Mailinglist Archive: opensuse-security (757 mails)

Concerned about possible crack, ssh warning message
  • From: JW <jw@xxxxxxxxxxxxxxxxxx>
  • Date: Wed, 30 Jan 2002 23:34:24 -0600
Ok, here's the thing. Take everything from here down with a large grain of salt because right now I'm paranoid and apt to jump to conclusions hastily.

I have a few test servers that we use for all kinds of misc. hacking and testing.

I was just looking at one and noticed some things I'm not happy with that make me conclude this box is at least _possibly_ cracked. However, remember we use this as a do-anything-to-it-it-doesn't-matter test box - unstable software and the works, it's a throw-away-install on our LAN. Because of this I can't be sure one of the other guys that have root hasn't done the things I'm eyeing suspiciously.

Anyway I'm currently alarmed because the box I'm eyeing is testbox2, and I just tried to ssh from testbox1 to testbox2 and got the following message:

jw@suse1:~ > ssh jw@suse2
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA1 host key has just been changed.
The fingerprint for the RSA1 key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/jw/.ssh/known_hosts to get rid of this message.
Offending key in /home/jw/.ssh/known_hosts:5
RSA1 host key for emerald has changed and you have requested strict checking.
jw@suse1:~ >

The last time I ssh'd from 1 to 2 was about 5 hours ago and I received no such message. box2 has _not_ been rebooted, I know because my VNC session was running with my apps open just the way I set them up. I really, really doubt any of the other admins restarted sshd, but *maybe*. Also, I've seen messages in /var/log/* before about ssh regenerating the key but there are none today.

What do you think?

Jonathan Wilson
System Administrator

Cedar Creek Software
Central Texas IT
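
Added example, not part of the original post: a small triage helper for the warning quoted above, comparing the "Offending key" line from known_hosts, the server's own ssh_host_key.pub read at its console, and the key the network endpoint presents (for example via ssh-keyscan). The function names rsa1_key and triage and all key values are constructed for illustration; it assumes the protocol 1 text layout "bits exponent modulus" with an optional leading host field.

```shell
#!/bin/sh
# Added example. All key values below are constructed, not taken from the post.
# Protocol 1 (RSA1) public keys are plain decimal text:
#   known_hosts line:  hostnames bits exponent modulus [comment]
#   ssh_host_key.pub:  bits exponent modulus [comment]

# rsa1_key LINE: print "bits exponent modulus", skipping a leading host field.
# Exits non-zero if the three key fields are not all decimal numbers.
rsa1_key() {
    printf '%s\n' "$1" | awk '{
        i = ($1 ~ /^[0-9]+$/) ? 1 : 2
        b = $i; e = $(i + 1); m = $(i + 2)
        if (b !~ /^[0-9]+$/ || e !~ /^[0-9]+$/ || m !~ /^[0-9]+$/) exit 1
        print b, e, m
    }'
}

# triage KNOWN CONSOLE WIRE
#   KNOWN   = the offending line from ~/.ssh/known_hosts
#   CONSOLE = ssh_host_key.pub as read on the server's local console
#   WIRE    = the key the endpoint presents over the network
triage() {
    known=$(rsa1_key "$1") && console=$(rsa1_key "$2") && wire=$(rsa1_key "$3") ||
        { echo malformed; return 2; }
    [ -n "$known" ] && [ -n "$console" ] && [ -n "$wire" ] ||
        { echo malformed; return 2; }
    if [ "$wire" != "$console" ]; then
        # Whatever answered does not hold the server's key: a different
        # host behind the name, or something sitting in the path.
        echo endpoint-is-not-this-server
    elif [ "$console" != "$known" ]; then
        # The server really has a new key: find out who replaced it and when.
        echo server-key-replaced
    else
        echo consistent
    fi
}

# Constructed sample input.
known='emerald 1024 35 1390000000000000000000000000000000000001'
console='1024 35 1390000000000000000000000000000000000002 root@emerald'
wire='emerald 1024 35 1390000000000000000000000000000000000002'
triage "$known" "$console" "$wire"
```

The console copy has to be read on the machine itself, not over the ssh session whose key is in question.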
