[Info-vax] SSH mysteriously stops working
Ken Fairfield
ken.fairfield at gmail.com
Thu May 19 16:33:02 EDT 2011
On May 19, 8:55 am, hel... at astro.multiCLOTHESvax.de (Phillip Helbig---
undress to reply) wrote:
> In article <d949a$4dd4b9cb$82a13c9d$20... at news1.tudelft.nl>, JOUKJ
>
> <jo... at hrem.nano.tudelft.nl> writes:
> > Did you also try with a "just-created" account which was not used for
> > ssh at all before the test?
>
> Not yet. Maybe I'll have to. Here is the message I get when trying to
> get in from outside. (Contrary to what I mentioned before, OUTGOING
> access seems OK.)
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> The DSA host key for multivax.de has changed,
> and the key for the corresponding IP address 217.226.76.212
> is unchanged. This could either mean that
> DNS SPOOFING is happening or the IP address for the host
> and its host key have changed at the same time.
> Offending key for IP in /home/foobar/.ssh/known_hosts:5
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle
> attack)!
> It is also possible that the DSA host key has just been changed.
> The fingerprint for the DSA key sent by the remote host is
> f1:f2:2f:53:d5:cd:ae:3f:97:90:e5:01:21:33:d4:aa.
> Please contact your system administrator.
> Add correct host key in /home/foobar/.ssh/known_hosts to get rid of this
> message.
> Offending key in /home/foobar/.ssh/known_hosts:1
> DSA host key for multivax.de has changed and you have requested strict
> checking.
> Host key verification failed.
>
> Note that a) I have an IP address which changes usually once a day and
> b) whatever node has the cluster IP address will respond to the incoming
> request. Both the IP address and also the node with the cluster alias
> have changed in the past. SSH probably wasn't meant for this sort of
> setup. Could the problem be that the IP address and the cluster-alias
> node changed at the same time?

When using a cluster alias, you really want all cluster members
to use the same host key. Under:

  HP TCP/IP Services for OpenVMS Alpha Version V5.6 - ECO 3
  on an hp AlphaServer GS1280 7/1300 running OpenVMS V8.3

the ssh hostkey is located in TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2],
where TCPIP$SSH_DEVICE defaults to SYS$SYSDEVICE.

IIRC, you have several system disks in your cluster. So you
really have two choices:

  1) Reconfigure TCPIP$SSH_DEVICE to point to your
     cluster-common disk (I don't know if this is supported
     or feasible...);

  2) Choose one "master" node, and copy its HOSTKEY. and
     HOSTKEY.PUB to the other cluster members' ssh
     directories.

Once the change is made, connecting from your various "outside"
systems will ask you to confirm the new hostkey (except for the
node that you copied from). Just confirm with a "yes" and get
on with your life. :-) [I think this is all that's needed; you may
need to copy the HOSTKEY.PUB to the outside system, but
I think the SSH protocol will do that for you if you confirm that
you want to connect.]

-Ken
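
Added example, not part of the original message: a Python sketch of the comparison behind the quoted warning, where the key offered on the cluster alias differs from the entry stored for the hostname but matches the entry stored for the IP address. The host name cluster.example, the address 192.0.2.10, the key blobs and all function names are constructed for illustration; hashed known_hosts entries are skipped.

```python
import base64
import hashlib

def md5_fingerprint(b64_blob):
    """Colon-separated MD5 of the raw key blob, the format shown in the warning."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def stored_keys(known_hosts_text, name, key_type):
    """Key blobs recorded for `name` (hostname or IP) and key type."""
    blobs = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed (|1|...) entries.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        if name in fields[0].split(",") and fields[1] == key_type:
            blobs.add(fields[2])
    return blobs

def classify(known_hosts_text, host, ip, key_type, offered_blob):
    """Compare the offered key with the entries stored for host and IP."""
    def state(name):
        known = stored_keys(known_hosts_text, name, key_type)
        if not known:
            return "unknown"
        return "match" if offered_blob in known else "changed"
    return {"host": state(host), "ip": state(ip),
            "offered_fingerprint": md5_fingerprint(offered_blob)}

def blob(seed):
    # Constructed placeholder bytes standing in for a DSA public key blob.
    return base64.b64encode(seed).decode()

NODE_A, NODE_B = blob(b"constructed key of node A"), blob(b"constructed key of node B")

# Constructed known_hosts: the name was learned while node A held the alias,
# the current IP was learned while node B held it.
KNOWN_HOSTS = f"""# constructed sample
cluster.example ssh-dss {NODE_A}
192.0.2.10 ssh-dss {NODE_B}
"""
# Constructed "after" state: every member presents node A's key.
SHARED = f"cluster.example,192.0.2.10 ssh-dss {NODE_A}\n"

if __name__ == "__main__":
    # Node B answers on the alias: name entry mismatches, IP entry matches.
    print(classify(KNOWN_HOSTS, "cluster.example", "192.0.2.10", "ssh-dss", NODE_B))
    # With one shared host key, both entries match whichever node answers.
    print(classify(SHARED, "cluster.example", "192.0.2.10", "ssh-dss", NODE_A))
```
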