Nasty gram and errman

reddwarf2956 · #1 8th April 2004, 04:00 AM

I get the following message on one of my LAN computers when I enter:

# scp -p -r IPADDRES OF comp1:/hold/comp1 IPADDRESS OF BACKUP:/hold

and password:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
HEX NUMBERS SEPERATED BY ':'
Please contact your system administrator.
Add correct host key in /USERNAME/.ssh/known_hosts to get rid of this message.
Offending key in /USERNAME/.ssh/known_hosts:2
RSA host key for IP ADDRESS OF comp1 has changed and you have requested strict checking.Host key verification failed.
lost connection

Now I don't think I have a eavesdropper as of now (if there are there I would like to know how?) What I do beleive is that it is me with some incorrect setting. How do I find the correct host key to add to the: /USERNAME/.ssh/known_hosts
file

John

PS

Is there a way, figure out things like this without asking others? Hell I am the "system administrator." I guess what I am asking is there an errman like there is a man with examples of solutions? I know this is a problem the has at less two out comes which are predictable. So there should be some kind of documentation on it and what actions to do.

mars_hall · #2 8th April 2004, 04:16 AM

If I was seeing something like that, I would be going to sleep reading log files. I've been a System Admin for the past 5 years, and I have been know to go into the office at 4 a.m. just to be able to catch them in the act. Just to find out that the virus writers are very clever people sometimes.
Check your log files to see if you have any external people connecting, you should be able to at least get some IP addresses, with that you might be able to deny access from those IPs.

mhelios · #3 8th April 2004, 04:20 AM

Edit the .ssh/known_hosts file (on your host), remove the entry for that hosts key, and reconnect to that host. It will detect that this host is not in the list of known-hosts (as it does when you first connect to a host) and ask you if it is trusted to add to the list.

This is *highly more likely than it being a comprimised host. *But, do have a look around the system just to keep your paranoia levels healthy.

mhelios · #4 8th April 2004, 04:22 AM

BTW, moving to Security forum.

reddwarf2956 · #5 8th April 2004, 04:40 AM

Thanks for the quick answers. I for one am quick to ask for help. so that allow for more sleep.

I do like the warning however. It is not lame like a windows or DOS warning!

I agree I don't think I will find anything, but where to look for this anything?

I still wish there was a error manual to go along with the man manual. Maybe a Rx manual too for common symtom (sp). These are different from than FAQs and HowTo's how I see it, but they lead to FAQs if there is no solution around.

I guess I am thinking to much about the garbage in, garbage out bit.

John

PorkChop · #6 8th April 2004, 10:49 PM

I saw the same message when SSH'ing from work to home, on several of my systems. Liek Mhelios said add the key to .ssh/known_hosts ( I think thats right..

I know *all* the IP's I connect from remotely, so after continued log checking, I fell fairly confident..

If you know the IP's you are connecting from its easier to filter that stuff out..

Good luck..

PorkChop

Jman · #7 9th April 2004, 12:51 AM

Maybe after you get the good key into known_hosts you could print it off or something so you can be sure it doesn't change again. I know it's difficult to whip out the key whenever you connect, but in the future if you get this message you could be sure it didn't change.

The place to start for logs is the Red Hat graphical log viewer. Main Menu > System Tools > System Logs. The security log should be relevant. Also there is an entire directory of logs in /var/log.

reddwarf2956 · #8 9th April 2004, 01:40 AM

OK, I have figured out the why to this problem and fixed it. Having a computer wih eth cards on one network does not work.

With that fix another problem this time with a lame error.

# scp computer.x.com:/dir computer2 IP:/h old
username@computer.x.com's
password:
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password,keyboard-interactive).
lost connection

Now what is wrong?
If I do it from the the other computer I get just:

lost connection

PS I might want to state what I got.

I have a laptop as computer which is battery only (No AC power.) I am writing and browsing here from it.

It is using DHCP.

Computer2 is a desktop with a static IP address, but I think if computer3 handles DNS it can use DHCP.

Computer3 is also a desktop and will have a static IP unless there is a better way. and they are connected using a router.

Computer2 can ping its IP address and the router but no other machines. Comp3 can't ping a thing and has only command line function. (the fun one)

As for firewalls, the laptop has only ssh as trusted using the gui @ System Settings -> Secuirity Level. And currently allows NTP to a IPaddy though its firewall.

Comp2 has ssh and eth0 trusted.

I plan on computer3 to be the mail, DNS. http, and NTP server for the three. Is this good?

Help?

John