SRX

Expand all | Collapse all

log in -- Host key verification failed

  • 1.  log in -- Host key verification failed

    Posted 12-17-2019 08:47

    Hi,

     

    We have obseved below log messages on SRX210 as well SRX300 while i am trying to authenticate. I could not log in the firewall.

    Please suggest, how to fix it.

     

     

    user@fw> ssh 10.21.8.100
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the ED25519 key sent by the remote host is
    SHA256:xXA7F58CP343PY8KuG/Ingdw0JKLGkpvUtfLJeiMGf4.
    Please contact your system administrator.
    Add correct host key in /var/home/radius-admingroup-template-user/.ssh/known_hosts to get rid of this message.
    Offending ED25519 key in /var/home/radius-admingroup-template-user/.ssh/known_hosts:3
    ED25519 host key for 10.21.8.100 has changed and you have requested strict checking.
    Host key verification failed.

     

    Regards,

    Nik


    #SRX


  • 2.  RE: log in -- Host key verification failed

    Posted 12-17-2019 18:31

    Hello,

     

    You need to edit file /var/home/radius-admingroup-template-user/.ssh/known_hosts, as the prompt says, and delete line which contains "10.21.8.100" 

    Here is the procedure in shell, assuming You have privileges to edit this file:

    1/ vi  /var/home/radius-admingroup-template-user/.ssh/known_hosts 

    2/ look for 10.21.8.100

    3/ delete the line containing 10.21.8.100

    4/ save the file and exit vi editor

    5/ repeat ssh attempt and accept the new key.

    But You should be investigating the root cause first - why the SSH key changed? While this could happen after upgrade, or booting from alternate partition containing older/newer JUNOS version, the more sinister root causes such as someone remotely took over Your internet-exposed FW and implanted own backdoored firmware cannot be ruled out nowadays.

    HTH

    Thx

    Alex



  • 3.  RE: log in -- Host key verification failed

    Posted 12-18-2019 05:19

    Hi Alex,

     

    AS i checked, their is no. .ssh/known_host exist.

     

    ser@fw% cd /var/home/radius-admingroup-template-user/
    user@fw% ls -la
    total 8
    drwxr-xr-x 2 radius-admingroup-template-user 20 512 Dec 11 14:41 .
    drwxr-xr-x 5 root wheel 512 Dec 11 14:41 ..
    user@fw% pwd
    /cf/var/home/radius-admingroup-template-user
    user@fw%

     

    Regards,

    Nik



  • 4.  RE: log in -- Host key verification failed

     
    Posted 12-18-2019 07:22

    While you are trying to figure out how to update the new host key on your system you can use telnet to login to the device.

     

    Updating host key depend on what kind of setup you are using to access the device (unix, mac, putty, secure crt)

     

    It might be possible that you don't have admin credential to update the ssh host key on your system.

     

    Please refer following link for different options that you have:


    https://help.dreamhost.com/hc/en-us/articles/217239087-Updating-host-keys

    PS: Please accept my response as solution if it asnwers your query, kuods are appreciated too!

    Thanks

    Vishal



  • 5.  RE: log in -- Host key verification failed

    Posted 12-18-2019 23:53

    Hello,

     


    @Target wrote:

    Hi Alex,

     

    AS i checked, their is no. .ssh/known_host exist.

     

    ser@fw% cd /var/home/radius-admingroup-template-user/
    user@fw% ls -la
    total 8
    drwxr-xr-x 2 radius-admingroup-template-user 20 512 Dec 11 14:41 .
    drwxr-xr-x 5 root wheel 512 Dec 11 14:41 ..
    user@fw% pwd
    /cf/var/home/radius-admingroup-template-user
    user@fw%

     


     

    Interesting. Have You checked under actual user directory - it would be /var/home/user/.ssh/known_hosts ?

    Other option You have is to use ssh from Freebsd shell with -o knob , either:

     

    ssh -o UserKnownHostsFile=/dev/null 10.21.8.100

    or

    ssh -o StrictHostKeyChecking=no 10.21.8.100

    Neither option replaces the stored key for 10.21.8.100, You have to find out where it comes from.

    HTH

    Thx

    Alex