Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Host key verification failed

When I SSH to a Cisco IPS from my MARS I get the following message -

ssh x.x.x.x

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

Someone could be eavesdropping on you right now (man-in-the-middle attack)!

It is also possible that the DSA host key has just been changed.

The fingerprint for the DSA key sent by the remote host is (intentionally removed).

Please contact your system administrator.

Add correct host key in /opt/janus/release/bin/.ssh/known_hosts to get rid of this message.

Offending key in /opt/janus/release/bin/.ssh/known_hosts:1

DSA host key for x.x.x.x has changed and you have requested strict checking.

Host key verification failed."

I *really* need to get this IPS reporting to the MARS as soon as possible and this is preventing it. How do I add the correct host key in the known hosts file on the MARS? BTW, it says I have requested strict checking but if they are referring to the ssl/ssh settings they are set to automatically always accept. Also, I do not have access to the IPS to generate another key (if this would even help). I have opened a TAC case but we all know how long they can take to make contact.

Any help is GREATLY appreciated!

Cheers,

Jeremy

1 REPLY
New Member

Host key verification failed

This seems to have been ignored by all parties it seems, not sure if you (jeremy) resolved this issue and forgot you put it up. I recently had this issue and didnt have clue what was causing it...

So here we go:

The out put was generated by my local linux (server).  Exactly the same as above..

Step 1

I first made sure i configured ssh correctly (waste of time but good refresher for me)... http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

Step 2

Clear the known hosts file

The error message had the answes...just did not know where to look...

"The fingerprint for the DSA key sent by the remote host is (intentionally removed)." - someone generated a new rsa key in my case..

"Offending key in /opt/janus/release/bin/.ssh/known_hosts:1" local key doesnt match so i had to clear it...

ssh-keygen -R hostname/ipaddress

Step 3

Try reconnect again ---

The authenticity of host 'switch1 (192.168.1.101)' can't be established.

RSA key fingerprint is zzzzzzzzzzzzzzzzzzzzzzzzzzzzzxxxxxxxxx.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'switch1,192.168.1.101' (RSA) to the list of known hosts.


I hope this helps anyone having this issue..

5749
Views
0
Helpful
1
Replies