DaemonForums

#1
Old 20th December 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,438
Thanked 182 Times in 149 Posts
Remove host key from .ssh/known_hosts file

While I was playing with the OpenBSD autoinstall(8) and reinstalled a couple of OpenBSD virtual machines a few times, I decided to do something about the following:
Code:
$  ssh root@192.168.222.251
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
cf:e1:d1:c2:75:96:f3:db:ef:2b:a9:4d:9e:08:6b:58.
Please contact your system administrator.
Add correct host key in /home/adriaan/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/adriaan/.ssh/known_hosts:30
ECDSA host key for 192.168.222.251 has changed and you have requested strict checking.
Host key verification failed.
When a newly installed system boots, a new set of SSH host keys is generated. The VMs also use DHCP to get an IP address, which is another reason for a host key mismatch with the cached copies in .ssh/known_hosts.

Normally I would do something like
Code:
$ vi .ssh/known_hosts
30G
dd
:x
And then redo the SSH log in.

I came up with a shell script called rm-known_hosts.key that does the same work:
Code:
$  rm-known_hosts.key 30
                                                     
./rm-known_hosts.key: Creating temp file : /home/adriaan/tmp.pOPEkDP9Ce
-rw-------  1 adriaan  adriaan  0 Dec 20 21:56 /home/adriaan/tmp.pOPEkDP9Ce
Showing line nr 30 ......
192.168.222.251 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK106nToXyYV3LfNZg3St7IfRg4AvTxVcJsAK1iOEJGEeG/o7yyaK9bU8zrAx6be1gJnR4Z4WzZYjwHHqoNEobc=
Using sed(1) to copy all lines except line 30 to /home/adriaan/tmp.pOPEkDP9Ce ...

Moving  /home/adriaan/tmp.pOPEkDP9Ce to /home/adriaan/.ssh/known_hosts ...
And then I can log in without that message:
Code:
$  ssh root@192.168.222.251

The authenticity of host '192.168.222.251 (192.168.222.251)' can't be established.
ECDSA key fingerprint is cf:e1:d1:c2:75:96:f3:db:ef:2b:a9:4d:9e:08:6b:58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.222.251' (ECDSA) to the list of known hosts.
root@192.168.222.251's password: 
Last login: Fri Nov 21 23:39:08 2014 from hercules.utp.xnet
OpenBSD 5.6 (GENERIC.MP) #0: Fri Nov 21 23:23:21 CET 2014

Welcome to OpenBSD: The proactively secure Unix-like operating system.
[snip]
The script reads the file with sed(1), removes the line with the offending key and stores the modified contents in a temporary file created with mktemp(1). Then the temp file is moved to .ssh/known_hosts.

Code:
#!/bin/sh
# j65nko - daemonforums.org
# ISC license
#
# remove key from .ssh/known_hosts by line number

# --- verify numeric argument/option: $nr is empty unless $1 is all digits

nr=$(expr "$1" : '\([0-9][0-9]*$\)' )
if [ -z "$nr" ] ; then
   echo "$0: Please specify a line number ..."
   exit 1
fi

FILE="${HOME}/.ssh/known_hosts"

#HOME=/root # for testing error condition

# -- see mktemp(1); the temp file lives in $HOME so that the mv(1) below
#    stays on the same file system as .ssh/known_hosts

printf '%s: Creating temp file : ' "$0"
TEMP=$(env TMPDIR="${HOME}" mktemp) || {
        echo "$0: Cannot create temp file" ; exit 2
}
echo "${TEMP}"

ls -l "${TEMP}"

# show the line that is about to go, then copy every other line to the temp file
cat <<END
Showing line nr $nr ......
$(sed -ne "${nr}p" "${FILE}")
Using sed(1) to copy all lines except line $nr to ${TEMP} ...
$(sed -e "${nr}d" "${FILE}" > "${TEMP}")
Moving  ${TEMP} to ${FILE} ...
END

# for testing error condition
#HOME=/root
#FILE="${HOME}/.ssh/known_hosts"

mv "${TEMP}" "${FILE}" || {
        echo "$0: could not move ${TEMP} to ${FILE} !"
        exit 3
}

# ---  end of script ---
You will have noticed that the script is quite "chatty". Feel free to make it less talkative.
Another improvement could be to remove the temp file when an error occurs.
Attached Files
File Type: sh rm-known_hosts.key.sh (894 Bytes, 14 views)
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 21st December 2014 at 02:55 PM. Reason: Line number coloured in blue
#2
Old 21st December 2014
IdOp IdOp is offline
Too dumb for a smartphone
 
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 671
Thanked 14 Times in 13 Posts

Question: Isn't the difficulty now just moved to finding the line number you want to remove? For example, you could find that by looking at the file with an editor, but then you might as well remove the line in the editor. I also find that the known_hosts file sometimes may have several references to the same machine, with different name variants perhaps (say, foo and foo.lan) and also by IP address. So several lines may need to be removed.
#3
Old 21st December 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,438
Thanked 182 Times in 149 Posts

Because I am consistently lazy I hardly have multiple entries for the same host. And it is not difficult, because the message explicitly mentions the line number:
Code:
Offending ECDSA key in /home/adriaan/.ssh/known_hosts:30
And finding the line with the eyeball method is impossible if you use HashKnownHosts in your .ssh/config.
From ssh_config(5):
Code:
     HashKnownHosts
             Indicates that ssh(1) should hash host names and addresses when
             they are added to ~/.ssh/known_hosts.  These hashed names may be
             used normally by ssh(1) and sshd(8), but they do not reveal
             identifying information should the file's contents be disclosed.
             The default is ``no''.  Note that existing names and addresses in
             known hosts files will not be converted automatically, but may be
             manually hashed using ssh-keygen(1).
So:
Code:
$ tail -1 .ssh/known_hosts

192.168.222.249 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHKXuTGoeWZ1TwAN23cwZzGAfOqjwH1PZTxV+nUppIPnby4P/r1WPYu7M0YmUz2YEKrP0NkNERK3r/Xqc6PpPbU=

$  ssh-keygen -H -f .ssh/known_hosts
.ssh/known_hosts updated.

Original contents retained as .ssh/known_hosts.old
WARNING: .ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames

$  tail -1 .ssh/known_hosts
|1|DsPj+qiYhGO06l1W5yJQ0+J0VyQ=|sgJdo5xHyq3ncwsD8JLffrMOzEo= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHKXuTGoeWZ1TwAN23cwZzGAfOqjwH1PZTxV+nUppIPnby4P/r1WPYu7M0YmUz2YEKrP0NkNERK3r/Xqc6PpPbU=
As you can see, the IP address 192.168.222.249 has now been hashed into |1|DsPj+qiYhGO06l1W5yJQ0+J0VyQ=|sgJdo5xHyq3ncwsD8JLffrMOzEo=
Impossible to find with the eyeball method.

Last edited by J65nko; 21st December 2014 at 01:53 PM.
#4
Old 21st December 2014
IdOp IdOp is offline
Too dumb for a smartphone
 
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 671
Thanked 14 Times in 13 Posts

Thanks for the clear explanation, J65nko. I hadn't noticed the line number being in the error message, and wasn't familiar with the hashing option either. So your approach to the problem makes sense to me now.

For what it's worth, here's an alternate approach that occurred to me overnight. It wouldn't work with hashing turned on, but would remove multiple lines if applicable. First one could look up the relevant key in known_hosts, either using the line number or by supplying the host name or IP instead. Then one could remove all lines containing that key using grep -v (for example).

Quote:
Originally Posted by J65nko
Because I am consistently lazy I hardly have multiple entries for the same host.
Maybe my problem is being inconsistently lazy.
#5
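IdOp's grep -v idea and the temp-file cleanup J65nko lists as a possible improvement in the first post, put together as an added example (this is not the script attached to post #1 nor code from either poster): given the line number ssh(1) reports, or a host name, it takes the key field from that entry and drops every unhashed line that carries the same key, so the foo / foo.lan / IP-address variants go in one pass. The file is rewritten through a 0600 temp file in the same directory, renamed over the original, and removed if anything fails. The known_hosts contents and the key strings are constructed for the example.

```python
"""Drop every known_hosts line that carries a given host key.

Example added to this thread; it is not the script attached to post #1.
"""
import os
import shutil
import tempfile

# Constructed sample: three names for one machine (foo, foo.lan and its
# address) share a key, one unrelated host has its own. Key strings are made up.
SAMPLE_KNOWN_HOSTS = """\
foo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYOFFOOCONSTRUCTED
bar ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYOFBARCONSTRUCTED
foo.lan,192.168.222.251 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYOFFOOCONSTRUCTED
192.168.222.251 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYOFFOOCONSTRUCTED
"""


def parse_line(line):
    """Return (names, keytype, key) for one known_hosts line, or None for a
    blank or comment line. The first field may list comma-separated aliases."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    if fields[0].startswith("@"):          # @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        return None
    return fields[0].split(","), fields[1], fields[2]


def key_on_line(lines, line_number):
    """Key field of the 1-based line ssh(1) reports as 'known_hosts:NN'."""
    parsed = parse_line(lines[line_number - 1])
    if parsed is None:
        raise ValueError("line %d holds no host key" % line_number)
    return parsed[2]


def key_for_host(lines, host):
    """Key of the first unhashed line whose alias list names host.
    Hashed (|1|...) first fields never match here; ssh-keygen -R handles those."""
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and host in parsed[0]:
            return parsed[2]
    raise ValueError("no unhashed entry for %s" % host)


def drop_lines_with_key(lines, key):
    """grep -v on the key, but comparing the key field only, so a key that is a
    substring of some other line cannot cause a false removal."""
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and parsed[2] == key:
            continue
        kept.append(line)
    return kept


def rewrite_known_hosts(path, key):
    """Replace path with a copy lacking key. The copy goes to a 0600 temp file
    in the same directory and is renamed over the original, so a crash leaves
    either the old or the new file, never a half-written one; on failure the
    temp file is removed. Returns the number of lines dropped."""
    with open(path) as fh:
        lines = fh.readlines()
    kept = drop_lines_with_key(lines, key)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as out:
            out.writelines(kept)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return len(lines) - len(kept)


def demo():
    """Run the sample through a scratch file as if ssh(1) had complained about
    line 4. Returns (lines removed, first name of every line that is left)."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "known_hosts")
        with open(path, "w") as fh:
            fh.write(SAMPLE_KNOWN_HOSTS)
        lines = SAMPLE_KNOWN_HOSTS.splitlines(keepends=True)
        removed = rewrite_known_hosts(path, key_on_line(lines, 4))
        with open(path) as fh:
            left = [parse_line(l)[0][0] for l in fh if parse_line(l) is not None]
    finally:
        shutil.rmtree(workdir)
    return removed, left


if __name__ == "__main__":
    print(demo())   # (3, ['bar'])
```

Matching on the key field rather than the whole line is what makes this safe with aliases: the three lines for foo share one key and all go, while bar stays untouched.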
Old 22nd December 2014
scottro scottro is offline
Real Name: Scott Robbins
VPN Cryptographer
 
Join Date: Apr 2008
Location: NYC
Posts: 439
Thanked 31 Times in 25 Posts

Meh, I always do sed -i '' 'whateverd' .ssh/known_hosts. (That's on FreeBSD where the -i option needs something, in this case, two single quotes. In Linux, one can just do sed -i, and I don't know what one does in OpenBSD.)
#6
Old 22nd December 2014
ibara ibara is offline
BSDCan Attendee
 
Join Date: Jan 2014
Posts: 373
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by scottro View Post
and I don't know what one does in OpenBSD.
perl -pi -e
or
sed > tmpfile && tmpfile > origfile && rm tmpfile
(Perl is part of OpenBSD base, unlike FreeBSD.)
#7
Old 22nd December 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,438
Thanked 182 Times in 149 Posts

Too much typing. Actually I have a symlink called rmhk:
Code:
lrwxr-xr-x  1 adriaan  adriaan  20 Dec 22 01:42 rmhk -> ./rm-known_hosts.key
If you don't need my script you can always use ex(1):
Code:
[adriaan@hercules]~: cat monkey
line 1
line 2
line 3
line 4
[adriaan@hercules]~: ex monkey
monkey: unmodified: line 4
:2d
line 3
:x
monkey: 3 lines, 21 characters
[adriaan@hercules]~: cat monkey
line 1
line 3
line 4
#8
Old 22nd December 2014
scottro scottro is offline
Real Name: Scott Robbins
VPN Cryptographer
 
Join Date: Apr 2008
Location: NYC
Posts: 439
Thanked 31 Times in 25 Posts

Well, less typing than ibara on sed, but more on perl. (But I don't know perl, so, were I on my own, googling how to remove the line would have taken longer.)

To be more specific, I meant that I don't know if OpenBSD's version of sed is like Linux, where one can type sed -i without having to put the ' ' as one does in FreeBSD's version of sed, or not, but I hadn't thought of perl.

Last edited by scottro; 22nd December 2014 at 02:24 AM.
#9
Old 22nd December 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,438
Thanked 182 Times in 149 Posts

OpenBSD sed(1) does not support the -i option at all.
Old 1 Week Ago
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,438
Thanked 182 Times in 149 Posts

Yesterday, when reading ssh-keygen(1) I noticed that this command has an option to remove a host from .ssh/known_hosts:

Code:
     -R hostname
             Removes all keys belonging to hostname from a known_hosts file.
             This option is useful to delete hashed hosts (see the -H option
             above).
When logging in to a newly created OpenBSD VM I saw the familiar warning:

Code:
$ ssh kvm.utp.xnet
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for kvm.utp.xnet has changed,
and the key for the corresponding IP address 192.168.222.230
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
b1:5b:ee:26:25:e6:eb:a7:cd:26:8b:08:d4:53:ff:f5.
Please contact your system administrator.
Add correct host key in /home/adriaan/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/adriaan/.ssh/known_hosts:35
ECDSA host key for kvm.utp.xnet has changed and you have requested strict checking.
Host key verification failed.
Now removing that host entry with ssh-keygen:

Code:
$ ssh-keygen -R kvm.utp.xnet
# Host kvm.utp.xnet found: line 35 type ECDSA
/home/adriaan/.ssh/known_hosts updated.
Original contents retained as /home/adriaan/.ssh/known_hosts.old
And I could login without a problem ...
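How a hashed entry is matched, as an added example that is not part of the thread or of OpenSSH: with HashKnownHosts the host field becomes |1|base64(salt)|base64(HMAC-SHA1(salt, host)), so ssh(1) and ssh-keygen -R (post #3 and the last post above) find a host by reusing the salt stored in the field and recomputing the HMAC over the name you give, which is what makes the line findable when the eyeball method is not. The sample lines, the fixed salt and the key strings on the first two lines are constructed; the third line is the hashed entry J65nko posted in post #3.

```python
"""Match a host name against HashKnownHosts entries.

Example added to this thread; it is not OpenSSH code or a poster's script.
"""
import base64
import hashlib
import hmac

HASH_MAGIC = "|1|"      # prefix OpenSSH puts in front of a hashed host field


def hash_host(host, salt):
    """Build the field written with HashKnownHosts yes:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host)), salt being 20 bytes."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode() + "|"
            + base64.b64encode(digest).decode())


def hashed_field_matches(field, host):
    """True if field was produced from host: reuse the stored salt, recompute
    the HMAC over the candidate name and compare digests in constant time.
    A malformed field simply does not match."""
    if not field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, digest_b64 = field[len(HASH_MAGIC):].split("|", 1)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return False
    actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def find_host_lines(lines, host):
    """1-based numbers of the lines whose host field names host, whether that
    field is plain (possibly comma-separated aliases) or hashed. This is the
    lookup behind 'ssh-keygen -R host' reporting 'found: line NN'."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):   # @cert-authority / @revoked marker
            fields = fields[1:]
        if not fields:
            continue
        names = fields[0]
        if names.startswith(HASH_MAGIC):
            if hashed_field_matches(names, host):
                hits.append(number)
        elif host in names.split(","):
            hits.append(number)
    return hits


# Constructed sample: a plain entry, the same host hashed here with a fixed
# salt (OpenSSH draws a random one), and the hashed line from post #3.
# The key strings on the first two lines are made up.
FIXED_SALT = bytes(range(20))
SAMPLE_LINES = [
    "kvm.utp.xnet ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYCONSTRUCTED\n",
    hash_host("kvm.utp.xnet", FIXED_SALT)
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYCONSTRUCTED\n",
    "|1|DsPj+qiYhGO06l1W5yJQ0+J0VyQ=|sgJdo5xHyq3ncwsD8JLffrMOzEo= "
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHKX"
    "uTGoeWZ1TwAN23cwZzGAfOqjwH1PZTxV+nUppIPnby4P/r1WPYu7M0YmUz2YEKrP0NkNERK3r/"
    "Xqc6PpPbU=\n",
]


if __name__ == "__main__":
    print(find_host_lines(SAMPLE_LINES, "kvm.utp.xnet"))      # [1, 2]
    # the line post #3 shows being hashed from 192.168.222.249
    print(find_host_lines(SAMPLE_LINES, "192.168.222.249"))
```

The salt is per line, so the same host hashes differently on every line and there is nothing to grep for; the only way to locate an entry is to recompute the HMAC for a name you already know, which is exactly what the -R option does for you.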