= I pointed my DNS servers at Mayfirst and can't get in with my domain name...? =

Let's say that when you were developing your site, the URL was http://mysite.mayfirst.org. During development, you would have ssh'd or sftp'd into the server with something like:
{{{
ssh username@mysite.mayfirst.org
}}}

But then you launched (congratulations!) and when you try to ssh or sftp with the new URL:

{{{
sftp username@mysite.org
}}}

...it gives you something that looks like:

{{{
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for alternateroots.org has changed,
and the key for the according IP address 209.234.253.8
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is...
}}}

Etcetera.

== Why is this happening? ==

Your ssh client is warning you about this change. It's alerting you to the fact that it is connecting to a different server than the one you last connected to with the very same domain name. This is handy: if someone were tampering with your DNS in order to trick you into logging into their server masquerading as alternateroots.org, ssh is warning you against entering your password or any other sensitive info.

Since the fingerprint you are being offered matches our fingerprint for june, it looks like you are safe to continue.

If you want the error message to go away, you can type:

{{{
ssh-keygen -R alternateroots.org
}}}

That will remove the alternateroots.org line from your ssh known hosts file. Then, re-connect and you should only be prompted to confirm the new fingerprint.

You can avoid this situation by always connecting to servers using their canonical name (e.g. june.mayfirst.org). This might be harder, especially if you are managing a lot of sites on different servers, because you have to remember which May First server each of your web sites is on. I find it easier in the long run because then I can easily connect to a server in use prior to a DNS change and the new server without getting confused.
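
The check behind "the fingerprint matches our fingerprint for june", as an added example (not part of the original page): it parses a known hosts file and decides whether a key offered under your domain name is already known, new, changed but identical to the key stored for the canonical server name, or changed and unverified. The key blobs and file contents are constructed stand-ins, and it assumes you verified the canonical server's key earlier and that host names are stored unhashed.

```python
import base64
import hashlib

def fingerprint(key_b64):
    """SHA256 fingerprint of a public key blob, in the form OpenSSH prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Map each plain host name to the set of (keytype, key) pairs stored for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers, hashed hosts.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        for host in fields[0].split(","):
            table.setdefault(host, set()).add((fields[1], fields[2]))
    return table

def classify(known, alias, canonical, keytype, offered):
    """Decide what an offered host key means for `alias`."""
    stored = {k for t, k in known.get(alias, set()) if t == keytype}
    if offered in stored:
        return "known"
    if not stored:
        return "new"
    if (keytype, offered) in known.get(canonical, set()):
        return "changed-matches-canonical"   # alias now points at a server you trust
    return "changed-unverified"              # do not log in; verify out of band

# Constructed stand-ins for key blobs (not real host keys).
OLD = base64.b64encode(b"constructed key of the old server").decode()
JUNE = base64.b64encode(b"constructed key of june").decode()
ROGUE = base64.b64encode(b"constructed key of an unknown server").decode()

KNOWN_HOSTS = f"""# constructed sample known_hosts
mysite.org ssh-rsa {OLD}
june.mayfirst.org ssh-rsa {JUNE}
"""

if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    for key in (OLD, JUNE, ROGUE):
        verdict = classify(known, "mysite.org", "june.mayfirst.org", "ssh-rsa", key)
        print(fingerprint(key), verdict)
```

Only the "changed-matches-canonical" result corresponds to the situation described above, where removing the stale entry with ssh-keygen -R and reconnecting is reasonable.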