How can you reset ssh?

Tyler McAdams (Mac Elite, Join Date: Feb 2002, Location: Hilton Head, SC):
Strict checking is not allowing me to connect to a Linux box (I reinstalled). What can I do to reset this option on ssh?

OreoCookie (Moderator, Join Date: May 2001, Location: Hilbert space):
Open the terminal, go to the ~/.ssh/ directory and delete the hosts file.
I don't suffer from insanity, I enjoy every minute of it.

utidjian (Senior User, Join Date: Jan 2001, Location: Mahwah, NJ USA):
Originally posted by Tyler McAdams:
Strict checking is not allowing me to connect to a Linux box (I reinstalled). What can I do to reset this option on ssh?
I assume you are getting a 'WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!' message, yes?
If so then, as the rest of that error message explains, you will need to edit your ~/.ssh/known_hosts file on the Mac OS X machine. The simplest solution is just to delete the entry for that host from your known_hosts file. The error message tells you which line number to delete. As an example:
Code:
iwhiz:~ utidjian$ ssh 204.XXX.YYY.ZZZ
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
1e:68:c6:ab:fb:68:35:af:be:2b:d9:8g:c5:e4:e5:9d.
Please contact your system administrator.
Add correct host key in /Users/utidjian/.ssh/known_hosts to get rid of this message.
Offending key in /Users/utidjian/.ssh/known_hosts:29
RSA host key for 204.XXX.YYY.ZZZ has changed and you have requested strict checking.
Host key verification failed.
The relevant line here is 'Offending key in /Users/utidjian/.ssh/known_hosts:29'. The line number is '29'. To delete the line:
Code:
vi +29 ~/.ssh/known_hosts
then type dd
then type :wq
You should then be able to connect via ssh to your Linux box. It will ask you once again if you want to accept the host key.
This will happen every time the host key for that particular IP changes. The host key will change whenever you re-install (new keys are generated) or if the IP address changes (via DHCP or whatever) but the host key remains the same. In either case ssh will complain. This is a Good Thing(TM) because it helps to prevent man-in-the-middle and trojan horse attacks on ssh.
The reasons I suggest using vi are several... The .ssh/known_hosts file has lines that are approx 250 characters long! This makes it awkward to find the particular line you want to edit. The layout of the file is also very important and other text editors may not save the file correctly. Also vi is, for all practical purposes, universally available on Unix... so it will work anywhere.
For more information on this see man ssh and man ssh_config and man vi.
All of this can be a hassle if the systems you ssh to change their IP address or FQDN often. The host key component of ssh is a key part (no pun intended) of the security of ssh so, please, do not be tempted to change the default 'StrictHostKeyChecking ask' to 'StrictHostKeyChecking no' in /etc/ssh_config or in ~/.ssh/ssh_config.
-DU-...etc...
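As an added example (not code from the thread or from OpenSSH itself): a small POSIX shell script that does what utidjian describes with vi, but non-interactively. It pulls the line number out of ssh's own warning text, deletes just that line from known_hosts while keeping a backup, and can also find a host's entry by name or IP so you know which line to look at. The file path, the known_hosts entries and the warning text it runs on are constructed here for the demo, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the original thread.  Removes ONE stale entry from a
# known_hosts file instead of deleting the whole file.  Paths, hostnames and key
# material below are constructed for the demo, not taken from a real system.

# Read ssh's warning text on stdin and print the offending line number.
# Matches both "Offending key in <file>:<N>" (older OpenSSH, as quoted above)
# and "Offending RSA key in <file>:<N>" (newer OpenSSH).
offending_line() {
    sed -n 's/^Offending .*key in .*:\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Delete exactly one line, by number, keeping the original as <file>.old so the
# removed key can still be inspected or restored.
remove_line() {
    file=$1
    n=$2
    cp "$file" "$file.old"
    sed "${n}d" "$file.old" > "$file"
}

# Print the line numbers whose host field contains NAME exactly.  The host
# field is a comma-separated list (e.g. "alpha.example,10.0.0.5"); entries
# prefixed with a marker such as @cert-authority keep it in field 2.  Hashed
# entries (starting with "|1|") cannot be matched this way; ssh-keygen -F NAME
# handles those.
find_host_lines() {
    file=$1
    name=$2
    awk -v h="$name" '
        NF == 0 || $1 ~ /^#/ { next }
        { f = ($1 ~ /^@/) ? 2 : 1
          split($f, names, ",")
          for (i in names) if (names[i] == h) { print NR; break } }
    ' "$file"
}

# Demo on a constructed known_hosts file in a temporary directory.
demo() {
    dir=$(mktemp -d)
    kh="$dir/known_hosts"
    cat > "$kh" <<'EOF'
alpha.example,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed1
beta.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed2
204.XXX.YYY.ZZZ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed3
EOF
    # Constructed copy of the relevant warning line from the post above.
    n=$(printf 'Offending key in %s:3\n' "$kh" | offending_line)
    echo "warning points at line $n; entry for 204.XXX.YYY.ZZZ is on line $(find_host_lines "$kh" 204.XXX.YYY.ZZZ)"
    remove_line "$kh" "$n"
    echo "remaining entries:"
    cat "$kh"
    rm -rf "$dir"
}

demo
```

Two things worth knowing alongside this. First, current OpenSSH ships the command the original poster was hoping for: `ssh-keygen -R hostname` removes every key for that host (hashed entries included) and writes the original to known_hosts.old, and `ssh-keygen -F hostname` shows the matching entry. Second, removing the line is only half the job: before you answer "yes" to the new key prompt, compare the fingerprint ssh prints with one obtained out of band, for example by running `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` on the server's console; if they differ, the reinstall is not the explanation. The per-user client configuration file that utidjian warns against loosening is `~/.ssh/config` (system-wide: `/etc/ssh/ssh_config`, or `/etc/ssh_config` on the Mac OS X of that era).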

utidjian (Senior User, Join Date: Jan 2001, Location: Mahwah, NJ USA):
Originally posted by OreoCookie:
Open the terminal, go to the ~/.ssh/ directory and delete the hosts file.
I disagree with that solution. It is certainly quick and easy but it also destroys the value of the warning message when the host keys do not match. I have 78 entries in my .ssh/known_hosts file... if I deleted it, every single one of those hosts would complain and ask me to accept the new host key when I tried to connect via ssh. How would I know which one to suspect?
-DU-...etc...

OreoCookie (Moderator, Join Date: May 2001, Location: Hilbert space):
Originally posted by utidjian:
I disagree with that solution. It is certainly quick and easy but it also destroys the value of the warning message when the host keys do not match. I have 78 entries in my .ssh/known_hosts file... if I deleted it, every single one of those hosts would complain and ask me to accept the new host key when I tried to connect via ssh. How would I know which one to suspect?
Try to check out the IPs in the known_hosts file and delete the lines manually ...
I don't suffer from insanity, I enjoy every minute of it.

utidjian (Senior User, Join Date: Jan 2001, Location: Mahwah, NJ USA):
Originally posted by OreoCookie:
Try to check out the IPs in the known_hosts file and delete the lines manually ...
What is your point?
-DU-...etc...

OreoCookie (Moderator, Join Date: May 2001, Location: Hilbert space):
Originally posted by utidjian:
What is your point?
Delete the faulty entry of the computer in question manually.
Just open the file in the Terminal and delete the line in question, maybe this will work without deleting the whole file.
I don't suffer from insanity, I enjoy every minute of it.

Kristoff (Mac Elite, Join Date: Sep 2000, Location: in front of the keyboard):
OreoCookie:
It does work, and that's the real solution, and what utidjian said to do.
Anyone who says to delete the whole file is just silly.
The whole point is to be able to validate the authenticity of the host that you are making the connection to.
If you are in the habit of deleting your known hosts, how can you ever expect to know when a host is not authentic or has been compromised?
signatures are a waste of bandwidth
especially ones with political tripe in them.

Tyler McAdams (Mac Elite, Join Date: Feb 2002, Location: Hilton Head, SC):
Man I was hoping for a command of some sort... being unix. No worries, and thanks for your help fellas!!!

Detrius (Professional Poster, Join Date: Apr 2001, Location: Long Beach, CA):
Originally posted by Tyler McAdams:
Man I was hoping for a command of some sort... being unix. No worries, and thanks for your help fellas!!!
Ummm... you delete the offending line in a configuration text file. How is that not Unix-like?
ACSA 10.4/10.3, ACTC 10.3, ACHDS 10.3

OreoCookie (Moderator, Join Date: May 2001, Location: Hilbert space):
Originally posted by Kristoff:
OreoCookie:
It does work, and that's the real solution, and what utidjian said to do.
Anyone who says to delete the whole file is just silly.
The whole point is to be able to validate the authenticity of the host that you are making the connection to.
If you are in the habit of deleting your known hosts, how can you ever expect to know when a host is not authentic or has been compromised?
Well, I have only five different computers in my file (my two servers, a friend's computer via dyndns and two university computers), so I find it easier to delete the whole file. On the other hand, with more than 70 computers in your file, I see the point ...
I don't suffer from insanity, I enjoy every minute of it.

Tyler McAdams (Mac Elite, Join Date: Feb 2002, Location: Hilton Head, SC):
Originally posted by Detrius:
Ummm... you delete the offending line in a configuration text file. How is that not Unix-like?
I was thinking something along the lines of "ssh reset" or something. Mainframes have "Facilities" and "ACLs" for configuring such things.

utidjian (Senior User, Join Date: Jan 2001, Location: Mahwah, NJ USA):
Originally posted by Tyler McAdams:
I was thinking something along the lines of "ssh reset" or something. Mainframes have "Facilities" and "ACLs" for configuring such things.
Oh there are things like that in Mac OS X and other Unixes.
You can do something like (in Mac OS X):
Code:
core:~ physicsadmin$ sudo service ssh stop
core:~ physicsadmin$ sudo service ssh start
or (in Linux):
Code:
[root@tuttle root]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
For a full list of the services controlled by the 'service' command do:
'sudo service --list' (for Mac OS X) and
'service --status-all' (for Linux)
There is also 'kill -HUP [PID of service]' for "resetting" a service.
On the Linux side the 'service' command has a richer feature set than Mac OS X... more verbose etc. and more options. Be careful with the command. Guess what happens if you are sshed into a system and do:
'sudo service ssh stop' or
'service sshd stop'?
In Linux, however, it is "safe" to do:
'service sshd restart'
and the service will not hang up on you unless you have made some config changes to the service.
But neither of these would fix your problem ;-)
It is quite common in Unix to edit a flat plain text configuration file (usually in /etc somewhere or ~/.somefile) and then restart the application or service that uses that config file. For both Mac OS X and Linux there are GUI configuration tools for most services that will apply the changes as they are made or there will be an [Apply] or [Restart] or whatever button. In the case of the ~/.ssh/known_hosts file it has to be edited to remove a host entry, which will "reset" ssh attempts to that host.
Whether the file is edited using a text editor or using a button in a GUI app depends on whether such a GUI app is available that can parse the file correctly. PuTTY keeps these entries in ~/.putty/sshhostkeys. sshhostkeys and known_hosts are not, as far as I can tell, interchangeable. In any case... both ssh methods use flat text configuration files... editing these files can be done by using an editor or the GUI front end to the ssh utility.
I haven't been able to get PuTTY to build yet on Mac OS X but I did find a GUI front end for you.
See: http://www.pingx.net/secpanel/
It requires X Windows (comes with Mac OS X) and Tk/Tcl (available via Fink). I tested it on one of my systems and it seems to work fine. LOTS of GUI clickable options and profiles and whatnot. It uses the standard ~/.ssh/ files for configuration and adds some of its own to ~/.secpanel/. Since secpanel is only a Tk/Tcl script it will not be as pretty as a full blown native Mac OS X GUI app... but it is also very portable and small.
Good luck.
-DU-...etc...

Tyler McAdams (Mac Elite, Join Date: Feb 2002, Location: Hilton Head, SC):
Originally posted by utidjian:
Oh there are things like that in Mac OS X and other Unixes. [...]
Nice. Thanks for all the info! 