Thursday, November 20, 2014

Pesky SSH KnownHosts file (WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!)

I posted earlier in the year about SSH reverse tunneling.

At my new job, I haven't had as many issues in that department, but I do re-image servers quite a bit, and when I then need to SSH back into the machine I get those pesky errors informing me there might be a man-in-the-middle attack. Well, this is an internal firewalled server, so that's extremely unlikely.

When this happened I started off by running

ssh-keygen -R [hostname|IP address]

and that worked well, but if you by chance have more than one known_hosts file under your .ssh it might not work.

When that became a little more tedious I tried just deleting the known_hosts* file(s) under .ssh. That worked too, but it's a little too much for the task at hand. Kinda like taking a sledgehammer to a small problem.

I ultimately decided that I wanted something a little less severe that would tackle the short-term problem. The best solution is to pass command line arguments when you SSH.

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@[hostname|IP address]

I found a few sites that mentioned this, but it was Linux Commando who provided good detail. Thanks.

Since I was also doing SSH scripting with Perl, I thought I would add a step to my script to wait for the SSH daemon to start after a re-image/reboot.

It was a little more difficult to get to work since I don't work with Perl as regularly (although more recently), and the Net::SSH::Perl documentation could offer a few more examples of how to set up the options.

Here's the code:

use strict;
use warnings;
use Net::SSH::Perl;

# $passedHost, $user and $pass come from the rest of the script;
# taking them from the command line here is just a placeholder.
my ($passedHost, $user, $pass) = @ARGV;

# Same effect as: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
my %params = (strict_host_key_checking => "no");
my $ssh;

eval {
    $ssh = Net::SSH::Perl->new($passedHost, %params,
                               options => ["UserKnownHostsFile /dev/null"]);
    # login() takes ($user, $pass, $suppress_shell); passing %params here
    # would be read as a true $suppress_shell flag, so it is left out.
    $ssh->login($user, $pass);
};
if ($@) {
    warn "Cannot SSH yet. Here's the error message below:\n$@Waiting 30 seconds for SSH daemon to come up.\n";
}
sleep 30;
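The two pieces above, the per-host cleanup and the wait for sshd, as one shell script. This is an added example, not code from the original post: forget_host_key runs ssh-keygen -R against every known_hosts* file under ~/.ssh (the multi-file case mentioned earlier), and wait_for_sshd retries a probe command with the same 30-second pause as the Perl step. The function names and the host build01 are made up for the example.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSH's ssh-keygen
# is installed; the function names and the host build01 are hypothetical.

# forget_host_key HOST [SSHDIR]: run `ssh-keygen -R HOST` against each
# known_hosts* file under SSHDIR, skipping the .old backups ssh-keygen
# leaves behind. Returns 1 if any ssh-keygen call fails.
forget_host_key() {
    host=$1
    sshdir=${2:-"$HOME/.ssh"}
    for f in "$sshdir"/known_hosts*; do
        [ -f "$f" ] || continue
        case $f in *.old) continue ;; esac
        ssh-keygen -R "$host" -f "$f" >/dev/null 2>&1 || return 1
    done
    return 0
}

# wait_for_sshd PROBE [TRIES] [DELAY]: evaluate PROBE (a command string)
# until it exits 0. Returns 0 as soon as the probe succeeds, 1 once TRIES
# attempts are used up. DELAY defaults to the post's 30 seconds.
wait_for_sshd() {
    probe=$1
    tries=${2:-10}
    delay=${3:-30}
    attempt=0
    while [ "$attempt" -lt "$tries" ]; do
        if eval "$probe"; then
            return 0
        fi
        attempt=$((attempt + 1))
        echo "Cannot SSH yet (attempt $attempt/$tries). Waiting $delay seconds for SSH daemon to come up." >&2
        sleep "$delay"
    done
    return 1
}

# Typical use after re-imaging build01: drop the stale key first, then poll
# with the post's own ssh options plus a connect timeout so a dead host
# cannot stall the loop.
#   forget_host_key build01
#   wait_for_sshd 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ConnectTimeout=5 root@build01 true'
```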