Friday, April 23, 2010

Locked out of my own website!

I tried to ssh into our server, now hosted at linode.net. I got a notice, all scary-like:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for zimres.net has changed,
and the key for the corresponding IP address 74.207.247.190
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/valorie/.ssh/known_hosts:4
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

Of course, that last bit is the important part. The host key has been changed. How to fix that at my end? My son said to edit out the line in my ~/.ssh/known_hosts file. However, when I opened Kate to edit it, I saw:

|1|2ZZc4RXTORIrgsDBWb2zqWRRw8s=|ZJCjvrfPLAEPwVQ6lGdYtVhoAK0= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqp3hNrWz5ZWwogg1In70rBynezwkleYbOAgtDdbR7dfrcGJC/deLeprn+bXgfeO058EeHqAeU0be5tn1siui+GWm9rQ1PEfrT46fZCgSWeZVYVcQ5vRQItN/a6XFe00WPWrYEhXwgmM6la2gm8kOa5kCTSDOIN8v5XcqA85Pbnd57zmAcVWejaYndk1SkO9V1ctrxz8yGM6NuN+ThawQaLa1tWuj4aKFNWj2DBc3Dyx1IztUFdN0GcIRRg47qwU7KQGqv/2g77gsRmSvVILrRy1CR82lrsxpo5SdvMkqFJQSz/jyTN1x/6FbGJjAwkhIBQXkpQyxmQwzFb/Hf/pgMw==
|1|qZ+nY7U1kgMnDp26n6sdtbh+lmQ=|KGnxdNek7Rs137p3NgH3ZaLijdI= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqp3hNrWz5ZWwogg1In70rBynezwkleYbOAgtDdbR7dfrcGJC/deLeprn+bXgfeO058EeHqAeU0be5tn1siui+GWm9rQ1PEfrT46fZCgSWeZVYVcQ5vRQItN/a6XFe00WPWrYEhXwgmM6la2gm8kOa5kCTSDOIN8v5XcqA85Pbnd57zmAcVWejaYndk1SkO9V1ctrxz8yGM6NuN+ThawQaLa1tWuj4aKFNWj2DBc3Dyx1IztUFdN0GcIRRg47qwU7KQGqv/2g77gsRmSvVILrRy1CR82lrsxpo5SdvMkqFJQSz/jyTN1x/6FbGJjAwkhIBQXkpQyxmQwzFb/Hf/pgMw==
|1|U+ZwcJShMD52Hxfk+BnxgfDnH4o=|QepSzrHlsR1vchO12+soBb1mAwo= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAysa2byLN+E1SeM8Wo7kMGLE+BPAg3nkKg5OhKmssRj945kKuqCBy3wvwVcrfe4zSvVMfotN06tAvmdflFokNXv9ANZJ9qu42HeFxNwkIz04w5E9YeHEG4rTtUW0dSsp13kcaU5Jp3z60C4QNUfZuNOGQmV+yYlOCiLXgR6eYmtkC+/hKZhPkO4GbxwLlEzW5Rzd8vy5czN87Pnr4Z1a/g+T+xKil8B2K41160+GQQNIPfYUCGnA9ccw1kRmWIYV+omJieXiigawUvhnQoHmWRllUhOq6y5jhvQVseO7S+EVFobMFxZ/P2+SzOlg2KaZu/8M0YZtxcrSM8NHnZLq+iw==
|1|b6NemVdIE2FvkU5/cH5FXaDbUks=|Hr4ppmN0hOhCb5ey2NS1yaeuits= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAysa2byLN+E1SeM8Wo7kMGLE+BPAg3nkKg5OhKmssRj945kKuqCBy3wvwVcrfe4zSvVMfotN06tAvmdflFokNXv9ANZJ9qu42HeFxNwkIz04w5E9YeHEG4rTtUW0dSsp13kcaU5Jp3z60C4QNUfZuNOGQmV+yYlOCiLXgR6eYmtkC+/hKZhPkO4GbxwLlEzW5Rzd8vy5czN87Pnr4Z1a/g+T+xKil8B2K41160+GQQNIPfYUCGnA9ccw1kRmWIYV+omJieXiigawUvhnQoHmWRllUhOq6y5jhvQVseO7S+EVFobMFxZ/P2+SzOlg2KaZu/8M0YZtxcrSM8NHnZLq+iw==

What the heck? I went to #linuxchix to seek counsel, and rik was around to tell me that that's a hash of the hostnames. He said, "the idea of hashing the hostnames was to stop an exploit [of someone who] got in as one user then using your keys (if you had them in an agent) to ssh in to every other host in your known_hosts file." Which would be a bad thing!

So in the console, I ran ssh-keygen -R zimres.net
and got back: /home/valorie/.ssh/known_hosts updated.
Original contents retained as /home/valorie/.ssh/known_hosts.old

and wooooohooooooooooo I'm in!

Thank you Thomas, rik and the linuxchix!

Thanks to all my commenters, too. Once I knew what was going on, the error message made more sense to me. That's the problem with error messages the first time you see them; you don't know enough to make sense of them. Often I google the error feedback in quotes, and sometimes that gets me the answer I need. Perhaps I should have tried that this time, but whining in IRC worked faster. :-)
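How the hashed lines shown above are built and searched, as an added example rather than code from the post or from OpenSSH: each `|1|salt|hash` field is the base64 salt followed by the base64 HMAC-SHA1 of the host name keyed with that salt, which is why `ssh-keygen -R zimres.net` can find the right entry even though the name is not readable. The sample file, host names and key blobs are constructed placeholders, and wildcard patterns in plain entries are not handled.

```python
import base64
import hashlib
import hmac
import os

def hash_host(host, salt):
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())

def field_matches(field, host):
    """True if one known_hosts host field (hashed or plain) names `host`."""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, hash_b64 = field.split("|")
            salt = base64.b64decode(salt_b64, validate=True)
            want = base64.b64decode(hash_b64, validate=True)
        except ValueError:
            return False  # malformed hashed entry: never a match
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    # Plain (unhashed) entries are a comma-separated list of names/addresses.
    return host in field.split(",")

def find_entries(known_hosts_text, host):
    """Return 1-based line numbers matching `host`, numbered the way ssh
    reports them after 'known_hosts:' in its warning."""
    hits = []
    for lineno, line in enumerate(known_hosts_text.splitlines(), start=1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if parts and field_matches(parts[0], host):
            hits.append(lineno)
    return hits

# Constructed sample file: names, address and key blobs are placeholders.
SAMPLE = "\n".join([
    "# constructed sample",
    hash_host("example.test", os.urandom(20)) + " ssh-rsa AAAAexampleKeyOne",
    hash_host("192.0.2.10", os.urandom(20)) + " ssh-rsa AAAAexampleKeyOne",
    "other.test,192.0.2.20 ssh-rsa AAAAexampleKeyTwo",
    hash_host("example.test", os.urandom(20)) + " ssh-ed25519 AAAAexampleKeyThree",
])

if __name__ == "__main__":
    print({h: find_entries(SAMPLE, h) for h in ("example.test", "192.0.2.10", "absent.test")})
```

The host name and the IP address are hashed as separate entries with separate salts, so a lookup by name does not reveal or remove the entry stored for the address.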

8 comments:

  1. "Offending key for IP in /home/valorie/.ssh/known_hosts:4"
    BTW the :4 refers to line 4 in the file.

  2. The error:
    Offending key for IP in /home/valorie/.ssh/known_hosts:4

    The last digit is the line number. So vi .ssh/known_hosts, 4G, dd, :wq

    Slightly easier :)

  3. Offending key for IP in /home/valorie/.ssh/known_hosts:4 tells you it's line number four you need.

  4. "Offending key for IP in /home/valorie/.ssh/known_hosts:4"

    You just need to remove the 4th line, as indicated at the end of the message: ":4"

  5. "Offending key for IP in /home/valorie/.ssh/known_hosts:4"
    ^^^^
    That line was to tell you it was the 4th key

  6. ssh tells you the exact line in known_hosts which contains the offending key.

    Here it is from your error message:
    Offending key for IP in /home/valorie/.ssh/known_hosts:4

    But of course the ssh-keygen -R is a nice solution too :)

  7. Another thing that you could have done was look at the error code. Specifically, the line that says "Offending key for IP in /home/valorie/.ssh/known_hosts:4". The last part there gives you a colon followed by a number. That line is the one with the key causing the issue. So if you wanted to test it you could comment out that line and try reconnecting. Or just delete the 4th line in this case.

    Hope that helps in the future. Did you contact the hosting company to find out why they changed the key?

  8. So many messages and not one thought of pointing out that the error message tells you which line you had to remove from the known_hosts file! Actually the ":4" in the message tells you just that.

    Anyway I also have something serious to add:

    Edit your /etc/ssh/ssh_config file and change/remove/comment the line that says HashKnownHosts yes. Then lines added in known_hosts in the future will contain the unscrambled host names so that you can tab-complete them etc.
    Hashing host names makes no sense anyway unless you scramble your shell history as well.
