- Re: openssh upgrade causes havoc !
05-03-2011 02:10 PM
05-03-2011 02:41 PM
Re: openssh upgrade causes havoc !
On what?
uname -a
Of what, exactly, from what to what?
ssh -V
[Before and after would be good.]
As usual, copy+paste of an actual error
message might be more helpful than some loose
interpretation of what you saw in some
undisclosed context.
If you somehow generated new host keys, then
things which remember an old host key may
rightly be quizzical when you come around with
the new host key, claiming to be the same old
fellow.
Cleaning the junk out of known_hosts data
collections should help, but then you can
expect to see the usual first-time messages
when the server system(s) see the new key for
the first time.
If you can find and replace the old host
keys, then you might avoid some work.
(Assuming that the old keys would be
compatible with the new software. Hard to be
confident, given practically no useful info
about anything, but running the experiment
might be easy.)
05-03-2011 04:17 PM
Re: openssh upgrade causes havoc !
05-03-2011 06:01 PM
Re: openssh upgrade causes havoc !
> issue [...]
Is that anything like a _problem_?
> [...] ever think of that????
Sadly, my (very weak) psychic powers are not
strengthened by the urgency of your
situation, so it doesn't really matter, does
it? If you want more than guesswork, then you
may need to supply some useful background
info, irregardful. I see that you had time
to whine, though.
05-03-2011 10:25 PM
Solution
If you accidentally deleted the original host keys (or did not move them to the correct directory, or convert them to the right format if you upgraded from commercial SSH to OpenSSH), then all your clients that have connected to the server before will receive warnings. Sshd cannot function without host keys, so if the host keys are not available or seem corrupted, sshd will regenerate them.
The easiest way for you to fix this would be to restore the original host keys from your old backups (you DO have backups, right?), convert them to the OpenSSH format if necessary, and then replace the current host keys with the original ones. But if some of your clients have already accepted the new key, those clients will now see the old key as "wrong" and the new key as "right". So you will need to tell your clients what is happening in every case. You cannot force the clients to accept the new key from the server side: that would defeat the purpose of having the host key.
If you cannot find the old host keys, the client-side workaround is to remove the old host key record from the client-side ~/.ssh/known_hosts files (or from the Windows registry, or from whatever storage method the client uses), then connect once and accept the new key.
If your version of ssh client has the HashKnownHosts setting enabled (as is the default for new versions of OpenSSH), then you cannot simply read the known_hosts file to identify the correct line to remove: the host keys are hashed to make them unidentifiable by eye. In that case, you must make one connection attempt and look at the error message presented to the client to find the number of the line to remove from the client's known_hosts file. You may need to do this twice for some OpenSSH versions, to find and remove both by-hostname and by-IP host key records.
MK
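The hashed known_hosts lookup described in the post above can also be done offline. The following is an added example, not part of the original thread: it recomputes the HMAC-SHA1 that OpenSSH stores in a hashed host field and reports which line numbers belong to a given host name and IP address. The host names, address, salts and key blobs are constructed placeholders, and plain (unhashed) entries are matched by exact name only, without wildcard or `[host]:port` handling.

```python
import base64
import hashlib
import hmac

def hash_host(host, salt):
    """Hashed host field as OpenSSH writes it: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_field_matches(field, name):
    """True if one known_hosts host field (hashed or plain) refers to name."""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = field.split("|")
            salt = base64.b64decode(salt_b64)
            stored = base64.b64decode(mac_b64)
        except ValueError:  # malformed field or bad base64
            return False
        computed = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(stored, computed)
    return name in field.split(",")  # plain entry: comma-separated names

def find_entries(known_hosts_text, names):
    """Return [(line_number, matched_name, key_type)] for entries matching any name."""
    hits = []
    for lineno, line in enumerate(known_hosts_text.splitlines(), start=1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3:
            continue
        for name in names:
            if host_field_matches(parts[0], name):
                hits.append((lineno, name, parts[1]))
    return hits

# Constructed sample file: fixed salts and placeholder key blobs, not real keys.
SAMPLE = "\n".join([
    hash_host("other.example.com", b"A" * 20) + " ssh-rsa AAAAB3PLACEHOLDER1 x",
    hash_host("server.example.com", b"B" * 20) + " ssh-rsa AAAAB3PLACEHOLDER2 x",
    "# comment line",
    hash_host("192.0.2.10", b"C" * 20) + " ssh-rsa AAAAB3PLACEHOLDER2 x",
])

if __name__ == "__main__":
    for lineno, name, ktype in find_entries(SAMPLE, ["server.example.com", "192.0.2.10"]):
        print("line %d matches %s (%s)" % (lineno, name, ktype))
```

The sample has separate by-hostname and by-IP records for the same server, so both line numbers are reported. `ssh-keygen -F hostname` performs this kind of lookup against a real known_hosts file.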
05-04-2011 04:09 AM
Re: openssh upgrade causes havoc !
I'm not 100% sure but maybe a simple
# ssh-keygen -R hostname
would solve the issue even if known_hosts is hashed. Worth a try...
Unix operates with beer.
05-04-2011 04:23 AM
Re: openssh upgrade causes havoc !
Yes. This happens anytime you change the software because you are using a new key. It complains about the potential Man in the Middle attack.
"Any solution with known hosts or authorized_keys to keep it from happening? "
Looks like you got your answers above.
05-04-2011 07:50 AM
Re: openssh upgrade causes havoc !
05-04-2011 10:22 AM
Re: openssh upgrade causes havoc !
It's too bad that that first "snide" response
didn't suggest that. Oh, wait ...
05-04-2011 10:39 AM