Crying wolf with ssh


Anyone who has used Unix more than a little has probably seen this message. I estimate I've seen it, oh, maybe as many as one hundred times in my career so far.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.


It appears when you try to use the ssh command, which opens a secure login session with a remote Unix machine, but your own computer detects that something about the target machine's identity changed between the last time you connected to it and now.

In my experience, every single time this has happened, it's because the remote machine changed its IP address for one reason or another. That's not something that normally happens often to an individual machine, but when your normal daily routine involves connecting to an ever-changing variety of computers via ssh, it's not an entirely rare phenomenon, either. So, I end up seeing this message once a month or more.

Its all-caps, exclamation-point-studded text is clearly meant to convey alarm and urge immediate wariness, but after you've seen it a handful of times, all that stuff is completely invisible. When I see it now, I think: Oh, has this machine's IP changed? Yes, I suppose it has. OK. It's good that I think that, but it has rather little to do with the words on the screen.

More valuable is the fact that ssh will refuse to create the connection until you edit the file containing the target machine's public key. (Typically, you just blow away the old key and let ssh record a fresh one for the target machine's new identity on the next connection.) This is correct behavior, and forces the user to think about what they're doing. I just wish that its programmers (or, today, its maintainers) chose a warning message that looks less like screaming paranoia that users will start to ignore the third time they see it, and more like rational admonition requiring a prudent safeguard. Hey, something changed. As a security precaution, I'm not letting you make this connection until you edit your .ssh/known_hosts file. You should only do this if you know why the target machine changed its identity. If you're not sure about this, consult your system administrator. That's all.
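To make concrete what ssh is actually comparing when it prints that warning, here is a small Python model of the known_hosts check. This is an added example, not code from the post or from OpenSSH itself: it builds a constructed known_hosts file with one plain entry and one hashed (HashKnownHosts-style) entry, computes the SHA256 fingerprint the way ssh-keygen -lf displays it, and reports whether a presented host key is the recorded one, a changed one, or unknown. The host names, key bytes and salt are all made up for the demonstration; wildcard and [host]:port patterns are deliberately not handled.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def encode_key(key_type: str, raw: bytes) -> str:
    """Base64 of the key blob exactly as it appears in known_hosts / authorized_keys."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw)
    return base64.b64encode(blob).decode()

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_hostname(host: str, salt: bytes) -> str:
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern: str, host: str) -> bool:
    """Match the host field of a known_hosts line: hashed entry or comma-separated names."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, expected)
    return host in pattern.split(",")

def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'ok', 'changed' or 'unknown' for the presented (host, key type, key)."""
    seen_same_type = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):      # @revoked / @cert-authority marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        hosts, ktype, kb64 = fields[0], fields[1], fields[2]
        if not host_matches(hosts, host) or ktype != key_type:
            continue
        seen_same_type = True
        if kb64 == key_b64:
            return "ok"                    # recorded key, connection proceeds silently
    # A recorded key of the same type that differs is the "HOST IDENTIFICATION HAS CHANGED" case.
    return "changed" if seen_same_type else "unknown"

def remove_host(known_hosts: str, host: str) -> str:
    """What 'blowing away the old key' does: drop every line whose host field matches."""
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and host_matches(fields[0], host):
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else "")

# Constructed sample data (not real hosts or keys).
OLD_KEY = encode_key("ssh-ed25519", bytes(range(32)))
NEW_KEY = encode_key("ssh-ed25519", bytes(range(32, 64)))
DB_KEY = encode_key("ssh-ed25519", bytes(range(64, 96)))
SALT = bytes(range(20))                    # real entries use a random 20-byte salt
KNOWN_HOSTS = (
    "# constructed known_hosts for the example\n"
    "build-box.example,10.0.0.5 ssh-ed25519 %s\n"
    "%s ssh-ed25519 %s\n"
) % (OLD_KEY, hashed_hostname("db01.example", SALT), DB_KEY)

if __name__ == "__main__":
    print("stored  :", fingerprint(OLD_KEY))
    print("offered :", fingerprint(NEW_KEY))
    print(check_host_key(KNOWN_HOSTS, "build-box.example", "ssh-ed25519", NEW_KEY))
    print(check_host_key(remove_host(KNOWN_HOSTS, "build-box.example"),
                         "build-box.example", "ssh-ed25519", NEW_KEY))
```

Running it shows the two fingerprints side by side, then "changed" for the offered key and "unknown" once the stale line has been removed, which is the point at which a real ssh client would ask you to confirm the new fingerprint. The fingerprint is the value worth comparing against something you obtained out of band (the console, or the administrator who rekeyed the box) before you accept it.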

3 Comments

Manuel Stiff said:

Incredibly helpful details shared. I am incredibly delighted by this article. Many thanks for giving us great details. Amazing walk-through. I get pleasure from this post.

Liana Yongue said:

I can admit that out of all the time I've spent online, examining blogs and forums, I've never read one as to the point and well crafted as this one. I do not often comment on information sites, nevertheless in your case I felt the need to make an exception; it's honestly class work and certainly the opposite of the drivel which I spend a lot of my time on the web reading. Many thanks for finding the time and expending your energy to supply your readers with a first class review. I count on reading a lot more of your work; once more, thanks. Jane

Being an inexperienced blogger myself, it is always important to read a good quality blogger on a regular basis. I hope to learn a lot from analyzing other individuals' web logs and I feel that the one you have has plenty to offer the person who reads it. Thank you for taking the time and making the effort. Diane
