Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] Concerned about possible crack, ssh warning message
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Thu, 31 Jan 2002 09:56:37 +0100 (MET)
  • Message-id: <Pine.LNX.4.44.0201310951370.14193-100000@xxxxxxxxxxxx>
>
> jw@suse1:~ > ssh jw@suse2
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA1 host key has just been changed.
> The fingerprint for the RSA1 key sent by the remote host is
> 73:40:ed:40:fd:65:0a:bb:77:a9:2f:f7:9a:2e:54:62.
> Please contact your system administrator.
> Add correct host key in /home/jw/.ssh/known_hosts to get rid of this message.
> Offending key in /home/jw/.ssh/known_hosts:5
> RSA1 host key for emerald has changed and you have requested strict checking.
> jw@suse1:~ >
>
> The last time I ssh'd from 1 to 2 was about 5 hours ago and I received
> no such message. box2 has _not_ been rebooted, I know because my VNC
> session was running with my apps open just the way I set them up. I
> really, really doubt any of the other admins restarted sshd, but
> *maybe*. Also, I've seen messages in /var/log/* before about ssh
> regenerating the key but there are none today.

These messages in /var/log have nothing to do with the server's public key
(that your ssh client was about to verify as it found that it's different
from the last time).

There are three options.

1) Some other machine stole the IP address of suse2, or a
man-in-the-middle attack is in place.
2) The IP address of your host suse2 changed in the DNS or elsewhere. As a
consequence, you actually connect to some other box.
3) Somebody re-generated the host key manually, but that seems less likely.

>
> What do you think?

I vote for option 1. You could look in your /home/jw/.ssh/known_hosts file
to see if you find the key that it's talking about, maybe with a different IP
address. This way it should be easy to find out.

Run arpwatch to see what's going on in the network in terms of changing IP
addresses.

Roman.
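An added example (not code from the thread) of the known_hosts check suggested in the reply above: it parses both the RSA1 entry format ("bits exponent modulus") and the OpenSSH format ("keytype base64blob"), computes the MD5 fingerprint in the colon-separated form the warning prints (for RSA1, OpenSSH hashes modulus followed by exponent in binary), lists the entries recorded for a host, and reports every name that shares a given key, so a key that reappears under another address stands out. The sample file and its key material are constructed.

```python
import base64
import hashlib

# Constructed sample known_hosts (toy key material, not real keys). Line 5 is
# "emerald", matching the "known_hosts:5" reference in the warning above.
SAMPLE_KNOWN_HOSTS = """\
suse2,10.0.0.2 ssh-rsa AAAAB3NzaC1yc2E=
fileserver 1024 35 2305843009213693951
workstation ssh-rsa AAAAB3NzaC1yc2E=
# a comment line
emerald,10.0.0.2 1024 65537 1000000007
"""

def _int_to_bytes(value):
    """Big-endian bytes without leading zeros, as OpenSSL's BN_bn2bin() gives."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

def fingerprint(key_fields):
    """Return (keytype, "aa:bb:..." MD5 fingerprint) for one known_hosts key.
    RSA1 lines ("bits e n") hash n || e in binary; OpenSSH-format lines
    ("keytype blob") hash the base64-decoded blob."""
    if key_fields[0].isdigit():                     # RSA1: bits e n
        _bits, e, n = key_fields[:3]
        ktype, raw = "RSA1", _int_to_bytes(int(n)) + _int_to_bytes(int(e))
    else:                                           # OpenSSH: type blob
        ktype, raw = key_fields[0], base64.b64decode(key_fields[1])
    digest = hashlib.md5(raw).hexdigest()
    return ktype, ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_known_hosts(text):
    """Return [(lineno, names, keytype, fingerprint)] for every key line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):   # blank or comment
            continue
        ktype, fp = fingerprint(fields[1:])
        entries.append((lineno, fields[0].split(","), ktype, fp))
    return entries

def entries_for(text, name):
    """Entries whose host/alias/IP list contains `name`."""
    return [e for e in parse_known_hosts(text) if name in e[1]]

def hosts_sharing_key(text, fp):
    """Every name recorded under fingerprint `fp`, across all lines."""
    return sorted({n for e in parse_known_hosts(text) if e[3] == fp for n in e[1]})
```

Feeding the fingerprint printed by the warning to hosts_sharing_key() tells you whether the "new" key is in fact one already trusted under another name or address.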

