2 tools that are handy in managing ssh on the cluster are “updatenode -k” to rerun remoteshell on the nodes (makes sure the hosts got the correct keys during provisioning), and “makeknownhosts” to (re)build the known_hosts file.

Regards,
Christian Caruthers
Lenovo Professional Services
Mobile: 757-289-9872

From: Chiu, Peter (STFC,RAL,RALSP) <peter.c...@stfc.ac.uk>
Sent: Sunday, March 7, 2021 05:45
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: [External] [xcat-user] xcat diskless guests: SSH Key change Warnings

Hello all,

We have recently upgraded the OS to CentOS 7 with xcat diskless nodes. All are running fine as far as we can tell.

Just one issue is that each time a diskless node reboots, a psh or ssh command issued to the node will trigger a warning message on the ECDSA key change, please see below. The command does work.

While we can simply remove the offending entry in .ssh/known_hosts, or through ssh-keygen -R ip_address to clear this for subsequent commands, I wonder if there is any way to prevent the incorrect reporting on the change of the ECDSA key. Clearly the host key has not changed in the boot image, somehow the caller thinks it has.

Many thanks.
Peter

[root@aberdeen ~]# psh rsg15 date
rsg15: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
rsg15: @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
rsg15: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
rsg15: IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
rsg15: Someone could be eavesdropping on you right now (man-in-the-middle attack)!
rsg15: It is also possible that a host key has just been changed.
rsg15: The fingerprint for the ECDSA key sent by the remote host is
rsg15: SHA256:jAAzf23XY1h+VPl7XYKcw9i68cVnw35ZeYDAG6z4SGw.
rsg15: Please contact your system administrator.
rsg15: Add correct host key in /root/.ssh/known_hosts to get rid of this message.
rsg15: Offending ECDSA key in /root/.ssh/known_hosts:19
rsg15: Password authentication is disabled to avoid man-in-the-middle attacks.
rsg15: Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
rsg15: Sun 7 Mar 10:24:20 GMT 2021
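
Added example (not part of the original thread and not xCAT code): before clearing an "offending" known_hosts line, this check lists which entries for a node disagree with a host public key you already trust, using the same SHA256 fingerprint format ssh prints in the warning above. The trusted key line, the address 10.0.0.15, the node rsg16 and the key blobs are constructed for illustration.

```python
import base64, hashlib, hmac

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh prints: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """True if a known_hosts host field names `host` (plain list or hashed |1| form).
    Wildcard patterns and [host]:port entries are not handled here."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in field.split(",")

def audit(known_hosts_text, host, trusted_pubkey_line):
    """Return (stale, ok): 1-based line numbers of entries for `host` with the
    trusted key's type whose fingerprint differs from / equals the trusted one."""
    key_type, trusted_blob = trusted_pubkey_line.split()[:2]
    want = fingerprint(trusted_blob)
    stale, ok = [], []
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank, comment, or @cert-authority/@revoked marker line
        if fields[1] != key_type or not host_matches(fields[0], host):
            continue
        (ok if fingerprint(fields[2]) == want else stale).append(n)
    return stale, ok

def sample_blob(seed):
    # Constructed stand-in for a key blob; not a real ECDSA key.
    return base64.b64encode(seed.encode()).decode()

# Constructed sample data: rsg15 is the node from the thread, the rest is made up.
TRUSTED_KEY = "ecdsa-sha2-nistp256 " + sample_blob("host key the node should present")
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "rsg15,10.0.0.15 ecdsa-sha2-nistp256 " + sample_blob("key seen before the reboot"),
    "rsg15 ssh-ed25519 " + sample_blob("a different key type"),
    "rsg16 ecdsa-sha2-nistp256 " + sample_blob("host key the node should present"),
])

if __name__ == "__main__":
    for node in ("rsg15", "rsg16"):
        stale, ok = audit(SAMPLE_KNOWN_HOSTS, node, TRUSTED_KEY)
        print(node, "expect", fingerprint(TRUSTED_KEY.split()[1]), "stale:", stale, "ok:", ok)
```

A stale line whose replacement fingerprint matches the trusted key is the benign case described in the thread; a presented fingerprint that matches neither needs investigating before the entry is removed.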