My l3g3nd

There is no spoon

Replacing RSA Host Key in Known_hosts File

I came across this warning message while I was trying to ssh into one of my Linux boxes, and it took me by surprise. At first I thought there was a DNS spoofing or man-in-the-middle attack, as suggested by the message, but when I read the message carefully and gave it a little more thought, I found that it's just a warning message. I used the same machine name to ssh once, and that added the host key to the known_hosts file on my current machine, and now I am again using the same machine name but on a different host.

l3g3ndary@fir3star.l3g3ndary.org:/home/l3g3ndary/.ssh$ ssh l3g3ndary@fir3star.l3g3ndary.org
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for www.mayanksaraswat.com has changed,
and the key for the corresponding IP address x.x.x.x
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
d9:b5:d4:64:a3:c9:12:25:aa:1b:d8:a2:13:cf:fe:ed.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:13
RSA host key for fir3star.l3g3ndary.org has changed and you have requested strict checking.
Host key verification failed.

Obviously this wasn’t allowing me to remote into my box, and my known_hosts file has many entries, making it difficult to figure out which is the right key. So I used the good old “sed” to remove the entry. If you carefully read the message, it says:

Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:13

So I ran the following command and deleted the entry (d deletes line 13):

l3g3ndary@fir3star.l3g3ndary.org:/home/l3g3ndary/.ssh$ sed -i "13d" /root/.ssh/known_hosts

I was able to ssh back again!
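
The cleanup described above as a guarded script; this is an added example, not the author's command. It parses the "Offending key in FILE:LINE" line of the warning, deletes that line only if it lists the expected host, and keeps a backup; the function names, the temp file and the sample known_hosts entries are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): delete the known_hosts line an
# ssh host-key warning points at, but only if that line belongs to the host
# being fixed, and keep a backup. Function names are hypothetical.

# Read warning text on stdin; print "LINE FILE" from "Offending key in FILE:LINE".
# Newer OpenSSH names the key type ("Offending ECDSA key in ..."), so it is optional.
offending_entry() {
    sed -n 's/^Offending \([A-Za-z0-9-]* \)\{0,1\}key in \(.*\):\([0-9][0-9]*\)$/\3 \2/p' | head -n 1
}

# remove_offending HOST   (warning text on stdin)
# Returns 0 on deletion, 1 if the line is not for HOST, 2 if nothing was parsed.
remove_offending() {
    host=$1
    entry=$(offending_entry)
    line=${entry%% *}
    file=${entry#* }
    [ -n "$line" ] && [ -f "$file" ] || { echo "no offending entry found" >&2; return 2; }
    # Field 1 of a known_hosts line is a comma-separated list of names/addresses.
    # Hashed entries ("|1|...") cannot be matched by name and are refused.
    names=$(sed -n "${line}p" "$file" | cut -d' ' -f1)
    case ",$names," in
        *",$host,"*) ;;
        *) echo "line $line of $file is not for $host; not deleting" >&2; return 1 ;;
    esac
    cp -p "$file" "$file.bak" || return 3
    sed -i.tmp "${line}d" "$file" && rm -f "$file.tmp"
}

# Constructed sample data: a three-line known_hosts (placeholder key material)
# and the two warning lines quoted in the post, pointed at the temp file.
demo() {
    kh=$(mktemp)
    printf '%s\n' \
        'alpha.example.org ssh-rsa AAAAPLACEHOLDER1' \
        'fir3star.l3g3ndary.org,192.0.2.10 ssh-rsa AAAAPLACEHOLDER2' \
        'beta.example.org ssh-rsa AAAAPLACEHOLDER3' > "$kh"
    printf 'Add correct host key in %s to get rid of this message.\nOffending key in %s:2\n' \
        "$kh" "$kh" | remove_offending fir3star.l3g3ndary.org
    status=$?
    cat "$kh"
    rm -f "$kh" "$kh.bak"
    return $status
}
demo
```

OpenSSH also provides `ssh-keygen -R hostname` to remove every entry for a host, which works on hashed known_hosts files as well. Either way, compare the fingerprint printed in the warning with one obtained from the server itself before accepting the new key.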