home/hotline/.ssh/known_hosts"?

Then, be prepared to answer "yes" once at the
next connection attempt.
0 Kudos
Reply
Deepak Kr
Respected Contributor

‎08-14-2008 02:58 PM

‎08-14-2008 02:58 PM

Re: PKI - Public Keys not working after rebuild and copying key from a good system

No worries:

You just need to update the latest information about hosts in
/home/hotline/.ssh/known_hosts

You better take a backup of existing known_hosts

mv known_hosts known_hosts.bak
touch known_hosts
try connecting again and give yes whenever asked to add the host identification information.

This is one time job....
"There is always some scope for improvement"
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.