Managing RSA Keys on Linux and OS X

Posted by Aaron West at 9:46 AM in ColdFusion, Linux, Mac

My Web sites have been hosted on Linux since 2002. About a year ago I moved some sites to a Linux virtual private server at Viviotech and have recently set up a new Linux server over at Linode. Linode is a Linux virtual server platform powered by Xen (Wikipedia) and was started by a friend (and past co-worker) of mine. If you're in need of Linux hosting I highly recommend Linode!

I began setting up my Linode with CentOS 4 since I was already familiar with it. But after having conversations with Chris at Linode I decided to nuke the CentOS distro and install Ubuntu. After doing this I ran into an issue the first time I attempted to connect to the server using ssh. Here's an example of what I saw when connecting.

ssh root@xx.xx.xx.xx

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /Users/aaron/.ssh/known_hosts to get rid of this message.
Offending key in /Users/aaron/.ssh/known_hosts:4
RSA host key for xx.xx.xx.xx has changed and you have requested strict checking.
Host key verification failed.

I wasn't even able to connect to my Ubuntu server, and the warning message above (scary as it is) hints at why. In my case, the RSA host key stored on my Mac was different from the RSA host key sent by my server. RSA is an algorithm for public-key encryption, created in 1977, that involves public and private keys. If you're not afraid of a little math you can follow a working example of RSA encryption/decryption at Wikipedia. When connecting to my Ubuntu server, the ssh client on my Mac was attempting to verify that it was talking to the right server by comparing the server's public RSA host key with the one it had saved. Since the public key the server presented and the key stored on my computer for the same IP address were different, the ugly error message showed up. This was happening because an RSA host key from previous connections to the server, back when it was running CentOS, was still stored on my Mac. The new RSA host key generated for Ubuntu was different.

To resolve this problem and connect to the server again, all I had to do was remove all the stored RSA host keys on my Mac. To do this, I opened Terminal (Applications / Utilities) and ran the following command. Be sure to replace my username with yours in the command.

rm /Users/aaron/.ssh/known_hosts

Now, I can try and connect to the server again.

ssh root@xx.xx.xx.xx

The authenticity of host 'xx.xx.xx.xx (xx.xx.xx.xx)' can't be established.
RSA key fingerprint is 48:71:56:78:93:23:22:ae:5a:35:f8:89:32:ef:64:70.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'xx.xx.xx.xx' (RSA) to the list of known hosts.

I'm in! If I were to open another Terminal tab and check for the known_hosts file it would be back.

ls -l /Users/aaron/.ssh/

Suppose you want to verify your server's RSA public host key fingerprint (for example, from the server's console before accepting it on a client). This is possible using the following command.

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

2048 48:71:56:78:93:23:22:ae:5a:35:f8:89:32:ef:64:70 /etc/ssh/

If for some reason you need to regenerate your server's RSA keys you can accomplish this with two commands (Ubuntu / Debian-based Linux).

rm /etc/ssh/ssh_host_*

dpkg-reconfigure openssh-server

Remember, if the server's RSA public key changes you'll need to remove the known host from the computer you use to connect to the server.
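Deleting the whole known_hosts file also throws away every other host key you have already verified. The following shell functions, added here as an example and not part of the original post, remove only the single offending line (the number after the colon in "Offending key in ...:4") after backing the file up, and look up which line belongs to a given host so you can check it before deleting. The known_hosts contents and host names are constructed samples; the key material is a placeholder. On recent OpenSSH releases, ssh-keygen -R hostname does the same removal in one step.

```shell
#!/bin/sh
# Constructed sample known_hosts; the key blobs are placeholders, not real host keys.
KH="${TMPDIR:-/tmp}/known_hosts.example.$$"
cat > "$KH" <<'EOF'
web.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCPLACEHOLDERKEY1
192.0.2.20 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCPLACEHOLDERKEY2
192.0.2.30 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCPLACEHOLDERKEY3
EOF

# Print the known_hosts line whose host field (first field, possibly a
# comma-separated list of names and addresses) contains HOST exactly.
# Hashed entries (lines beginning with "|1|") cannot be matched this way.
known_host_entry() {  # usage: known_host_entry FILE HOST
    awk -v h="$2" '{ n = split($1, a, ",")
                     for (i = 1; i <= n; i++) if (a[i] == h) { print; next } }' "$1"
}

# Print the line number of HOST's entry, i.e. the N that ssh reports as
# "Offending key in ...:N", so it can be checked before anything is deleted.
known_host_line_number() {  # usage: known_host_line_number FILE HOST
    awk -v h="$2" '{ n = split($1, a, ",")
                     for (i = 1; i <= n; i++) if (a[i] == h) { print NR; exit } }' "$1"
}

# Delete exactly one line by number, keeping FILE.bak, rather than rm'ing the
# whole file. sed -i differs between GNU and BSD (OS X), so write via a temp file.
remove_known_host_line() {  # usage: remove_known_host_line FILE N
    case "$2" in
        ''|*[!0-9]*) echo "remove_known_host_line: line number required" >&2; return 1 ;;
    esac
    cp "$1" "$1.bak" &&
    sed "${2}d" "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}
```

After removing the stale line, reconnect and compare the fingerprint ssh prints with the one from ssh-keygen -l on the server before answering "yes".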

About this post:

This entry was posted by Aaron West on December 7, 2008 at 9:46 AM. It was filed in the following categories: ColdFusion, Linux, Mac. It has been viewed 16184 times and has 3 comments.

3 Responses to Managing RSA Keys on Linux and OS X

  1. Hey Aaron, thanks for this tip - just ran into it. However, I have many RSA known hosts in my known_hosts file so I didn't want to rm the entire file. Rather, it is simple enough to do the following:
    $ nano /Users/[username]/.ssh/known_hosts

    Notice in the error message you received - "Offending key in /Users/aaron/.ssh/known_hosts:4" - which indicates the bad key is on line 4. Double check the IP or domain in that line to ensure that it is the key for your remote server. Place the cursor on that line and press ^K to delete the entire line. ^O to write the file. <enter>. ^X to exit.

    At this point you can re-establish your ssh connection with the remote server.

  2. Doug, thanks for the comment. In addition to your solution I also recommend folks simply look for their server's IP address in the known_hosts file. If you want to be doubly sure you don't delete the wrong entry, match the IP address listed in the warning message with the IP address listed in the file. Then delete that line, save, and close.

  3. Thanks for your article, it resolved my problem.

    A simple rm or move of the file to regenerate my file.

    Thanks again.