
Ignore the boring SSH error message - Host identification has changed!

The problem

If you work with virtual machines in clouds, or you run an SSH server in Docker containers, then you've probably met the following error message when making an SSH connection:
(here I'm connecting over SSH to a Docker container)
~$ ssh -p 8822 root@localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:smYv5yA0n9/YrBgJMUCk5dYPWGj7bTpU40M9aFBQ72Y.
Please contact your system administrator.
Add correct host key in /home/jcacek/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/jcacek/.ssh/known_hosts:107
  remove with:
  ssh-keygen -f "/home/jcacek/.ssh/known_hosts" -R [localhost]:8822
ECDSA host key for [localhost]:8822 has changed and you have requested strict checking.
Host key verification failed.
And as a result ssh refuses to connect to the requested server.

The cause is that the host/port combination is already recorded in your ~/.ssh/known_hosts with a different key, and the SSH client is keeping you on the safe side: it won't connect to a server whose host key doesn't match the recorded one, because a silently changed key is exactly what a man-in-the-middle attack looks like. With VMs and containers the key really does change every time a fresh instance comes up on the same address and port, so the client can't tell the two cases apart.
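To make the check behind that warning concrete, here is an added example (my own code, not from the original post and not OpenSSH's implementation) that re-implements the known_hosts lookup in Python: it names the host the way OpenSSH does for a non-default port ("[localhost]:8822"), matches both plain and HashKnownHosts-style hashed entries, derives the SHA256 fingerprint the warning prints from the stored key, and drops an entry the way ssh-keygen -R does. The keys, salt and known_hosts lines are constructed stand-ins (the fingerprint only hashes the encoded blob, so the bytes need not be a real Ed25519 point), and wildcard host patterns are deliberately left out.

```python
import base64
import hashlib
import hmac
import struct


def host_pattern(host: str, port: int = 22) -> str:
    """Name OpenSSH records in known_hosts: bare host for port 22, else "[host]:port"."""
    return host if port == 22 else f"[{host}]:{port}"


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Public-key blob that is base64-encoded in the third known_hosts column."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH's SHA256 fingerprint: base64(sha256(blob)) with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(hostname: str, salt: bytes) -> str:
    """HashKnownHosts-style host field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hostname_matches(host_field: str, hostname: str) -> bool:
    """Does a host field (plain, comma-separated or hashed) cover hostname? No wildcards."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")


def _fields(line: str):
    """[host, key_type, key_b64] of a known_hosts line, or None for blank/comment lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    if parts[0].startswith("@"):        # skip @revoked / @cert-authority markers
        parts = parts[1:]
    return parts[:3] if len(parts) >= 3 else None


def check_host_key(known_hosts: str, hostname: str, key_type: str, offered_fp: str):
    """Compare the fingerprint a server offers with the recorded key of the same type.

    Returns ("ok", line_no), ("changed", line_no) or ("unknown", None);
    "changed" is what triggers REMOTE HOST IDENTIFICATION HAS CHANGED.
    """
    for line_no, line in enumerate(known_hosts.splitlines(), start=1):
        fields = _fields(line)
        if fields is None or fields[1] != key_type or not hostname_matches(fields[0], hostname):
            continue
        stored_fp = fingerprint_sha256(base64.b64decode(fields[2]))
        return ("ok" if stored_fp == offered_fp else "changed", line_no)
    return ("unknown", None)


def forget_host(known_hosts: str, hostname: str) -> str:
    """In-memory equivalent of `ssh-keygen -R hostname`: drop every line for that host."""
    kept = []
    for line in known_hosts.splitlines():
        fields = _fields(line)
        if fields is not None and hostname_matches(fields[0], hostname):
            continue
        kept.append(line)
    return "".join(l + "\n" for l in kept)


# Constructed sample data (assumption: not taken from any real system).
SALT = bytes(range(100, 120))                  # 20-byte salt, the size OpenSSH uses
OLD_KEY = ed25519_blob(bytes(range(32)))       # key of the container that was removed
NEW_KEY = ed25519_blob(bytes(range(32, 64)))   # key of the freshly created container
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample, not a real known_hosts file\n"
    + hash_hostname(host_pattern("localhost", 8822), SALT)
    + " ssh-ed25519 " + base64.b64encode(OLD_KEY).decode() + "\n"
    + "192.168.1.10,vm1 ssh-ed25519 " + base64.b64encode(NEW_KEY).decode() + "\n"
)

if __name__ == "__main__":
    target = host_pattern("localhost", 8822)
    # Same container as before: the recorded key matches.
    print(target, check_host_key(SAMPLE_KNOWN_HOSTS, target, "ssh-ed25519", fingerprint_sha256(OLD_KEY)))
    # Container recreated on the same port: the key changed, which is the warning from above.
    print(target, check_host_key(SAMPLE_KNOWN_HOSTS, target, "ssh-ed25519", fingerprint_sha256(NEW_KEY)))
    # After the ssh-keygen -R equivalent the host is simply unknown again.
    cleaned = forget_host(SAMPLE_KNOWN_HOSTS, target)
    print(target, check_host_key(cleaned, target, "ssh-ed25519", fingerprint_sha256(NEW_KEY)))
```

The point of the hashed-entry branch is that a HashKnownHosts file cannot be grepped for "localhost", which is why the warning tells you the offending line number instead of the host name.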

The obvious solution

Yes, I know. You'll say the message already suggests a solution. Just run
ssh-keygen -f "/home/jcacek/.ssh/known_hosts" -R [localhost]:8822
... and everything works. Or does it? Let's try.
~$ ssh -p 8822 root@localhost
The authenticity of host '[localhost]:8822 ([127.0.0.1]:8822)' can't be established.
ECDSA key fingerprint is SHA256:smYv5yA0n9/YrBgJMUCk5dYPWGj7bTpU40M9aFBQ72Y.
Are you sure you want to continue connecting (yes/no)?
Oh My Java! I have to type "yes". And no, "y", "Y", "yep" etc. don't work.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': Y
Please type 'yes' or 'no': yep
Please type 'yes' or 'no': I give up!
Please type 'yes' or 'no': 
So it's really irritating, and it costs time every time the container or VM is recreated.

The real solution

So what can we do about it? Just add two more options to our ssh command:
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 8822 root@localhost
The UserKnownHostsFile option tells ssh not to use ~/.ssh/known_hosts but the file given as the option value. /dev/null is always empty, so no previously recorded key can conflict with the one the server presents (and the key ssh "permanently adds" after the connection lands in /dev/null too, so the file stays empty and nothing is remembered for next time).

The "no" value of StrictHostKeyChecking disables the "Are you sure you want to continue connecting" question and accepts whatever key the server offers. Note what the two options do together: with a real known_hosts file, StrictHostKeyChecking=no still warns about a changed key and OpenSSH then refuses password authentication and forwarding for that connection; with /dev/null every key counts as new, so the host key is not checked at all.

To make it simpler, just add an alias into your system. E.g. this is a line in my ~/.bash_aliases file:
alias sshx='ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'

Warning

Use this only if you understand the risks of relaxing the SSH host-key check. With these two options ssh accepts any host key from whoever answers on that address and port, so you lose the only protection SSH gives you against a man-in-the-middle on the path to the server: anything you type into the session (passwords included) and anything you forward (an ssh-agent, for example) could be captured. Keep the alias for throwaway containers and VMs on a network you trust, never for hosts reachable over the internet, and scope the relaxation as narrowly as you can (a separate alias as below, or a Host stanza in ~/.ssh/config that matches only those throwaway hosts) rather than turning it on globally.

Comments

expee writes…
You can also use the following in your ~/.ssh/config. The wildcard could also be something like 127.* or 192.168.*

Host *
StrictHostKeyChecking no

Then you don't need aliases and other stuff.
Josef Cacek writes…
The changes in ~/.ssh/config then apply to all connections - until you override them again with the -o switch.

So for me it's simpler to have both options available: the original ssh for the safe variant and the alias sshx for the not-so-safe variant (cases in which IP addresses are reused frequently by VMs).
