DaemonForums > Miscellaneous > Guides (All Guides and HOWTO's)

#1, 20th December 2014
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,128)

Remove host key from .ssh/known_hosts file

While I was playing with the OpenBSD autoinstall(8) and reinstalled a couple of OpenBSD virtual machines a few times, I decided to do something about the following:
Code:
$  ssh root@192.168.222.251
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
cf:e1:d1:c2:75:96:f3:db:ef:2b:a9:4d:9e:08:6b:58.
Please contact your system administrator.
Add correct host key in /home/adriaan/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/adriaan/.ssh/known_hosts:30
ECDSA host key for 192.168.222.251 has changed and you have requested strict checking.
Host key verification failed.
When a newly installed system boots, a set of new SSH host keys will be generated. The VMs also use DHCP to get an IP address, and this is another reason for a host key mismatch with the cached copies in .ssh/known_hosts.

Normally I would do something like
Code:
$ vi .ssh/known_hosts
30G
dd
:x
And then redo the SSH log in.

I came up with a shell script called rm-known_hosts-key that does the same work:
Code:
$  rm-known_hosts.key 30
./rm-known_hosts.key: Creating temp file : /home/adriaan/tmp.pOPEkDP9Ce
-rw-------  1 adriaan  adriaan  0 Dec 20 21:56 /home/adriaan/tmp.pOPEkDP9Ce
Showing line nr 30 ......
192.168.222.251 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK106nToXyYV3LfNZg3St7IfRg4AvTxVcJsAK1iOEJGEeG/o7yyaK9bU8zrAx6be1gJnR4Z4WzZYjwHHqoNEobc=
Using sed(1) to copy all lines except line 30 to /home/adriaan/tmp.pOPEkDP9Ce ...

Moving  /home/adriaan/tmp.pOPEkDP9Ce to /home/adriaan/.ssh/known_hosts ...
And then I can log in without that message:
Code:
$  ssh root@192.168.222.251

The authenticity of host '192.168.222.251 (192.168.222.251)' can't be established.
ECDSA key fingerprint is cf:e1:d1:c2:75:96:f3:db:ef:2b:a9:4d:9e:08:6b:58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.222.251' (ECDSA) to the list of known hosts.
root@192.168.222.251's password: 
Last login: Fri Nov 21 23:39:08 2014 from hercules.utp.xnet
OpenBSD 5.6 (GENERIC.MP) #0: Fri Nov 21 23:23:21 CET 2014

Welcome to OpenBSD: The proactively secure Unix-like operating system.
[snip]
The script reads the file with sed(1), removes the line with the offending key and stores the modified contents in a temporary file created with mktemp(1). Then the temp file is moved to .ssh/known_hosts.

Code:
#!/bin/sh
# j65nko - daemonforums.org
# ISC license
#
# remove key from .ssh/known_hosts by line number

# --- verify numeric argument/option (expr prints the match only if $1 is all digits)

nr=$(expr "$1" : '\([0-9][0-9]*$\)' )
if [ -z "$nr" ] ; then
   echo "$0: Please specify a line number ..."
   exit 1
fi

FILE="${HOME}/.ssh/known_hosts"

#HOME=/root # for testing error condition

# -- see mktemp(1); the temp file is created in $HOME with mode 0600

printf '%s: Creating temp file : ' "$0"
TEMP=$(env TMPDIR="${HOME}" mktemp) || {
        echo "$0: Cannot create temp file" ; exit 2
}
echo "${TEMP}"

ls -l "${TEMP}"

# --- show the offending line, then copy every other line to the temp file

cat <<END
Showing line nr ${nr} ......
$(sed -ne "${nr}p" "${FILE}")
Using sed(1) to copy all lines except line ${nr} to ${TEMP} ...
$(sed -e "${nr}d" "${FILE}" > "${TEMP}")
Moving  ${TEMP} to ${FILE} ...
END

# for testing error condition
#HOME=/root
#FILE="${HOME}/.ssh/known_hosts"

mv "${TEMP}" "${FILE}" || {
        echo "$0: could not move ${TEMP} to ${FILE} !"
        exit 3
}

# ---  end of script ---
You will have noticed that the script is quite "chatty". Feel free to make it less talkative.
Another improvement could be to remove the temp file when an error occurs.
Attached Files
File Type: sh rm-known_hosts.key.sh (894 Bytes, 102 views)

Last edited by J65nko; 21st December 2014 at 02:55 PM. Reason: Line number coloured in blue
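The post's two suggested improvements (less chatter, and cleaning up the temp file on error) are easy to fold into the same approach. The script below is an added example written for this page, not J65nko's rm-known_hosts.key: it takes the known_hosts path as an argument instead of hard-coding $HOME/.ssh/known_hosts, validates the line number against the file length, creates the temp file next to the target so the final mv(1) is an atomic rename, removes the temp file if any step fails, and keeps the previous file as known_hosts.old so the removed key can still be compared with the new one. It assumes POSIX sh, sed(1) and mktemp(1); the function name and return codes are this example's own.

```shell
#!/bin/sh
# Added example (not the original rm-known_hosts.key script): delete one line
# from a known_hosts file by line number. Assumes POSIX sh, sed(1) and mktemp(1).
# The function name and the exit codes are this example's own choice.

# Usage: rm_known_hosts_line <known_hosts-file> <line-number>
# Returns 0 on success, 1 on bad arguments, 2 on temp-file or rename failure.
rm_known_hosts_line() {
    file=$1
    nr=$2

    # Positive decimal integer only: reject empty, non-digits, and a leading 0.
    case "$nr" in
        ''|*[!0-9]*|0*)
            echo "rm_known_hosts_line: line number must be a positive integer" >&2
            return 1 ;;
    esac
    [ -f "$file" ] || { echo "rm_known_hosts_line: $file: no such file" >&2; return 1; }

    # sed '$=' prints the number of the last line (an unterminated last line counts too).
    total=$(sed -n '$=' "$file")
    total=${total:-0}
    if [ "$nr" -gt "$total" ]; then
        echo "rm_known_hosts_line: $file has only $total lines" >&2
        return 1
    fi

    # Show the entry about to go, so it can be matched against the
    # "Offending ... key in known_hosts:N" line of the ssh warning.
    printf 'Removing line %s: ' "$nr"
    sed -n "${nr}p" "$file"

    # Temp file in the same directory: mv(1) below is then a rename on the
    # same filesystem, not a copy. mktemp creates it with mode 0600.
    dir=$(dirname "$file")
    tmp=$(mktemp "$dir/known_hosts.XXXXXX") || return 2

    if ! sed "${nr}d" "$file" > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi

    # Keep the previous file as known_hosts.old, then replace the original.
    if ! cp -p "$file" "$file.old" || ! mv "$tmp" "$file"; then
        rm -f "$tmp"
        return 2
    fi
    return 0
}

# Run as a script: sh rm_known_hosts_line.sh ~/.ssh/known_hosts 30
if [ "$#" -eq 2 ]; then
    rm_known_hosts_line "$1" "$2"
fi
```

Two notes for everyday use. OpenSSH ships its own tool for the common case: ssh-keygen -R 192.168.222.251 removes every entry for that host (or IP) from ~/.ssh/known_hosts and leaves the previous file as known_hosts.old, and ssh-keygen -F 192.168.222.251 shows which entries match, so a line number is only needed when you want to remove exactly one entry. Second, the warning is only harmless when you know why the key changed: for a freshly reinstalled VM, comparing the fingerprint in the warning with the output of ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the VM's console confirms that the new key really belongs to the new install before you accept it.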