View Single Post
  #1   (View Single Post)  
Old 20th December 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,503
Default Remove host key from .ssh/known_hosts file

While I was playing with the OpenBSD autoinstall(8) and reinstalled a couple of OpenBSD virtual machines a few times, I decided to do something about the following:
Code:
$  ssh root@192.168.222.251
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
cf:e1:d1:c2:75:96:f3:db:ef:2b:a9:4d:9e:08:6b:58.
Please contact your system administrator.
Add correct host key in /home/adriaan/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/adriaan/.ssh/known_hosts:30
ECDSA host key for 192.168.222.251 has changed and you have requested strict checking.
Host key verification failed.
When a new installed system boots a set of new SSH host keys will be generated. The VMs also use DHCP to get an IP address and this is another reason for a host key mismatched with the cached copies in .ssh/known_hosts

Normally I would something like
Code:
$ vi .ssh/known_hosts
30G
dd
:x
And then redo the SSH log in.

I came up with a shell script called rm-known_hosts-key that does the same work :
Code:
$  rm-known_hosts.key 30
                                                     
./rm-known_hosts.key: Creating temp file : /home/adriaan/tmp.pOPEkDP9Ce
-rw-------  1 adriaan  adriaan  0 Dec 20 21:56 /home/adriaan/tmp.pOPEkDP9Ce
Showing line nr 30 ......
192.168.222.251 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK106nToXyYV3LfNZg3St7IfRg4AvTxVcJsAK1iOEJGEeG/o7yyaK9bU8zrAx6be1gJnR4Z4WzZYjwHHqoNEobc=
Using sed(1) to copy all lines except line 30 to /home/adriaan/tmp.pOPEkDP9Ce ...

Moving  /home/adriaan/tmp.pOPEkDP9Ce to /home/adriaan/.ssh/known_hosts ...
And then I can log in without that message:
Code:
$  ssh root@192.168.222.251

The authenticity of host '192.168.222.251 (192.168.222.251)' can't be established.
ECDSA key fingerprint is cf:e1:d1:c2:75:96:f3:db:ef:2b:a9:4d:9e:08:6b:58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.222.251' (ECDSA) to the list of known hosts.
root@192.168.222.251's password: 
Last login: Fri Nov 21 23:39:08 2014 from hercules.utp.xnet
OpenBSD 5.6 (GENERIC.MP) #0: Fri Nov 21 23:23:21 CET 2014

Welcome to OpenBSD: The proactively secure Unix-like operating system.
[snip]
The script reads the file with sed(1) and removes the line with the offending key and stores the modified contents in temporary file created with mktemp(1). Then the temp file is moved to .ssh/known_hosts.

Code:
#!/bin/sh
# j65nko - daemonforums.org
# ISC license
#
# remove key from .ssh/known_hosts by line number

# --- verify numeric argument/option

nr=$(expr "$1" : '\([0-9][0-9]*$\)' )
if [ -z "$nr" ] ; then 
   echo $0: echo Please specify a line number ...
   exit 1 
fi

FILE="${HOME}/.ssh/known_hosts"

#HOME=/root # for testing error condition 

# -- see mktemp(1)

printf "$0: Creating temp file : " 
TEMP=$(env TMPDIR=${HOME} mktemp) || {
        echo $0: Cannot create temp file ; exit 2 
}
echo ${TEMP}

ls -l ${TEMP}

cat <<END
Showing line nr $1 ......
$(sed -ne "$1p" ${FILE})
Using sed(1) to copy all lines except line $1 to ${TEMP} ...
$(sed -e "$1d" ${FILE} > ${TEMP})
Moving  ${TEMP} to ${FILE} ...
END

# for testing error condition
#HOME=/root 
#FILE="${HOME}/.ssh/known_hosts"

mv ${TEMP} ${FILE} || { 
        echo $0: could not move ${TEMP} to ${FILE} !
        exit 3
} 

# ---  end of script ---
You will have noticed that the script is quite "chatty". Feel free to make it less talkative
Another improvement could be to remove the temp file when an error occurs.
Attached Files
File Type: sh rm-known_hosts.key.sh (894 Bytes, 47 views)
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 21st December 2014 at 02:55 PM. Reason: Line number coloured in blue
Reply With Quote