SSH Host Verification

How often have you seen something like this?

The authenticity of host '111.222.333.444 (111.222.333.444)' can't be established.
RSA key fingerprint is f3:cf:58:ae:71:0b:c8:04:6f:34:a3:b2:e4:1e:0c:8b.
Are you sure you want to continue connecting (yes/no)? 

The temptation to quickly type yes and hit the enter key is great. But do you know why you are seeing this message?

You should only get this the first time you connect to a new host. After you respond yes, the host's key is stored in ~/.ssh/known_hosts, and you won't be prompted the next time you connect.

What is the known_hosts file in SSH?

The known_hosts file stores the public keys of the hosts a user has accessed. It is an important file: by saving each server's identity on your local system, it assures that you are connecting to the legitimate server, and it helps avoid man-in-the-middle attacks.

Man-In-The-Middle?

A man-in-the-middle (MITM) attack is a general term for when a perpetrator positions himself in a conversation between a user and an application – either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway.

So what am I agreeing to when I type ‘yes’?

When you type ‘yes’ you are agreeing that this is the first time you are connecting to the remote machine, and that you trust the key it presented to belong to it. The first time you access a remote machine, SSH prompts you to continue; if you accept, it stores the remote host's public key in the ~/.ssh/known_hosts file on your machine.

Am I under attack?!

I got this message when trying to log in to a remote machine:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for xyz remote host has changed,and the key for the corresponding IP address xxx.yy.xxx.yy is unknown. This could either mean that DNS SPOOFING is happening or the IP address for the host and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
69:4e:bb:70:6a:64:e3:78:07:6f:b4:00:41:07:d8:9c.
Please contact your system administrator.
Add correct host key in /home/.ssh/known_hosts to get rid of this message.
Offending key in /home/.ssh/known_hosts:1
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.

YES!

Please don’t ignore this message. A previously secure connection has changed. The remote machine to which you once connected is different. Something is wrong.

Unless….

There can be several reasons you get this message that do not mean you are experiencing a security incident. The most common, in IT environments, is that the remote machine to which you are connecting has changed: it may have been rebuilt, or its network card (or network interface, in the case of a virtual machine) may have been replaced. All we know for sure is that someone previously connected successfully from your machine (with your credentials) and stored the public key of that remote machine, and that key has now changed.

As long as you are aware of the remote change, and trust the fact that the remote machine is safe, you can go about removing the offending key from your known_hosts file. The error message even assists by telling you which key is bad. From the message above:

Offending key in /home/.ssh/known_hosts:1

Simply remove line 1 from the referenced file and try to connect again. You’ll be prompted to accept the new key; compare the fingerprint it shows with one the system administrator gives you before you answer yes.
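As an added illustration (not code from the original post), here is a small Python model of what the client does with known_hosts: it parses entries (plain and HashKnownHosts-hashed), computes the MD5 and SHA256 fingerprints of a stored key, classifies a presented key as new, match or changed with the 1-based offending line number, and removes that line as the post recommends. The file contents, hostnames and key blobs are constructed for the example.

```python
import base64
import hashlib
import hmac

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()
# Constructed sample known_hosts (not the article's file). Real entries carry full SSH
# public-key blobs; these short made-up blobs suffice to show matching and fingerprinting.
KEY_A = _b64(b"constructed-host-key-A")
KEY_B = _b64(b"constructed-host-key-B")
SALT = b"constructed-salt-20b"  # HashKnownHosts stores |1|salt|HMAC-SHA1(salt, hostname)
HASHED_HOST = f"|1|{_b64(SALT)}|{_b64(hmac.new(SALT, b'hidden.example.test', 'sha1').digest())}"
SAMPLE_KNOWN_HOSTS = (
    f"build.example.test,192.0.2.10 ssh-rsa {KEY_A}\n"
    "# comments and blank lines are ignored by the client\n"
    f"db.example.test ssh-ed25519 {KEY_B}\n"
    f"{HASHED_HOST} ssh-rsa {KEY_B}\n"
)

def fingerprint_md5(key_b64: str) -> str:
    """Legacy colon-separated MD5 fingerprint, the format shown in the prompts above."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_sha256(key_b64: str) -> str:
    """Modern OpenSSH fingerprint: SHA256 of the key blob, base64 without padding."""
    return "SHA256:" + _b64(hashlib.sha256(base64.b64decode(key_b64)).digest()).rstrip("=")

def _host_matches(field: str, hostname: str) -> bool:
    """Host field is a comma-separated name list or a hashed |1|salt|hash entry."""
    if field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), "sha1").digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return hostname in field.split(",")

def verify_host_key(known_hosts: str, hostname: str, keytype: str, presented_b64: str):
    """Decide like the client: ('new', None), ('match', line) or ('changed', offending 1-based line)."""
    for lineno, line in enumerate(known_hosts.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if _host_matches(parts[0], hostname) and parts[1] == keytype:
            return ("match" if hmac.compare_digest(parts[2], presented_b64) else "changed"), lineno
    return "new", None

def remove_line(known_hosts: str, lineno: int) -> str:
    """The article's remedy: drop the offending line once the change is known to be legitimate."""
    return "".join(l for i, l in enumerate(known_hosts.splitlines(keepends=True), start=1) if i != lineno)
```

The hashed form matters in practice: with HashKnownHosts enabled you cannot find the entry by reading the file, so the line number in "Offending key in ...:1" is the only pointer you get.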
