Changes between Version 7 and Version 8 of faq/security/secure-shell


Timestamp:
Jun 24, 2009, 3:45:07 PM (12 years ago)
Author:
anawillem
Comment:

--

  • faq/security/secure-shell

    v7 v8  
    3333
    3434There are a [http://www.google.com/search?hl=en&q=linux+command+line+tutorial&btnG=Google+Search number of tutorials on the web]. [http://www.linuxcommand.org linuxcommand.org] seems to be a good one.
     35
     36= I pointed my DNS servers at Mayfirst and can't get in with my domain name...? =
     37
     38Let's say that when you were developing your site, the URL was http://mysite.mayfirst.org.  During development, you would have ssh'd or sftp's into the server with something like:
     39{{{
     40ssh username@mysite.mayfirst.org
     41}}}
     42
     43But then you launched (congratulations!) and when you try to ssh or sftp with the new URL:
     44
     45{{{
     46sftp username@mysite.org
     47}}}
     48
     49...it gives you something that looks like:
     50
     51@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
     52The RSA host key for alternateroots.org has changed, and the key for the according IP address 209.234.253.8 is unknown. This could either mean that DNS SPOOFING is
     53happening or the IP address for the host and its host key have changed at the same time.
     54@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is...
     55
     56Etcetera.
     57
     58== Why is this happening? ==
     59
     60Your ssh client is giving you a warning about this change. It's alerting you to the fact that it is connecting to a different server than the one you last connected to with the very same domain name. This is handy - in case someone was tampering with your DNS in order to trick you into loging into their server that is masquerading as alternateroots.org - ssh is warning you against entering your password or any other sensitive info.
     61
     62Since the fingerprint you are being offered matches our fingerprint for june, it looks like you are safe to continue.
     63
     64If you want the error message to go away, you can type:
     65
     66{{{
     67ssh-keygen -R alternateroots.org
     68}}}
     69
     70That will remove the alternateroots.org line from your ssh known hosts file. Then, re-connect and you should only be prompted to confirm the new fingerprint.
     71You can avoid this situation by always connecting to servers using their canonical name (e.g. june.mayfirst.org). This might be harder, especially if you are managing a lot of sites on different servers, because you have to remember which may first server each of your web sites is on. I find it easier in the long run because then I can easily connect to a server in use prior to a DNS change and the new server without getting confused.
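
Review bot: line 62 ("Since the fingerprint you are being offered matches our fingerprint for june, it looks like you are safe to continue.") tells every reader the connection is safe, but a FAQ reader has not compared anything yet, and the text never says where the fingerprint for june can be found. Suggest rewording it as a step: compare the fingerprint shown in the warning with the server's known fingerprint, and only if they match run `ssh-keygen -R` (line 67) and accept the new key on reconnect. The section also switches from mysite.org (lines 38 to 46) to alternateroots.org and 209.234.253.8 (lines 52 to 70), which reads like a reply to one specific user; one placeholder domain throughout would be clearer. Smaller points: the warning output on lines 51 to 54 sits outside a `{{{ }}}` block, unlike the commands around it, and "sftp's" (line 38) and "loging" (line 60) are typos.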