fingerprint

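  1. After a remote host is rebuilt, its host fingerprint changes and ssh can no longer log in. The trusted-host record for it in ~/.ssh/known_hosts must be deleted before the new remote host can be recorded again. Deleting ~/.ssh/known_hosts itself removes every trusted-host record in the file.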
    [dywang@dywssd ~]$ ssh root@kvm7.deyu.wang
    key_from_blob: remaining bytes in key blob 3
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    The RSA host key for kvm7.deyu.wang has changed,
    and the key for the corresponding IP address 192.168.122.7
    is unchanged. This could either mean that
    DNS SPOOFING is happening or the IP address for the host
    and its host key have changed at the same time.
    Offending key for IP in /home/dywang/.ssh/known_hosts:32
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    0b:57:84:7d:e0:62:d8:80:0f:64:58:22:c5:ba:ee:b8.
    Please contact your system administrator.
    Add correct host key in /home/dywang/.ssh/known_hosts to get rid of this message.
    Offending key in /home/dywang/.ssh/known_hosts:33
    Password authentication is disabled to avoid man-in-the-middle attacks.
    Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
    
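  2. The cause: the client stored a record of the server's identity the first time it connected over SSH. If the server is reinstalled, that identity naturally changes, and when the server's key no longer matches what the client recorded, this error message appears. The fix is for the client to regenerate its record by removing the stale entry, so the new key is recorded at the next connection.
    [root@dywH ~]# ssh-keygen -R 192.168.122.7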
    
  3. On a practice system with no other trusted hosts, you can also delete ~/.ssh/known_hosts outright; every trusted-host record in the file is then removed.
    [dywang@dywssd ~]$ rm -f /home/dywang/.ssh/known_hosts
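
Added example (not from the original page): a Python sketch of removing only the stale records, for both the host name and the IP address that the warning flags, while other hosts' records stay in place. It also computes the colon-separated MD5 fingerprint format printed in the warning, so a new key can be compared with one read from the server's console. The key blobs, the hashed entry and `other.example.org` are constructed sample data, and wildcard host patterns are not handled.

```python
import base64, hashlib, hmac

def host_matches(field, host):
    """True if a known_hosts host field names `host` exactly (wildcards not expanded)."""
    if field.startswith("|1|"):  # hashed entry: |1|base64(salt)|base64(HMAC-SHA1(salt, host))
        _, _, salt_b64, hash_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return host in field.split(",")  # plain entry: comma-separated names and addresses

def prune(text, hosts):
    """Remove only the entries for `hosts`; return (kept_text, removed_line_numbers)."""
    kept, removed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        # Comments and @cert-authority/@revoked marker lines are left untouched.
        is_entry = bool(fields) and not fields[0].startswith(("#", "@"))
        if is_entry and any(host_matches(fields[0], h) for h in hosts):
            removed.append(lineno)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def md5_fingerprint(key_b64):
    """Colon-separated MD5 of the decoded key blob, the format shown in the warning."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _blob(data):  # constructed stand-in for a base64 key blob, not a real key
    return base64.b64encode(data).decode()

def _hashed(host, salt=b"constructed-salt-20by"):  # builds a constructed hashed host field
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (_blob(salt), _blob(mac))

# Constructed known_hosts content: one unrelated host, two stale records for the rebuilt one.
SAMPLE = "\n".join([
    "other.example.org ssh-rsa " + _blob(b"other host key"),
    "kvm7.deyu.wang ssh-rsa " + _blob(b"old kvm7 key"),
    _hashed("192.168.122.7") + " ssh-rsa " + _blob(b"old kvm7 key"),
]) + "\n"

if __name__ == "__main__":
    kept, removed = prune(SAMPLE, ["kvm7.deyu.wang", "192.168.122.7"])
    print("removed lines:", removed)
    print(kept, end="")
    # Compare this value with the fingerprint read from the rebuilt server's console.
    print("new key fingerprint:", md5_fingerprint(_blob(b"new kvm7 key")))
```

Recent OpenSSH releases print SHA256 fingerprints by default; the MD5 form is used here because it is the one in the warning above.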