On 20150417_1408-0500, David Wright wrote:
> Quoting Paul E Condon (pecon...@mesanetworks.net):
> 
> > I have four desktop machines running Jessie. I try to keep them all
> > upgraded whenever new package versions are released. I thought it
> > would be fast and simple. I was very wrong. This install behaves very
> > differently in the following way: When I attempt to ssh into one of
> > the computers that was not re-installed, I get a complaint that:
> > 
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > The RSA host key for gq has changed,
> > and the key for the corresponding IP address 192.168.1.12
> > is unknown. This could either mean that
> > DNS SPOOFING is happening or the IP address for the host
> > and its host key have changed at the same time.
> 
> This I do not receive, perhaps because my router knows my MAC and
> gives me my static IP number.
> 
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> > Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> > It is also possible that a host key has just been changed.
> > The fingerprint for the RSA key sent by the remote host is
> > 51:cf:52:87:6f:13:43:50:73:29:2c:b4:34:11:cd:5c.
> > Please contact your system administrator.
> > Add correct host key in /home/pec/.ssh/known_hosts to get rid of this 
> > message.
> > Offending RSA key in /etc/ssh/ssh_known_hosts:3
> >   remove with: ssh-keygen -f "/etc/ssh/ssh_known_hosts" -R gq
> > RSA host key for gq has changed and you have requested strict checking.
> > Host key verification failed.
> 
> This one is very familiar, and is something I wanted to avoid when
> installing via ssh and network-console.
> 
> You're presumably running ssh as pec. What I'm not sure about is why
> you're using /etc/ssh/ssh_known_hosts rather than
> /home/pec/.ssh/known_hosts , because you need root to maintain the
> former.
> 
> > I get this same complaint even after I remove the known_hosts file
> > entirely. How can the software retain the information that the offending
> > line is the third line? It must be doing more than the documentation
> > that I have says its doing,
> 
> There are potentially two files. "the known_hosts file" implies you've
> deleted one of them.
> 
> > This is a home lan. I use a hosts file to
> > inform the several computers of the IP addresses of all the computers in
> > the LAN. The file is identical on all computers and hasn't changed since
> > etch.
> 
> Same here. The router doesn't have a resolver, so I type hostnames and
> hosts gives me the static IP numbers.
> 
> > In the past, I was given the option of typing the login password of the
> > computer that I want to log into, but not now.
> 
> I'm not sure why you call it an "option". The default is to require
> typing a password (of the user, not the computer), and we avoid that
> by giving the remote host a "question" (our public key, placed in its
> authorized_keys file) to which only we know the "answer" (our private
> key, in our id_rsa file).
> 
> > I don't understand what I should do with the RSA 'fingerprint' doesn't
> > look at all like a legitimate line in a known_host file. How is it used?
> 
> On the odd occasion that I keep the newly-installed host keys (usually
> when I notice a new type of key in /etc/ssh/) I type, for example,
> $ ssh-keygen -l -v -f /etc/ssh/ssh_host_ecdsa_key.pub > .../ssh-fingerprint
> where ... is the place you keep your configuration records.
> That's the remote host's fingerprint you check when you get the
> warning. (I don't know how to get a host to send the randomart.)
> 
> > Where is the source of this occult knowledge?
> 
> man ssh-keygen is your friend.
> 
> > Why does the author of the WARNING presume that there is a different
> > person, other than the person reading the message who is the actual
> > 'your system administration'? Has someone in NSA or CIA been assigned
> > to monitor me, and this message breaches global security because I
> > should not be allowed to know that I am being watched?
> 
> Because if you were logging in to your unix account at work, say,
> you'd pick up the phone and ask the operators what in h*ll's name are
> they up to! In other words, ssh assumes the remote host really is
> remote. You (local) get the warning, but the host that might have been
> compromised (if it's not man-in-the-middle) is the remote one.
> 
> Cheers,
> David.

Thanks, David

I'm replying here to your post that was earlier than one that I have
already replied to. It is 4:30am for me, and I woke up way before I
usually do and couldn't go back to sleep. Now after about an hour of
wakefulness, I'm beginning to need more sleep. I haven't pieced
together all your comments in logical order because their order was
driven by the order of statements in my meandering description.
This email will, I hope, place our exchange of emails back in sync.
But we shall see if I can maintain this brief flash of rationality.
The current situation for the hardware is not what it was when
you wrote, but if I write about it now it will confuse the situation
more.

Cheers,
-- 
Paul E Condon           
pecon...@mesanetworks.net

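The exchange above turns on two details of how ssh checks host keys: it consults both /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts (so deleting the user file leaves the system file's stale line 3 in place), and the fingerprint in the warning is a hash of the key blob, not a known_hosts line itself. The following script, added here as an illustration and not part of the original thread, reproduces that lookup on constructed data: the RSA moduli are placeholders, the salt is made up, and the two file paths are the ones from the warning. It handles both plain `host,ip` hostname fields and the hashed `|1|salt|hmac` form that HashKnownHosts writes, and computes both the legacy MD5 fingerprint shown in the warning and the SHA256 form newer ssh-keygen prints.

```python
"""Added example (not from the thread): reproduce ssh's known_hosts lookup
across the system-wide and per-user files and print the fingerprint that
the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning reports.
"""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # RFC 4251 mpint: big-endian bytes with a leading 0x00 when the top bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key (the base64 part of an 'ssh-rsa ...' line)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: the colon-separated hex shown in the warning."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """Fingerprint as printed by 'ssh-keygen -l' since OpenSSH 6.8."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """Hostname field written when HashKnownHosts is on: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hostname_matches(field: str, host: str) -> bool:
    """Does a known_hosts hostname field (plain comma list or hashed) cover host?"""
    if field.startswith("|1|"):
        _, _, salt_b64, _mac_b64 = field.split("|", 3)
        return hmac.compare_digest(hashed_hostname(host, base64.b64decode(salt_b64)), field)
    return host in field.split(",")  # wildcards and [host]:port are not handled here


def parse_known_hosts(text: str):
    """Yield (line_number, hostname_field, key_type, key_blob) for each key line."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3:
            continue
        yield lineno, parts[0], parts[1], base64.b64decode(parts[2])


def check_host_key(files: dict, host: str, offered_blob: bytes) -> list:
    """One record per matching entry in each file, in the order ssh reads them.

    status is 'ok' when the stored key equals the offered one, else 'CHANGED'
    (the case that yields 'Offending RSA key in <file>:<line>').
    """
    results = []
    for path, text in files.items():
        for lineno, field, ktype, blob in parse_known_hosts(text):
            if hostname_matches(field, host):
                results.append({"file": path, "line": lineno, "type": ktype,
                                "stored": md5_fingerprint(blob),
                                "status": "ok" if blob == offered_blob else "CHANGED"})
    return results


# Constructed data: moduli are placeholders, not real keys; the salt is made up.
OLD_BLOB = rsa_blob(65537, (0xC0FFEE << 200) | 1)   # key gq had before the reinstall
NEW_BLOB = rsa_blob(65537, (0xBADC0DE << 200) | 1)  # key gq offers now
SALT = b"0123456789abcdefghij"                       # 20-byte salt, as OpenSSH writes

SYSTEM_KNOWN_HOSTS = "\n".join([
    "# /etc/ssh/ssh_known_hosts (constructed)",
    "tweety,192.168.1.11 ssh-rsa " + base64.b64encode(rsa_blob(65537, (0xABCDEF << 100) | 1)).decode(),
    "gq,192.168.1.12 ssh-rsa " + base64.b64encode(OLD_BLOB).decode(),  # stale entry: line 3
])
# The user's file already holds the new key, under a hashed name (HashKnownHosts yes).
USER_KNOWN_HOSTS = hashed_hostname("gq", SALT) + " ssh-rsa " + base64.b64encode(NEW_BLOB).decode()
FILES = {"/etc/ssh/ssh_known_hosts": SYSTEM_KNOWN_HOSTS,
         "/home/pec/.ssh/known_hosts": USER_KNOWN_HOSTS}

if __name__ == "__main__":
    print("remote offers:", md5_fingerprint(NEW_BLOB), sha256_fingerprint(NEW_BLOB))
    for r in check_host_key(FILES, "gq", NEW_BLOB):
        print("%(file)s:%(line)d %(type)s stored=%(stored)s %(status)s" % r)
```

Against a real host the comparison is the same: `ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub` on the remote machine prints the colon-separated value to set beside the one in the warning, and `ssh-keygen -F gq -f /etc/ssh/ssh_known_hosts` shows which line in a given file (hashed or not) is the one the warning calls offending.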

Archive: https://lists.debian.org/20150418105715.ga2...@big.lan.gnu
