
SSH – Remote Host identification has changed

The SSH error message below is the one I run into most often.

[ben@localhost ~]$ ssh 192.8.1.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
43:49:ae:32:f7:9a:42:00:a1:c8:b7:51:59:40:40:05.
Please contact your system administrator.
Add correct host key in /home/ben/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/ben/.ssh/known_hosts:2
RSA host key for 192.8.1.1 has changed and you have requested strict checking.
Host key verification failed.

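This happens when the public key presented by the SSH server differs from the one recorded at your last login; the server may have been replaced. The SSH servers' public keys are stored in known_hosts under the user's home directory (/home/user/.ssh/known_hosts). As long as you have confirmed that the SSH server you are logging in to is the correct one, editing known_hosts resolves the problem above. For more on SSH authentication and encryption, see http://benjr.tw/301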

The ways to make the change are as follows:

known_hosts

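Simply removing the user's known_hosts file works (for example, user ben's public key file is /home/ben/.ssh/known_hosts), but then the public key of every SSH server has to be accepted again at the next login. It is better to delete only the conflicting entry.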

[ben@localhost ~]$ vi .ssh/known_hosts
172.16.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6jTJeCM3Zwg0xJLuH7TgVtVMgV/qPhk1BoxvXBp7bvshlxsI5kteFBowylioH68d+N/1zIhF5HYm7A1v+/r1acYmTMRHLhAVvy9nuV2XOmrCzkyRf8bPL3sFbx5KoUYKK8ALEUN9r4+67+zLEyo/0Asm+QWQqvw4orO9eL6IaSw17iT6zmn5IzyuTg1wblGLlTRbDkYSCNLh0oprcNV59lnaFHaY4QmxXtLl2F7hJQVEmkUuFAxxr5FJ/V6UZ6VAd+iJGpDTSFhSzoDCBvcayHxga9I8ac4d9vl7VNMuHcSLN/dCU77V2Y1K1jO+rT7LOeYIc+av8zemShUuCIuNnQ==
192.8.1.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2TRGEsk/+2SWeGKRZmf7aAyohGuZnBJYIEkwIqPjLa/6ASaorZj+RxBIP5/sF7W8Dqjae1lkEklOwjNwY6cn3am73FShtupkpAeU70B4RjeXEvRADE1x4b72pIZtgQzhwomCbR8t7OJC+Nn5sPhz10KeDTxliuVXsB+S+6uUYYia7vI9xo0JNLTRoQeoUpKYLltfEJMrFo6OZXxKg3WkQcjN8TNjD8yN2sMQVlloB4iqoSuM7qO4vOZYlPylvLbIh5wwfqnRkOlPlb/+00gruymSUbE8B+6u/dN3VL0Sha2/zaSprvdbDrWBcoW8ozEqxaqAr76RQkYRg11+UNvaqQ==

Remove the 192.8.1.1 ssh-rsa line:

[ben@localhost ~]$ cat .ssh/known_hosts
172.16.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6jTJeCM3Zwg0xJLuH7TgVtVMgV/qPhk1BoxvXBp7bvshlxsI5kteFBowylioH68d+N/1zIhF5HYm7A1v+/r1acYmTMRHLhAVvy9nuV2XOmrCzkyRf8bPL3sFbx5KoUYKK8ALEUN9r4+67+zLEyo/0Asm+QWQqvw4orO9eL6IaSw17iT6zmn5IzyuTg1wblGLlTRbDkYSCNLh0oprcNV59lnaFHaY4QmxXtLl2F7hJQVEmkUuFAxxr5FJ/V6UZ6VAd+iJGpDTSFhSzoDCBvcayHxga9I8ac4d9vl7VNMuHcSLN/dCU77V2Y1K1jO+rT7LOeYIc+av8zemShUuCIuNnQ==

ssh-keygen

Besides generating keys, ssh-keygen can also be used to delete the public key of an individual SSH server.

[ben@localhost ~]$ ssh-keygen -R 192.8.1.1
# Host 192.8.1.1 found: line 2 type RSA
/home/ben/.ssh/known_hosts updated.
Original contents retained as /home/ben/.ssh/known_hosts.old
[ben@localhost ~]$ cat .ssh/known_hosts
172.16.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6jTJeCM3Zwg0xJLuH7TgVtVMgV/qPhk1BoxvXBp7bvshlxsI5kteFBowylioH68d+N/1zIhF5HYm7A1v+/r1acYmTMRHLhAVvy9nuV2XOmrCzkyRf8bPL3sFbx5KoUYKK8ALEUN9r4+67+zLEyo/0Asm+QWQqvw4orO9eL6IaSw17iT6zmn5IzyuTg1wblGLlTRbDkYSCNLh0oprcNV59lnaFHaY4QmxXtLl2F7hJQVEmkUuFAxxr5FJ/V6UZ6VAd+iJGpDTSFhSzoDCBvcayHxga9I8ac4d9vl7VNMuHcSLN/dCU77V2Y1K1jO+rT7LOeYIc+av8zemShUuCIuNnQ==

After that, accept the public key presented by the SSH server in the same way as before, and you can log in.

[ben@localhost ~]$ ssh root@192.8.1.1
The authenticity of host '192.8.1.1 (192.8.1.1)' can't be established.
RSA key fingerprint is 43:49:ae:32:f7:9a:42:00:a1:c8:b7:51:59:40:40:05.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.8.1.1' (RSA) to the list of known hosts.
root@192.8.1.1's password: 
Last login: Thu Apr 13 11:40:00 2017 from 192.8.1.53
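
The "confirm the server is the right one" step can be made concrete by comparing fingerprints before answering yes. The script below is an added example, not part of the original post: it computes the colon-separated MD5 fingerprint shown in the sessions above from a known_hosts entry and compares it with a fingerprint obtained out of band. The function names, the sample host and the sample key blob are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumes plain (unhashed) known_hosts entries of the form
# "host keytype base64blob", as shown on this page, and coreutils
# base64/md5sum.

# key_md5_fp HOST FILE
# Print the legacy MD5 fingerprint (aa:bb:...) of HOST's key stored in FILE.
# The fingerprint is the MD5 digest of the base64-decoded key blob.
key_md5_fp() {
    blob=$(awk -v h="$1" '$1 == h { print $3; exit }' "$2")
    [ -n "$blob" ] || return 2          # no entry for this host
    printf '%s' "$blob" | base64 -d | md5sum | cut -d' ' -f1 |
        sed 's/../&:/g; s/:$//'
}

# check_host_key HOST FILE EXPECTED_FP
# Return 0 only when the stored key matches the fingerprint obtained
# out of band (for example, read from the server console by its admin).
check_host_key() {
    actual=$(key_md5_fp "$1" "$2") || { echo "no key for $1" >&2; return 2; }
    # Accept an optional "MD5:" prefix and upper-case hex digits.
    expected=$(printf '%s' "$3" | sed 's/^MD5://' | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 $actual"
    else
        echo "MISMATCH: $1 has $actual, expected $expected" >&2
        return 1
    fi
}

# Constructed sample file: "YWJj" is base64 for the bytes "abc",
# not a real host key.
SAMPLE_KH=$(mktemp)
printf 'host.example ssh-rsa YWJj\n' > "$SAMPLE_KH"
check_host_key host.example "$SAMPLE_KH" \
    90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72
```

On a system with OpenSSH installed, `ssh-keygen -l -E md5 -f ~/.ssh/known_hosts` prints fingerprints in the same format; newer clients display SHA256 fingerprints by default.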
