Yesterday, when reading
ssh-keygen(1) I noticed that this command has an option to remove a host from
.ssh/known_hosts:
Code:
-R hostname
Removes all keys belonging to hostname from a known_hosts file.
This option is useful to delete hashed hosts (see the -H option
above).
When logging in to newly created OpenBSD vm I saw the familiar warning:
Code:
$ ssh kvm.utp.xnet
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for kvm.utp.xnet has changed,
and the key for the corresponding IP address 192.168.222.230
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
b1:5b:ee:26:25:e6:eb:a7:cd:26:8b:08:d4:53:ff:f5.
Please contact your system administrator.
Add correct host key in /home/adriaan/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/adriaan/.ssh/known_hosts:35
ECDSA host key for kvm.utp.xnet has changed and you have requested strict checking.
Host key verification failed.
Now removing that host entry with
$ ssh-keygen:
Code:
$ ssh-keygen -R kvm.utp.xnet
# Host kvm.utp.xnet found: line 35 type ECDSA
/home/adriaan/.ssh/known_hosts updated.
Original contents retained as /home/adriaan/.ssh/known_hosts.old
And I could login without a problem ...