Changes between Version 7 and Version 8 of faq/security/secure-shell

Jun 24, 2009, 3:45:07 PM (12 years ago)



  • faq/security/secure-shell

    v7 v8  
    3434There are a [ number of tutorials on the web]. [] seems to be a good one.
     36= I pointed my DNS servers at Mayfirst and can't get in with my domain name...? =
     38Let's say that when you were developing your site, the URL was  During development, you would have ssh'd or sftp's into the server with something like:
     43But then you launched (congratulations!) and when you try to ssh or sftp with the new URL:
     48 gives you something that looks like:
     51@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
     52The RSA host key for has changed, and the key for the according IP address is unknown. This could either mean that DNS SPOOFING is
     53happening or the IP address for the host and its host key have changed at the same time.
     54@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is...
     58== Why is this happening? ==
     60Your ssh client is giving you a warning about this change. It's alerting you to the fact that it is connecting to a different server than the one you last connected to with the very same domain name. This is handy - in case someone was tampering with your DNS in order to trick you into loging into their server that is masquerading as - ssh is warning you against entering your password or any other sensitive info.
     62Since the fingerprint you are being offered matches our fingerprint for june, it looks like you are safe to continue.
     64If you want the error message to go away, you can type:
     67ssh-keygen -R
     70That will remove the line from your ssh known hosts file. Then, re-connect and you should only be prompted to confirm the new fingerprint.
     71You can avoid this situation by always connecting to servers using their canonical name (e.g. This might be harder, especially if you are managing a lot of sites on different servers, because you have to remember which may first server each of your web sites is on. I find it easier in the long run because then I can easily connect to a server in use prior to a DNS change and the new server without getting confused.
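Review bot: The sentence added at diff line 62 ("Since the fingerprint you are being offered matches our fingerprint for june, it looks like you are safe to continue.") asserts a match for every reader, but the sample warning at diff line 54 stops at "The fingerprint for the RSA key sent by the remote host is..." and the text never says where the server's published fingerprint is listed or that the reader must compare the two. As written, anyone who sees this warning for any reason is steered toward removing the old entry and accepting whatever key is offered next. Suggest rewording line 62 as an instruction: compare the fingerprint shown in the warning with the published fingerprint for the server, continue only if they are identical, and stop if they differ. The same check applies to the reconnect step at diff line 70, where the reader is "prompted to confirm the new fingerprint". Separately, the command at diff line 67 appears as a bare "ssh-keygen -R" with no hostname; -R takes the hostname whose known-hosts entry is to be removed, so the example should name it.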