[Info-vax] SSH mysteriously stops working
JOUKJ
joukj at hrem.nano.tudelft.nl
Fri May 20 03:26:50 EDT 2011
Ken Fairfield wrote:
> On May 19, 8:55 am, hel... at astro.multiCLOTHESvax.de (Phillip Helbig---
> undress to reply) wrote:
>> In article <d949a$4dd4b9cb$82a13c9d$20... at news1.tudelft.nl>, JOUKJ
>>
>> <jo... at hrem.nano.tudelft.nl> writes:
>>> Did you also try with a "just-created" account which was not used for
>>> ssh at all before the test?
>> Not yet. Maybe I'll have to. Here is the message I get when trying to
>> get in from outside. (Contrary to what I mentioned before, OUTGOING
>> access seems OK.)
>>
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> The DSA host key for multivax.de has changed,
>> and the key for the corresponding IP address 217.226.76.212
>> is unchanged. This could either mean that
>> DNS SPOOFING is happening or the IP address for the host
>> and its host key have changed at the same time.
>> Offending key for IP in /home/foobar/.ssh/known_hosts:5
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>> Someone could be eavesdropping on you right now (man-in-the-middle
>> attack)!
>> It is also possible that the DSA host key has just been changed.
>> The fingerprint for the DSA key sent by the remote host is
>> f1:f2:2f:53:d5:cd:ae:3f:97:90:e5:01:21:33:d4:aa.
>> Please contact your system administrator.
>> Add correct host key in /home/foobar/.ssh/known_hosts to get rid of this
>> message.
>> Offending key in /home/foobar/.ssh/known_hosts:1
>> DSA host key for multivax.de has changed and you have requested strict
>> checking.
>> Host key verification failed.
>>
>> Note that a) I have an IP address which changes usually once a day and
>> b) whatever node has the cluster IP address will respond to the incoming
>> request. Both the IP address and also the node with the cluster alias
>> have changed in the past. SSH probably wasn't meant for this sort of
>> setup. Could the problem be that the IP address and the cluster-alias
>> node changed at the same time?
>
> When using a cluster alias, you really want all cluster members
> to use the same host key. Under:
>
> HP TCP/IP Services for OpenVMS Alpha Version V5.6 - ECO 3
> on an hp AlphaServer GS1280 7/1300 running OpenVMS V8.3
>
> the ssh hostkey is located in TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2],
> where TCPIP$SSH_DEVICE defaults to SYS$SYSDEVICE.
>
> IIRC, you have several system disks in your cluster. So you
> really have two choices:
>
> 1) Reconfigure TCPIP$SSH_DEVICE to point to your
> cluster-common disk (I don't know if this is supported
> or feasible...);
>
> 2) Choose one "master" node, and copy its HOSTKEY. and
> HOSTKEY.PUB to the other cluster members' ssh
> directories.
>
> Once the change is made, connecting from your various "outside"
> systems will ask you to confirm the new hostkey (except for the
> node that you copied from). Just confirm with a "yes" and get
> on with your life. :-) [I think this is all that's needed; you may
> need to copy the HOSTKEY.PUB to the outside system, but
> I think the SSH protocol will do that for you if you confirm that
> you want to connect.]
>
> -Ken
Note that the information on the Linux system should also be adapted,
because you still have the "old" information in the
/home/foobar/.ssh/known_hosts file. Delete the offending lines from this
file. The error message above is not generated by your VMS cluster but
by your Linux system, which detects a "wrong" key.
If you do not use your IP addresses/names for systems other than the
cluster (i.e. never ssh to a Linux system from Linux with any of these
addresses), Ken's solution will work after the modification of the
known_hosts file.
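
The known_hosts cleanup described above, as an added example that is not part of the original message: it removes only those entries for the given names whose MD5 fingerprint differs from one confirmed out-of-band with the administrator. The key blobs, `other.example.org` and all function names are constructed for illustration; hashed host names are skipped rather than matched.

```python
import base64
import hashlib

def md5_fingerprint(b64_key):
    """Colon-separated MD5 fingerprint, the format shown in the warning banner."""
    digest = hashlib.md5(base64.b64decode(b64_key)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse(text):
    """Yield (line_no, host_names, key_type, fingerprint) for plain host entries."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):   # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue                    # malformed, or hashed host name (not matched here)
        yield no, fields[0].split(","), fields[1], md5_fingerprint(fields[2])

def prune(text, names, trusted_fp):
    """Drop entries for `names` whose key differs from the fingerprint confirmed
    out-of-band; return (new_text, removed_line_numbers)."""
    stale = {no for no, hosts, _, fp in parse(text)
             if set(hosts) & set(names) and fp != trusted_fp}
    lines = text.splitlines()
    kept = [l for no, l in enumerate(lines, 1) if no not in stale]
    return "\n".join(kept) + "\n", sorted(stale)

def _key(seed):
    """Constructed key blob for the sample below, not a real DSA key."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-dss" + seed).decode()

NEW = _key(b"shared-cluster-key")   # stands in for the key copied to all nodes
SAMPLE = "\n".join([                # constructed known_hosts content
    "multivax.de ssh-dss " + _key(b"node-a-old-key"),     # line 1
    "# entries below added later",
    "other.example.org ssh-dss " + _key(b"unrelated"),
    "",
    "217.226.76.212 ssh-dss " + _key(b"node-b-old-key"),  # line 5
    "multivax.de ssh-dss " + NEW,                          # already correct, kept
]) + "\n"

if __name__ == "__main__":
    text, removed = prune(SAMPLE, ["multivax.de", "217.226.76.212"], md5_fingerprint(NEW))
    print("removed lines:", removed)    # line numbers as ssh reports them
    print(text, end="")
```

OpenSSH's own `ssh-keygen -R multivax.de` removes every entry for a name regardless of fingerprint.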