| | 35 | |
| | 36 | = I pointed my DNS servers at Mayfirst and can't get in with my domain name...? = |
| | 37 | |
| | 38 | Let's say that when you were developing your site, the URL was http://mysite.mayfirst.org. During development, you would have ssh'd or sftp'd into the server with something like: |
| | 39 | {{{ |
| | 40 | ssh username@mysite.mayfirst.org |
| | 41 | }}} |
| | 42 | |
| | 43 | But then you launched (congratulations!) and when you try to ssh or sftp with the new URL: |
| | 44 | |
| | 45 | {{{ |
| | 46 | sftp username@mysite.org |
| | 47 | }}} |
| | 48 | |
| | 49 | ...it gives you something that looks like: |
| | 50 | |
| | 51 | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ |
| | 52 | The RSA host key for alternateroots.org has changed, and the key for the according IP address 209.234.253.8 is unknown. This could either mean that DNS SPOOFING is |
| | 53 | happening or the IP address for the host and its host key have changed at the same time. |
| | 54 | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is... |
| | 55 | |
| | 56 | Etcetera. |
| | 57 | |
| | 58 | == Why is this happening? == |
| | 59 | |
| | 60 | Your ssh client is warning you about this change: the same domain name now leads to a different server than the one you last connected to. This is handy. If someone were tampering with your DNS in order to trick you into logging into their server that is masquerading as alternateroots.org, ssh would be warning you against entering your password or any other sensitive info. |
| | 61 | |
| | 62 | Since the fingerprint you are being offered matches our fingerprint for june, it looks like you are safe to continue. |
| | 63 | |
| | 64 | If you want the error message to go away, you can type: |
| | 65 | |
| | 66 | {{{ |
| | 67 | ssh-keygen -R alternateroots.org |
| | 68 | }}} |
| | 69 | |
| | 70 | That will remove the alternateroots.org line from your ssh known hosts file. Then, re-connect and you should only be prompted to confirm the new fingerprint. |
| | 71 | You can avoid this situation by always connecting to servers using their canonical name (e.g. june.mayfirst.org). This might be harder, especially if you are managing a lot of sites on different servers, because you have to remember which May First server each of your web sites is on. I find it easier in the long run because I can connect both to the server in use prior to a DNS change and to the new server without getting confused. |
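
The fingerprint comparison that the answer above relies on before running `ssh-keygen -R`, as an added example that is not part of the original page. The function names, the key-type subset and the sample lines are assumptions; the sample keys are constructed filler bytes, not real host keys.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")  # subset for the example

def key_blob(line):
    """Raw key blob from a known_hosts, ssh-keyscan or .pub line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1], validate=True)
            # The blob starts with a length-prefixed copy of the key type.
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != field.encode():
                raise ValueError("key type does not match key blob")
            return blob
    raise ValueError("no public key found in line")

def fingerprint(line, algo="sha256"):
    """Fingerprint in the forms OpenSSH prints: SHA256 base64 or MD5 colon-hex."""
    blob = key_blob(line)
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    hexd = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))

def safe_to_accept(offered_line, published_fp):
    """True only if the offered key hashes to the separately published fingerprint."""
    published_fp = published_fp.strip()
    if published_fp.startswith("SHA256:"):
        return fingerprint(offered_line) == published_fp
    # Older clients print MD5 colon-hex, with or without an "MD5:" prefix.
    bare = published_fp[4:] if published_fp.startswith("MD5:") else published_fp
    return fingerprint(offered_line, "md5")[4:] == bare.lower()

def constructed_line(host, fill):
    """Constructed sample: an ed25519-shaped blob with filler bytes, not a real key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

PUBLISHED = fingerprint(constructed_line("june.mayfirst.org", 0x11))  # stands in for the published value
OFFERED = constructed_line("mysite.org", 0x11)    # same server reached under the new name
OTHER_KEY = constructed_line("mysite.org", 0x22)  # a different key behind the same name

if __name__ == "__main__":
    for label, line in (("offered", OFFERED), ("other key", OTHER_KEY)):
        verdict = "matches" if safe_to_accept(line, PUBLISHED) else "DOES NOT match"
        print(label, fingerprint(line), verdict, "the published fingerprint")
```

In practice the offered line would come from `ssh-keyscan mysite.org`, and the published fingerprint from a channel you already trust; only remove the old known hosts entry once the two match.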