
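When a client connects to a host over SSH, it is asked to accept the host's key, which is then stored on the client in the ~/.ssh/known_hosts file.

If you connect to many different hosts, known_hosts accumulates many entries.

However, if a server is reinstalled, the new server's host key no longer matches what is stored in known_hosts, and the next connection attempt fails with the error below: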

conbar@conbar-laptop:~$ ssh root@10.10.10.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
6e:65:e0:be:95:2d:a0:77:35:8c:d8:e2:28:d3:42:41.
Please contact your system administrator.
Add correct host key in /home/conbar/.ssh/known_hosts to get rid of this message.
Offending key in /home/conbar/.ssh/known_hosts:10
RSA host key for 10.10.10.1 has changed and you have requested strict checking.
Host key verification failed.


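At this point, the simplest approach is to delete the known_hosts file; the host keys are then recorded again the next time you connect to each host. Note that this discards the stored keys of every host, not just the reinstalled one, and, as the warning itself says, a changed key can also mean a man-in-the-middle attack, so first confirm that the server really was reinstalled.

If you do not want to delete everything, you can use ssh-keyscan to fetch that host's key
(the host names in known_hosts entries are encoded (hashed), so you cannot tell directly which entry belongs to which IP):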
conbar@conbar-laptop:~$ ssh-keyscan 10.10.10.1
# 10.10.10.1 SSH-2.0-OpenSSH_4.3
10.10.10.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3vjUjZKhTxZcJmrRkKTCv3cqXamDAltBPEutcxZ/2fnh9CFlCeEPiA7oJsvW0zXMfJojBacw/yUDxhvG0FQoh/TWV+8dw6s8/rbDv6KCwA0j182b42eAblzn0zvmvTowT/Ivb6v/m7ZewVBAvI4UsSOUZselbL44NxMVfg7UrF/q6xHD9D3J5dZnD1flGj/j/yA1bSjpFIZAcioZG5eCw20CzwLe7hWeKCxqhPm75Mxu5W4B8tWyr5/IIsVyu+12QhO/PJGi9o3tRWtyuFH+D8YkNY9oQiMS6kDakhSdvZyA7JD4GeXvzL5MrDBzreq2yX7eDP3S+X8993bh705G8Q==
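Then go into known_hosts and delete the matching entry. The "Offending key in /home/conbar/.ssh/known_hosts:10" line of the warning also gives the line number of that entry.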


In practice, the most convenient approach is to remove that host's entry with ssh-keygen -R.

conbar@conbar-laptop:~$ ssh-keygen -R 10.10.10.1
/home/conbar/.ssh/known_hosts updated.
Original contents retained as /home/conbar/.ssh/known_hosts.old  

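When you reconnect, the error no longer appears, but the host key has to be accepted again. Compare the fingerprint shown with one obtained from the server itself before answering yes.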
conbar@conbar-laptop:~$ ssh root@10.10.10.1
The authenticity of host '10.10.10.1 (10.10.10.1)' can't be established.
RSA key fingerprint is 6e:65:e0:be:95:2d:a0:77:35:8c:d8:e2:28:d3:42:41.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.1' (RSA) to the list of known hosts.
root@10.10.10.1's password: 
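
The note above about encoded known_hosts entries, and what removing a single host (as ssh-keygen -R does) involves, shown as an added Python example that is not from the original post or from OpenSSH. It assumes the hashed `|1|salt|hash` entry format (HMAC-SHA1 of the host name keyed with the salt); the function names, salt and key blobs are constructed for illustration.

```python
import base64
import hashlib
import hmac

def hash_host(host, salt):
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def entry_matches(field, host):
    """True if the first field of a known_hosts line names this host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    # Unhashed entry: comma-separated names (wildcards and [host]:port not handled here).
    return host in field.split(",")

def find_host(lines, host):
    """1-based line numbers of entries for host, like 'Offending key in ...:10'."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if fields and entry_matches(fields[0], host):
            hits.append(number)
    return hits

def remove_host(lines, host):
    """Drop only this host's entries and keep every other stored key."""
    drop = set(find_host(lines, host))
    return [line for number, line in enumerate(lines, 1) if number not in drop]

def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint of a key blob, the format in the warning."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed sample: placeholder blobs, not real host keys.
KEY_A = base64.b64encode(b"constructed-key-A").decode()
KEY_B = base64.b64encode(b"constructed-key-B").decode()
SAMPLE = [
    hash_host("10.10.10.1", b"constructed-salt-001") + " ssh-rsa " + KEY_A,
    "192.0.2.7,example.test ssh-rsa " + KEY_B,
]
```

Applying md5_fingerprint to the key that ssh-keyscan prints gives a value that can be compared with a fingerprint read on the server's own console before the new key is trusted.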

Posted by 來自大海的心 on PIXNET