Mailinglist Archive: opensuse-security (757 mails)

Concerned about possible crack, ssh warning message
  • From: JW <jw@xxxxxxxxxxxxxxxxxx>
  • Date: Wed, 30 Jan 2002 23:34:24 -0600
  • Message-id: <5.1.0.14.0.20020130223446.0296eae0@xxxxxxxxxxxxxxxxxxxxxxx>
Ok, here's the thing. Take everything from here down with a large grain of salt because right now I'm paranoid and apt to jump to conclusions hastily.

I have a few test servers that we use for all kinds of misc. hacking and testing.

I was just looking at one and noticed some things I'm not happy with that make me conclude this box is at least _possibly_ cracked. However, remember we use this as a do-anything-to-it-it-doesn't-matter test box - unstable software and the works, it's a throw-away-install on our LAN. Because of this I can't be sure one of the other guys that have root hasn't done the things I'm eyeing suspiciously.

Anyway I'm currently alarmed because the box I'm eyeing is testbox2, and I just tried to ssh from testbox1 to testbox2 and got the following message:

jw@suse1:~ > ssh jw@suse2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA1 host key has just been changed.
The fingerprint for the RSA1 key sent by the remote host is
73:40:ed:40:fd:65:0a:bb:77:a9:2f:f7:9a:2e:54:62.
Please contact your system administrator.
Add correct host key in /home/jw/.ssh/known_hosts to get rid of this message.
Offending key in /home/jw/.ssh/known_hosts:5
RSA1 host key for emerald has changed and you have requested strict checking.
jw@suse1:~ >

The last time I ssh'd from 1 to 2 was about 5 hours ago and I received no such message. box2 has _not_ been rebooted, I know because my VNC session was running with my apps open just the way I set them up. I really, really doubt any of the other admins restarted sshd, but *maybe*. Also, I've seen messages in /var/log/* before about ssh regenerating the key but there are none today.

What do you think?

----------------------------------------------------
Jonathan Wilson
System Administrator

Cedar Creek Software http://www.cedarcreeksoftware.com
Central Texas IT http://www.centraltexasit.com
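
One way to triage the warning shown in the message above, as an added example that is not part of the original post: parse the client's warning, then compare the presented fingerprint with one read over a trusted path. The function names and verdict strings are hypothetical, and the trusted fingerprint is assumed to have been read on the server's own console (for example with `ssh-keygen -l`), not over the network.

```python
import re

# Warning text as shown in the message above (banner lines omitted).
SAMPLE_WARNING = """\
It is also possible that the RSA1 host key has just been changed.
The fingerprint for the RSA1 key sent by the remote host is
73:40:ed:40:fd:65:0a:bb:77:a9:2f:f7:9a:2e:54:62.
Add correct host key in /home/jw/.ssh/known_hosts to get rid of this message.
Offending key in /home/jw/.ssh/known_hosts:5
RSA1 host key for emerald has changed and you have requested strict checking.
"""

FP_RE = re.compile(r"\b((?:[0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2})\b")
OFFENDING_RE = re.compile(r"^Offending key in (\S+):(\d+)\s*$", re.M)
HOST_RE = re.compile(r"^(\S+) host key for (\S+) has changed", re.M)

def normalize_fp(fp):
    """Lower-case a hex fingerprint and drop separators so formats compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def parse_warning(text):
    """Extract the fields an investigator needs from the client's warning."""
    fp, off, host = FP_RE.search(text), OFFENDING_RE.search(text), HOST_RE.search(text)
    if not (fp and off and host):
        raise ValueError("not a complete host-key-changed warning")
    return {
        "key_type": host.group(1),          # e.g. RSA1
        "host": host.group(2),              # name the client looked up in known_hosts
        "presented_fp": fp.group(1).lower(),
        "known_hosts": off.group(1),
        "line": int(off.group(2)),          # stored entry that no longer matches
    }

def triage(warning, trusted_fp):
    """Compare the presented key with a fingerprint read over a trusted path."""
    if len(normalize_fp(trusted_fp)) != 32:
        raise ValueError("trusted fingerprint is not a 128-bit hex value")
    if normalize_fp(trusted_fp) == normalize_fp(warning["presented_fp"]):
        # The server really holds this key: find out who regenerated it and when.
        return "server-key-changed"
    # The key offered on the wire is not the server's: something else answered.
    return "presented-key-not-servers"
```

Either verdict leaves the stored entry at the reported `known_hosts` line untouched until the cause is known; the old entry is the only record of the key the client trusted before.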

