Managing RSA Keys on Linux and OS X
My Web sites have been hosted on Linux since 2002. About a year ago I moved some sites to a Linux virtual private server at Viviotech, and I've recently set up a new Linux server over at Linode. Linode is a Linux virtual server platform powered by Xen (Wikipedia) and was started by a friend (and former co-worker) of mine. If you're in need of Linux hosting I highly recommend Linode!
I began setting up my Linode with CentOS 4 since I was already familiar with it. But after having conversations with Chris at Linode I decided to nuke the CentOS distro and install Ubuntu. After doing this I ran into an issue the first time I attempted to connect to the server using ssh. Here's an example of what I saw when connecting.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
48:71:56:78:93:23:22:ae:5a:35:f8:89:32:ef:64:70.
Please contact your system administrator.
Add correct host key in /Users/aaron/.ssh/known_hosts to get rid of this message.
Offending key in /Users/aaron/.ssh/known_hosts:4
RSA host key for xx.xx.xx.xx has changed and you have requested strict checking.
Host key verification failed.
I wasn't even able to connect to my Ubuntu server, and the warning message above (scary as it is) hints at why. In my case, the RSA host key stored on my Mac was different from the RSA key sent by my server. RSA is a public-key algorithm, created in 1977, that uses a pair of public and private keys. If you're not afraid of a little math you can follow a worked example of RSA encryption and decryption at Wikipedia. When connecting to my Ubuntu server, my Mac was trying to verify that it was talking to the right server by comparing the server's public RSA key with the one it had stored. Since the key the server presented and the key stored on my computer for the same IP address were different, the ugly error message showed up. This happened because my Mac still held the host key from earlier connections to the same IP address when the server was running CentOS; the freshly installed Ubuntu server had generated a new, different RSA host key.
To resolve this problem and connect to the server again, all I had to do was remove all the stored RSA host keys on my Mac. To do this, I opened Terminal (Applications / Utilities) and ran the following command. Be sure to replace my username with yours in the command.
Now I can try connecting to the server again.
The authenticity of host 'xx.xx.xx.xx (xx.xx.xx.xx)' can't be established.
RSA key fingerprint is 48:71:56:78:93:23:22:ae:5a:35:f8:89:32:ef:64:70.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'xx.xx.xx.xx' (RSA) to the list of known hosts.
I'm in! If I open another Terminal tab and check for the known_hosts file, it has been recreated.
Suppose you want to verify your server's RSA public key fingerprint. This is possible using the following command.
2048 48:71:56:78:93:23:22:ae:5a:35:f8:89:32:ef:64:70 /etc/ssh/ssh_host_rsa_key.pub
If for some reason you need to regenerate your server's RSA host keys, you can do so with two commands (on Ubuntu or another Debian-based Linux).
dpkg-reconfigure openssh-server
Remember, if the server's RSA public key changes you'll need to remove the stale stored key for that host from every computer you use to connect to it.
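As an added example (not from the original post), here is a small Python script that handles the warning above in a safer order than deleting the whole known_hosts file: it locates the entry for the host in a constructed known_hosts (the "Offending key in known_hosts:4" line), computes the stored key's fingerprint in the MD5 colon format shown above and in the SHA256 format newer OpenSSH prints, and reports which line to remove once the new fingerprint has been confirmed against the server's /etc/ssh/ssh_host_rsa_key.pub over a trusted channel such as the hosting console. The key blobs and the known_hosts contents are constructed for the example and are not real keys.

```python
import base64
import hashlib

# Constructed sample keys: minimal ssh-rsa blobs in SSH wire format (string
# "ssh-rsa", mpint e, mpint n). The moduli are tiny and are NOT real keys.
def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b
def _mpint(n: int) -> bytes:
    # one spare byte keeps the value positive when the top bit would be set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def make_rsa_blob(e: int, n: int) -> bytes:
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format OpenSSH printed in 2008."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
def sha256_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as current OpenSSH prints it (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_host_keys(known_hosts: str, host: str):
    """Return (line_number, key_type, blob) for each plain-text entry of host."""
    hits = []
    for lineno, line in enumerate(known_hosts.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "|1|")):
            continue  # blank line, comment or hashed hostname: skip
        if host in fields[0].split(","):
            hits.append((lineno, fields[1], base64.b64decode(fields[2])))
    return hits

def check_reported_fingerprint(known_hosts: str, host: str, reported_md5: str):
    """Compare the fingerprint in the ssh warning against the stored keys.
    Returns (matches, offending_lines): line numbers whose stored key differs,
    i.e. what to drop with 'ssh-keygen -R host' after confirming the new key."""
    matches, offending = False, []
    for lineno, _, blob in find_host_keys(known_hosts, host):
        if md5_fingerprint(blob) == reported_md5:
            matches = True
        else:
            offending.append(lineno)
    return matches, offending

OLD_BLOB = make_rsa_blob(65537, 0xC0FFEE1234567)  # constructed "CentOS era" key
NEW_BLOB = make_rsa_blob(65537, 0xDEADBEEF98765)  # constructed "Ubuntu" key
KNOWN_HOSTS = "\n".join([  # constructed ~/.ssh/known_hosts, not a real file
    "# constructed sample known_hosts",
    "example.invalid ssh-rsa " + base64.b64encode(make_rsa_blob(3, 0x1234)).decode(),
    "|1|hashed-host-placeholder|zzzz ssh-rsa AAAA",
    "xx.xx.xx.xx ssh-rsa " + base64.b64encode(OLD_BLOB).decode(),
])
```

Removing only the offending line with ssh-keygen -R keeps the already verified keys for every other host, which deleting the whole file throws away.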
About this post:
This entry was posted by Aaron West on December 7, 2008 at 9:46 AM. It was filed in the following categories: ColdFusion, Linux, Mac. It has been viewed 3001 times and has 0 comments.