Monday, January 06, 2014

On security: Linux known_hosts and the warning "The RSA host key for domain has changed"

OpenSSH's known_hosts keeps a separate entry for a host name and for its IP address (the client option CheckHostIP, on by default, makes ssh look up both). The fingerprint printed in the warning is computed from the host key the server presents, not from the name or the address; the name and address only decide which stored entries that key is compared against. The warning below (seen from a Mac client connecting to an Ubuntu Server) therefore says two things at once: the key stored for sample.com no longer matches the key the server now sends, and there is no entry at all for 192.168.1.60. The server's host key lives in /etc/ssh/ssh_host_*_key on the server itself, so copying a user's existing public and private key pair to the new machine does not carry it over, and a rebuilt or reinstalled host will present a fresh key:
$ ssh user@sample.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for sample.com has changed,
and the key for the corresponding IP address 192.168.1.60
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
a6:d8:17:45:c3:74:eb:cd:a8:5a:a5:91:37:f8:8c:7f.
Please contact your system administrator.
Add correct host key in /Users/nestor/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/nestor/.ssh/known_hosts:68
RSA host key for sample.com has changed and you have requested strict checking.
Host key verification failed.
This check is what protects the client against spoofing. Turning off CheckHostIP in ssh_config removes only the second half of the warning (the unknown IP), not the first, and it leaves the client unable to notice when a name suddenly resolves to a different address than before, which is exactly the DNS-spoofing case the message describes. Bottom line: when a host's key changes, whether because the service moved to a new machine or the machine was reinstalled, every client has to drop the stale line (the warning names it, line 68 here; ssh-keygen -R sample.com removes it) and accept the new key. That acceptance is a manual step, and it should only happen after the new fingerprint has been compared with one read out of band on the server (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub, with -E md5 on newer versions to get the colon format shown above). Merely moving a host that kept its key to a new IP does not produce this failure: ssh sees the name entry match and silently adds an entry for the new address.
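To make the decision behind the warning concrete, here is a small added example, not code from the original post or from OpenSSH, that parses known_hosts lines (plain and HashKnownHosts form), computes the colon-separated MD5 fingerprint of the stored key blob, and classifies a presented key per host name and per IP address the way the message above does. The RSA keys, the salt and the known_hosts text are constructed toy data (64-bit moduli, not usable for real SSH); real fingerprints come from ssh-keygen.

```python
# Added example (not from the original post): a known_hosts checker that
# reproduces the per-name / per-IP decision behind the warning. Keys, salt and
# the known_hosts text below are constructed for the example.
import base64
import hashlib
import hmac
import struct

def _string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s

def _mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra 0x00 if high bit set
    return _string(raw)

def rsa_key_blob(e: int, n: int) -> bytes:
    """RFC 4253 wire encoding of an ssh-rsa public key: "ssh-rsa", e, n."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the format quoted in the warning."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def sha256_fingerprint(blob: bytes) -> str:
    """Format OpenSSH prints by default since 6.8: SHA256:<unpadded base64>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def hashed_host_field(host: str, salt: bytes) -> str:
    """HashKnownHosts form of a host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(host_field: str, name: str) -> bool:
    """Does a comma-separated, possibly hashed host field cover this name or IP?"""
    for pattern in host_field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pattern.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif pattern == name:
            return True
    return False

def find_entries(known_hosts: str, name: str):
    """(line_no, key_type, md5 fingerprint) for every line whose host field matches."""
    hits = []
    for line_no, line in enumerate(known_hosts.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        host_field, key_type, key_b64 = fields[:3]
        if host_matches(host_field, name):
            hits.append((line_no, key_type, md5_fingerprint(base64.b64decode(key_b64))))
    return hits

def check_host(known_hosts: str, host: str, ip: str, presented: bytes) -> dict:
    """Per name and per IP: 'ok' (a stored key matches), 'unknown' (no entry),
    or 'CHANGED' (entries exist but none matches: the hard-failure case above)."""
    fp = md5_fingerprint(presented)
    result = {"presented": fp}
    for label, name in (("host", host), ("ip", ip)):
        hits = find_entries(known_hosts, name)
        if not hits:
            result[label] = "unknown"
        elif any(stored_fp == fp for _, _, stored_fp in hits):
            result[label] = "ok"
        else:
            result[label] = "CHANGED"
            result[label + "_offending_lines"] = [n for n, _, _ in hits]
    return result

# Constructed toy keys: 64-bit moduli, far too small for real use.
OLD_KEY = rsa_key_blob(65537, 0xC0FFEE1234567891)
NEW_KEY = rsa_key_blob(65537, 0xDEADBEEFCAFEF00D)

def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()

# Constructed known_hosts text: the old key stored both plain and hashed.
KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    "sample.com,192.168.1.50 ssh-rsa " + _b64(OLD_KEY),
    hashed_host_field("sample.com", b"constructed-salt-123") + " ssh-rsa " + _b64(OLD_KEY),
    "other.example ssh-rsa " + _b64(NEW_KEY),
])

if __name__ == "__main__":
    # The server now presents NEW_KEY from a new address, as in the post.
    print(check_host(KNOWN_HOSTS, "sample.com", "192.168.1.60", NEW_KEY))
```

Lines 2 and 3 of the constructed file hold the same key under sample.com and yield the same fingerprint whether the host field is plain or hashed, while the IP entry is an independent lookup; that is why one message can report the name as changed and the address as unknown.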
