What is host key in linux

3 ways to fix Host key verification failed in ssh

If you’ve ever tried to connect to a remote server using ssh, and received an error message that says “Host key verification failed,” you know how frustrating it can be. This article will show you three ways to fix the problem.

What is a Host Key in SSH?

A Host key is a unique identifier that is used to verify the identity of a remote host. When you connect to a remote host, the Host key is verified against a list of known Host keys. If there is a match, the connection will be allowed to proceed. If there is not a match, the connection will be denied.

The Host key is also used to generate a cryptographic signature for each connection. This signature is used to verify the integrity of the data that is transferred between the client and server.

Understanding error message Host key verification failed

If you receive the error message “Host key verification failed”, it means that the key presented by the host you’re trying to connect to no longer matches the key stored for it. This is often caused by connecting to a different server than the one you originally connected to (for example, your server has been rebuilt as a new one).

Whenever we connect to a server via SSH, that server’s public key is stored in our home directory. The file is called known_hosts.

This file is local to the user account and contains the known keys for remote hosts. These are collected from the hosts when connecting for the first time.

The keys stored in ~/.ssh/known_hosts are used to verify the identity of the remote host, thus protecting against impersonation or man-in-the-middle attacks.

When we reconnect to the same server, ssh verifies that the server's current public key matches the one saved in our known_hosts file. If there is a match, the connection will proceed. If the match fails, ssh aborts the connection with the error message “Host key verification failed”.

Example of Host key verification failed

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!

It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is x.
Please contact your system administrator.
Add correct host key in /home/ec2-user/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/ec2-user/.ssh/known_hosts:222
RSA host key for www.howtouselinux.com has changed and you have requested strict checking.
Host key verification failed.


Methods to fix problem of Host key verification failed

Host key verification failed error occurs when the server’s host key does not match the key that was expected. This can happen when the server’s key has been changed, or when the key has been compromised.

Here are three ways to fix this Host key verification failed error.

  • Manually edit the “~/.ssh/known_hosts” file and remove the old key for the host you’re trying to connect to. This will allow you to connect to the new server without any problems.
  • Use the “ssh-keygen -R” command to remove the old key from your “~/.ssh/known_hosts” file. This will allow you to connect to the new server without any problems.
  • Use the “-o StrictHostKeyChecking=no” option when connecting to the server. This will prevent ssh from checking the “~/.ssh/known_hosts” file, and will allow you to connect to the new server without any problems.

Remove old host key info from known_hosts file

The easiest way to fix the problem of Host key verification failed is to remove the old host key info and reconnect to the server.

We can fix this issue with the following steps.

  • Locate the known_hosts file.
  • Open it in a text editor, for example: vi /home/user/.ssh/known_hosts
  • Search for the old host name and press “ESC dd” to delete the line.
  • Save the changes by pressing “ESC” and typing “:wq!”.
  • Reconnect to the server.

Remove old host key info with ssh-keygen command

We can also remove the old host key with the ssh-keygen command.

Open up a terminal session, and type one of the following:

  • ssh-keygen -R hostname
  • ssh-keygen -R ipaddress
  • ssh-keygen -f "/home/ec2-user/.ssh/known_hosts" -R "192.168.0.106"

Disable SSH StrictHostKeyChecking option

The StrictHostKeyChecking option in SSH is a security feature that verifies the host key information for each connection.

If there is a problem with the host key information, the connection will not be allowed to proceed. This option can be disabled, which will allow the connection to proceed even if there is a problem with the host key information, at the cost of the impersonation and man-in-the-middle protection that the check provides.

  • Open up a terminal window.
  • Type in the following command: ssh -o StrictHostKeyChecking=no hostname

This command removes the old host key for the device in the known_hosts file and replaces the old host key with the new host key.

David is a Cloud & DevOps Enthusiast. He has years of experience as a Linux engineer. He had working experience in AMD, EMC. He likes Linux, Python, bash, and more. He is a technical blogger and a Software Engineer. He enjoys sharing his learning and contributing to open-source.

howtouselinux.com is dedicated to providing comprehensive information on using Linux.


Linux Generating Host Keys for SSH

The SSH host key of your remote Linux/Solaris server is lost, is corrupted, or was not generated when the SSH packages were installed or during the first run.

To generate a new SSH host key.

How to

To generate a new SSH host key of the Linux/Solaris server, log on as root and run the ssh-keygen command with the -t option, which indicates the type of key to be generated.


You must provide the -f option, followed by the file name of the key file.

If you omit the -f option, it will create the public key for the OS account root instead of the SSH host key on the Linux/Solaris server.

The following example generates the SSH host key for the RSA type.

If the files of the SSH host keys already exist, you are asked whether you want to overwrite them.

Next, you are asked to provide the passphrase:

root@SERVER02:~# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (yes/no)? yes
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
03:bc:53:71:ff:d2:c8:f5:2c:2e:6d:01:3d:3d:1a:66 root@SERVER02

To generate the SSH host key for the DSA type, run the following command:

root@SERVER02:~# ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
Generating public/private dsa key pair.
/etc/ssh/ssh_host_dsa_key already exists.
Overwrite (yes/no)? yes
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
03:bc:53:71:ff:d2:c8:f5:2c:2e:6d:01:3d:3d:1a:66 root@SERVER02

Note: For security reasons, we recommend that you supply a passphrase when creating the SSH host key.

This prevents non-root users from peeking at the SSH host key by running ssh-keygen with the -y option (discussed in detail in the next section).

Note

The SSH host key is like a master key that encrypts and decrypts the data that traverses between the remote Linux/Solaris server and the client computer from which you want to initiate the SSH connection.

This secures your connection to the remote Linux/Solaris server and eliminates vulnerability to man-in-the-middle attacks.

The valid values for the SSH host key type are rsa1, rsa, and dsa.

rsa1 refers to RSA of SSH version 1 (SSHv1); rsa and dsa are for SSH version 2 (SSHv2).

Note: If your Linux/Solaris server supports only SSHv2, set the value of the parameter Protocol to 2 in /etc/ssh/sshd_config.

To create the RSA host key, run ssh-keygen with the -t rsa option, which creates two files: /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_rsa_key.pub.

For the DSA host key, run ssh-keygen with the -t dsa option, which creates /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_dsa_key.pub.

Both ssh_host_rsa_key and ssh_host_dsa_key contain the private and public key, whereas ssh_host_rsa_key.pub and ssh_host_dsa_key.pub contain only the public key.

The public key is used to encrypt the data; the private key is used to decrypt the data.

The first time you log on to the remote Linux/Solaris server, which is the computer you are connecting to via SSH, you are prompted to confirm the server’s SSH host key fingerprint, as shown here.

If you accept it, the file $HOME/.ssh/known_hosts is created on the local Linux/Solaris server, which is the computer from which you initiated the SSH connection.

$HOME/.ssh/known_hosts contains the server’s SSH host key.

oracle@BLSOL01:~$ ssh SERVER02
The authenticity of host 'server02 (192.168.2.42)' can't be established.
RSA key fingerprint is 03:bc:53:70:ff:d2:c8:f5:2d:2e:6d:07:3d:3d:1a:66.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server02,192.168.2.42' (RSA) to the list of known hosts.
Password:
Last login: Thu Aug 20 23:59:50 2022 from ol6-121-rac1
Oracle Corporation SunOS 5.11 11.2 June 2014
oracle@SERVER02:~$

To determine the SSH key fingerprint on the remote Linux/Solaris server, run the ssh-keygen command with the -l option, as shown here.

This lets you verify that you have the correct SSH host key fingerprint of the remote Linux/Solaris server that you want to connect to via SSH.

root@SERVER02:~# ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
1024 ee:0d:88:61:1a:27:20:2e:69:27:7b:bc:70:de:a2:5c /etc/ssh/ssh_host_dsa_key.pub
root@SERVER02:~#
root@SERVER02:~# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 03:bc:53:70:ff:d2:c8:f5:2d:2e:6d:07:3d:3d:1a:66 /etc/ssh/ssh_host_rsa_key.pub

Meanwhile, to determine the SSH host key on the remote Linux/Solaris server, run the ssh-keygen command with the -y option, as shown here.

For security reasons, you can be asked to provide the passphrase that you supplied when creating the SSH host key.

root@SERVER02:~# ssh-keygen -y -f /etc/ssh/ssh_host_dsa_key
ssh-dss AAAAB3NzaC1kc3MAAACBAJ2G5jV/4MHg9dG4DNb13Wrh94kbN5yUDQeW5SOP0JCzCQVpS2BnsV53L6CUQUPiNilXC .
root@SERVER02:~#
root@SERVER02:~# ssh-keygen -y -f /etc/ssh/ssh_host_rsa_key
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAs/WovKxUpZw8T03HoH4dOlYGLzQ9bbfqayRd8Me33odUzKc8loUhOAdc .

On your local client computer, run the tail command, as shown here.

Check the SSH host key, which comprises the characters after ssh-rsa or ssh-dss, and compare them against the output of ssh-keygen with the -y option.

oracle@BLSOL01:~$ tail -1 $HOME/.ssh/known_hosts
server02,192.168.2.42 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAs/WovKxUpZw8T03HoH4dOlYGLzQ9bbfqay .

However, when the remote Linux/Solaris server has a duplicate hostname or IP address, you will see the following error messages the next time you log on:

[root@ol6-121-rac1 ~]# ssh oracle@BLSOL01
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the DSA host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
8d:fa:39:1e:36:a7:6a:b1:87:ea:63:1a:c0:84:4a:3d.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:6
DSA host key for blsol01 has changed and you have requested strict checking.
Host key verification failed.

To resolve this problem, you can rename $HOME/.ssh/known_hosts, but this is not advisable because you will lose the reference of the SSH host keys of the other servers.

Another workaround is to edit $HOME/.ssh/known_hosts and remove the entry that corresponds to the hostname or IP address and the type of SSH host key of the remote Linux/Solaris server that you want to connect to via SSH.

Before you edit $HOME/.ssh/known_hosts, we recommend that you make another copy of the file.
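The comparison and the known_hosts edit described above, together with the entry removal from the first article, combined into one step that replaces a stored key only when the offered key's fingerprint matches one read on the server itself with ssh-keygen -l. This is an added example, not code from either original article; blob, fingerprint and review_changed_key are hypothetical helper names, and the keys are constructed byte patterns. It computes both the legacy MD5 fingerprint format shown on this page and the SHA256 format that current OpenSSH prints by default.

```python
import base64
import hashlib
import struct

def blob(key_type, raw):
    """Constructed public-key blob: length-prefixed fields, base64-encoded."""
    fields = [key_type.encode(), raw]
    packed = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return base64.b64encode(packed).decode()

def fingerprint(b64_blob, algo="sha256"):
    """Hash the decoded key blob and format it the way ssh-keygen -l prints it."""
    data = base64.b64decode(b64_blob)
    if algo == "md5":  # legacy colon-separated hex, the format shown on this page
        h = hashlib.md5(data).hexdigest()
        return ":".join(h[i:i + 2] for i in range(0, len(h), 2))
    digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
    return "SHA256:" + digest.rstrip("=")

def review_changed_key(known_hosts, host, key_type, offered, trusted_fp, algo="sha256"):
    """Return (decision, known_hosts_text). Matches plain host lists only;
    hashed (|1|...) entries, @marker lines and comments are kept untouched."""
    kept, stored = [], None
    for line in known_hosts.splitlines():
        parts = line.split()
        if (len(parts) >= 3 and not line.startswith(("#", "@", "|"))
                and host in parts[0].split(",") and parts[1] == key_type):
            stored = parts[2]  # the entry ssh reports as the offending key
            continue
        kept.append(line)
    if stored == offered:
        return "unchanged", known_hosts
    if fingerprint(offered, algo) != trusted_fp:
        return "reject", known_hosts  # unverified key: leave the file alone
    kept.append(f"{host} {key_type} {offered}")
    return "replace", "\n".join(kept) + "\n"

# Constructed sample data: byte patterns, not real keys.
OLD = blob("ssh-ed25519", bytes(range(32)))
NEW = blob("ssh-ed25519", bytes(range(32, 64)))
ROGUE = blob("ssh-ed25519", bytes(range(64, 96)))
KNOWN_HOSTS = (f"server02,192.168.2.42 ssh-ed25519 {OLD}\n"
               f"other.example ssh-ed25519 {ROGUE}\n")
TRUSTED = fingerprint(NEW)  # stands in for the value read on the server itself

if __name__ == "__main__":
    for name, key in (("old", OLD), ("new", NEW), ("rogue", ROGUE)):
        decision, _ = review_changed_key(KNOWN_HOSTS, "server02", "ssh-ed25519", key, TRUSTED)
        print(name, decision)
```

On "replace" the whole stale line is dropped, including any IP alias it carried, and a new line is written for the host name only.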

demo2s.com | Email: | Demo Source and Support. All rights reserved.
