1

Error while connecting to Fedora People through SSH

asked 2014-01-11 11:14:48 -0500

I already uploaded my RSA public key, but it prints out this:

eduardo@localhost ~$ ssh mayorga@fedoraproject.org

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for fedoraproject.org has changed,
and the key for the corresponding IP address 67.203.2.67
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
d9:a0:74:a3:61:6e:b4:de:ad:27:73:0b:c3:5d:ce:75.
Please contact your system administrator.
Add correct host key in /home/eduardo/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/eduardo/.ssh/known_hosts:4
RSA host key for fedoraproject.org has changed and you have requested strict checking.
Host key verification failed.

Why does this happen?


2 Answers

3

answered 2014-01-11 20:10:44 -0500

updated 2014-01-11 20:14:08 -0500

A couple possibilities here:

  1. Your DNS resolver is compromised, and you are being referred to a site that is not fedoraproject.org.
  2. Your known hosts file has changed (or been compromised!) and server signatures do not match.
  3. The IP address or domain name of the server has changed, so the records in your ~/.ssh/known_hosts do not match.
  4. The host key of the server has changed. This could be from a reinstall, or because more than one server handles traffic for a given domain.

In this situation, you are trying to connect to fedoraproject.org. Without a subdomain, your DNS request is probably going to be resolved to one of many caching proxies, by design. To get around the message, you could disable strict checking for this host in ~/.ssh/config. Alternatively, be more specific about the host you are trying to reach. Don't confuse fedorapeople.org with fedoraproject.org.

To compare fingerprints, you can use ssh-keygen -l -F fedoraproject.org to list the fingerprint of the key in ~/.ssh/known_hosts and compare to the one SSH reports when you try to connect. If the fingerprints match, you can be more confident that you are reaching the same machine at a different IP.

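The fingerprint comparison described in the answer above, as an added example that is not part of the original post: it finds the known_hosts entries for a host (plain or hashed form) and checks whether the stored key matches a reported fingerprint, in the MD5 colon-hex form shown in the warning or the SHA256 form newer OpenSSH releases print. All function names, key blobs, the salt and the 192.0.2.10 address are constructed for illustration.

```python
import base64, hashlib, hmac

def host_matches(field, host):
    """True if a known_hosts host field names `host` (plain or |1| hashed form)."""
    for pat in field.split(","):
        if pat.startswith("|1|"):                  # HashKnownHosts: |1|salt|HMAC-SHA1(salt, host)
            _, _, salt, mac = pat.split("|")
            calc = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(calc, base64.b64decode(mac)):
                return True
        elif pat == host:                          # wildcards and [host]:port are not handled here
            return True
    return False

def fingerprints(key_b64):
    """(MD5 colon-hex, SHA256 base64) fingerprints of a base64 public-key blob."""
    blob = base64.b64decode(key_b64)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def check(known_hosts_text, host, reported_fp):
    """[(line_no, key_type, stored_key_matches_reported_fp)] for every entry naming `host`."""
    out = []
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        f = line.split()
        if len(f) < 3 or f[0][0] in "#@":          # skip comments and @marker lines
            continue
        if host_matches(f[0], host):
            out.append((n, f[1], reported_fp in fingerprints(f[2])))
    return out

# --- constructed sample data: fake key blobs, not real host keys ---
def fake_key(tag):
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + tag).decode()
def hashed(host, salt=b"constructed-salt"):
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

KEY_OLD, KEY_NEW = fake_key(b"old key"), fake_key(b"new key")
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "fedorapeople.org,192.0.2.10 ssh-rsa " + KEY_OLD,
    hashed("fedoraproject.org") + " ssh-rsa " + KEY_OLD,
])

if __name__ == "__main__":
    for n, ktype, same in check(SAMPLE, "fedoraproject.org", fingerprints(KEY_NEW)[0]):
        print("line %d (%s): %s" % (n, ktype, "match" if same else "MISMATCH, verify out of band"))
```

A mismatch only says the stored key and the presented key differ; which of the two is the legitimate one has to be confirmed through a separate trusted channel.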

Comments

1

Shouldn't he be trying to ssh into fedorapeople? I wasn't aware that we could ssh into fedoraproject.org.

FranciscoD_ ( 2014-01-12 02:45:35 -0500 )

@FranciscoD_ Yes, that is the conclusion I was hoping he would reach after reading my answer.

randomuser ( 2014-01-12 11:59:27 -0500 )

@randomuser silly me! I was trying to connect using the wrong domain. Thanks anyway.

mayorga ( 2014-01-13 12:09:43 -0500 )

What to do about that message is still a good question, @mayorga :)

randomuser ( 2014-01-16 00:35:24 -0500 )

Thanks, I forgot that fedorapeople.org and fedoraproject are different.

alyaj2a ( 2017-03-12 23:50:50 -0500 )
1

answered 2014-01-11 11:37:57 -0500

Marc lml

The key for fedoraproject.org is stored in ~/.ssh/known_hosts as a security feature to prevent DNS spoofing. Because the IP address changed, this key is no longer valid. You can edit ~/.ssh/known_hosts and remove the rule for fedoraproject.org. With the first connection you will be asked if you trust this connection and it will automatically be added again.


Comments

Deleting the known_hosts entry is probably fine for a LAN, but you should verify that you aren't actually compromised. We are shown these warnings for a reason.

randomuser ( 2014-01-11 20:13:03 -0500 )


Stats

Asked: 2014-01-11 11:14:48 -0500

Seen: 789 times

Last updated: Jan 11 '14