[ Followup-To comp.security.ssh ]
In comp.os.linux.networking Nils Gorges <(E-Mail Removed)> suggested:
> Hello NG,
> I will ask you for your opinion on the following situation since I cannot
> judge it myself.
> While connecting by using ssh to my server the server welcomed me with
> this message:
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
That's your ssh client that makes the message.
> I definitely changed nothing in the server and client configuration. I
> didn't change any host key and I never got that message before.
> All logs and status information seem to be OK; the only thing is that the
> message log shows that the server was restarted 2 times last night.
> First time at 2 a.m., second time at 6 a.m., and it is located in a
> computer center with a UPS.
Investigate why, logrotate from cron might be a reason, but not
twice.
> So what do you think? Does this indicate a successful intrusion or is it
> vice versa and the host key warning comes because the server restarted
> for some reasons?
The server key won't change if the server is restarted, never.
Double check the version of sshd (OpenSSH_3.9p1 is the latest),
and any other package version for known security problems. Sounds
suspicious, something has changed, your ~/.ssh/known_hosts, your
system wide known_hosts if any or the server key has been
exchanged.
--
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
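The reply above names three places the change could be: the user's known_hosts, a system-wide known_hosts, or the server key itself. The following is an added example, not part of the original post: it compares each client-side file against a reference copy of the server's public host key obtained out-of-band (console or backup). The host name, file contents and keys are constructed placeholders, and only literal or hashed host fields are handled (no wildcard patterns).

```python
import base64, hashlib, hmac, struct

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form printed by `ssh-keygen -l`."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Literal comma-separated names, or a hashed |1|salt|hmac field."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return host in field.split(",")

def audit(host, reference_pub, files):
    """Map each known_hosts source to 'match', 'mismatch' or 'absent'
    relative to a host key obtained out-of-band (console or backup)."""
    ktype, ref_blob = reference_pub.split()[:2]
    result = {}
    for name, text in files.items():
        # Skip comments and @marker lines; keep entries for this host and key type.
        blobs = [f[2] for f in (l.split() for l in text.splitlines())
                 if len(f) >= 3 and f[0][0] not in "#@"
                 and f[1] == ktype and host_matches(f[0], host)]
        result[name] = ("absent" if not blobs else
                        "match" if ref_blob in blobs else "mismatch")
    return result

# --- constructed sample data: these are not real keys or hosts ---
def make_blob(seed):
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32)
    return base64.b64encode(raw + hashlib.sha256(seed).digest()).decode()

def make_hashed(host, salt=b"constructed-salt-20b"):
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

HOST = "server.example.org"
REFERENCE = "ssh-ed25519 " + make_blob(b"original") + " root@server"
SOURCES = {
    "~/.ssh/known_hosts": make_hashed(HOST) + " ssh-ed25519 " + make_blob(b"original") + "\n",
    "/etc/ssh/ssh_known_hosts": HOST + ",192.0.2.10 ssh-ed25519 " + make_blob(b"other") + "\n",
}

if __name__ == "__main__":
    print("reference:", fingerprint(REFERENCE.split()[1]))
    for name, verdict in audit(HOST, REFERENCE, SOURCES).items():
        print(name, "->", verdict)
```

A `mismatch` against a backup copy of the key localises the change to that file or to the server key; if every file reports `match` against the key read at the server's console and the client still warns, the key being offered on the network path is not that one.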