Rants of a madman » script for fixing ssh’s “remote host identification changed”
Jan 4

I run DHCP at home. I have a crappy Linksys router, and every time I reboot it, all DHCP leases are lost, so the hosts come back up with different addresses than the ones recorded in known_hosts. As a consequence, every SSH server on my home net gives me this error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
de:ad:be:ef:ff:59:fe:1b:39:55:fe:e5:ac:6b:13:fe.
Please contact your system administrator.
Add correct host key in /home/dan/.ssh/known_hosts to get rid of this message.
Offending key in /home/dan/.ssh/known_hosts:39
RSA host key for 192.168.1.51 has changed and you have requested strict checking.
Host key verification failed.

Finally I got fed up with manually editing my known_hosts file and deleting the conflicting line every time. I started by googling to see what others were doing, but it appears that people just edit the file like me. So I hacked up a shell script to do it for me.

EDIT: Actually, the correct (and easy) way of doing this is simply "ssh-keygen -R <hostname>". I kept this script online anyway, because the new regex support in bash is pretty cool and this script serves as a great example of it.

ssh_keyclean.sh:

#!/bin/bash
# Run ssh once (merging stderr into stdout) and keep only the line that
# names the known_hosts file and the offending line number.
DATA="`ssh "$1" echo 2>&1 | grep 'known_hosts:'`"

# bash 3+ regex match: group 1 is the file name, group 2 the line number.
if [[ "$DATA" =~ ([^ ]+):([0-9]+) ]]
then
        echo "SSH KeyCleaner v. 0.1"
        echo -n "Delete key from line"
        echo -n " ${BASH_REMATCH[2]} in"
        echo -n " ${BASH_REMATCH[1]}? "
        read -n1 -p "(y/n) : " A
        echo
        if [ "$A" == "y" ]
        then
                # sed's "<N>d" deletes line N; -i edits the file in place.
                sed -i "${BASH_REMATCH[2]}d" "${BASH_REMATCH[1]}"
                echo "Cleaning"
        fi
else
        echo "Bad output from ssh command. Sorry."
fi

Copy and paste this into a file, e.g. /usr/bin/ssh_keyclean.sh (and remember to use an editor that keeps the backquotes; "joe" doesn't), then run "chmod +x /usr/bin/ssh_keyclean.sh".

Whenever you get the message that the key has changed, all you have to do is type:

$ ssh_keyclean.sh <ip_address>

eg.

$ ssh_keyclean.sh 192.168.1.51

How it works:

It runs the ssh command and greps for the line containing "known_hosts:". It then uses bash's new built-in regex support to extract two variables: the filename and the line number. Lastly it prompts you to confirm, and if you do, it uses "sed" to delete the line number reported by ssh from the ~/.ssh/known_hosts file.
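The same extraction, as an added example that is not the blog's ssh_keyclean.sh: it runs bash's [[ =~ ]] with BASH_REMATCH over a constructed copy of ssh's error text instead of a live ssh run, and it adds the check the script above skips before deleting anything: the fingerprint ssh reported for the new key is compared against one recorded out of band for that host, so a stale entry is cleared only for a key you already know. The fingerprint, the /tmp path, the address and the expected_fingerprint list are all made up for the example.

```bash
#!/bin/bash
# Added example (not the blog's script): parse ssh's "host key changed" text with
# bash regexes, then delete the offending known_hosts line only when the reported
# fingerprint matches one recorded out of band for that host.

# Constructed sample of ssh's stderr; fingerprint, path and address are made up.
SAMPLE_SSH_OUTPUT='@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
The fingerprint for the RSA key sent by the remote host is
de:ad:be:ef:ff:59:fe:1b:39:55:fe:e5:ac:6b:13:fe.
Please contact your system administrator.
Add correct host key in /tmp/example_known_hosts to get rid of this message.
Offending key in /tmp/example_known_hosts:2
RSA host key for 192.168.1.51 has changed and you have requested strict checking.
Host key verification failed.'

# Prints "<file> <line>" taken from the "Offending key in <file>:<line>" line.
parse_offending() {
    local re='Offending key in ([^[:space:]]+):([0-9]+)'
    [[ "$1" =~ $re ]] || return 1
    printf '%s %s\n' "${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}"
}

# Prints the fingerprint ssh reported for the key it just received. [[:space:]]+
# lets the match cross the line break ssh puts before the fingerprint.
parse_fingerprint() {
    local re='sent by the remote host is[[:space:]]+([A-Za-z0-9:+/=]+)\.'
    [[ "$1" =~ $re ]] || return 1
    printf '%s\n' "${BASH_REMATCH[1]}"
}

# Fingerprints you noted from the console the last time each host changed keys.
# Constructed values; a real list would come from an out-of-band source.
expected_fingerprint() {
    case "$1" in
        192.168.1.51) printf '%s\n' 'de:ad:be:ef:ff:59:fe:1b:39:55:fe:e5:ac:6b:13:fe' ;;
        *) return 1 ;;
    esac
}

# Deletes the offending line for host $2 from the file ssh named, but only if the
# reported fingerprint is the expected one. Returns 0 on deletion, 1 if the ssh
# output could not be parsed, 2 if the fingerprint does not match (file untouched).
clean_stale_key() {
    local out="$1" host="$2" parsed file line reported expected
    parsed="$(parse_offending "$out")" || return 1
    file="${parsed% *}"
    line="${parsed##* }"
    reported="$(parse_fingerprint "$out")" || return 1
    expected="$(expected_fingerprint "$host")" || return 2
    [ "$reported" = "$expected" ] || return 2
    # Portable in-place delete (sed -i takes different arguments on GNU and BSD sed).
    sed "${line}d" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Builds a constructed three-entry known_hosts file, runs the cleaner on it and
# prints the remaining line count (2 after the 192.168.1.51 entry is removed).
demo() {
    local f=/tmp/example_known_hosts
    printf '%s\n' 'host-a ssh-rsa AAAAkeyA' '192.168.1.51 ssh-rsa AAAAkeyB' 'host-c ssh-rsa AAAAkeyC' > "$f"
    clean_stale_key "$SAMPLE_SSH_OUTPUT" 192.168.1.51
    echo $(( $(wc -l < "$f") ))
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as "bash example.sh demo" to see the walk-through; in real use you would feed clean_stale_key the captured output of "ssh host echo 2>&1" and keep the expected fingerprints wherever you record them after a reinstall.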

Requirements:

  • Bash shell v. 3+

Tested on Ubuntu Linux. It should work on all Linux distro releases newer than about two years, I guess.

Let me know if you find it useful.



  - Dan

Comments

  1. Matey Said,

    Thanks to Amos Shapira for this link.
    I am new to Linux and would like to know how I could make my server (running Debian/Ubuntu 7.05) Accept SSH from my other servers?
    I made a tun0 NIC and gave it a 10.0.1.110 address but I cannot ssh to it nor can I ssh to it using the eth0's address?

    I would like to learn how I could make my backups transfer from other server to my box via SSH? I already have the script that does that but I don't know how it would work if there is No passwords mentioned in that script? (The guy before me had it transferred to another box which no longer exists/dead IP address??)

    As for now the backup script gets stuck in transferring the data to my machine and cause a little headache (bcs the cron jobs fall on each other every day and pile up)!

    I appreciate any info or links.

    Thank You!

  2. Matey Said,

    oops I mean 7.04.
    Oh and when I go to another machine and I ssh to mine, I get a blinking cursor and have to ^c out of it? (basically no response and asks for no passwd or does not give any errors)?!
    So is there a daemon besides sshd and ssh-agent that I should be running?
    Thanks!

  3. Dan Said,

    Hi Matey.
    First let me say, this is just a personal blog and not a support forum, so pardon me if this reply isn’t all that detailed.
    Nevertheless here are some pointers for you.

    Some versions of Ubuntu have something called GSSAPI enabled in /etc/ssh/sshd_config. It can severely slow down the time a connect takes. (I mean several minutes, in fact.)
    Try and edit that file, locate the two lines beginning with GSSAPI and comment them out.
    That's my guess as to what's wrong, since it's a very common problem.

    Regarding password-less login via SSH, what you must use is called “ssh-keys”. You specifically generate a “key-pair” on the client machine and upload the “public key” to the server.
    A full guide can be found here:
    http://www.sshkeychain.org/mirrors/SSH-with-Keys-HOWTO/SSH-with-Keys-HOWTO-4.html
    (Scroll down to the section called: “4.3 Protocol version 2 key generation”)
    Once set up correctly, you can simply connect via ssh without entering a password.

    Hope this helps you.

  4. helpdeskdan Said,

    Great, a script to do it – exactly what I was looking for, thanks!

    Also, you should look up disabling DNS to speed up ssh.

    http://www.openssh.com/faq.html#3.3

  5. maltje Said,

    How do I use this in OS X?

    Kind regards
