22

I've connected Raspberry Pi with Raspbian OS to local network and set up the SSH login using ssh keys. I successfully log in just by ssh myname@192.168.5.163 (assigned static IP to Raspberry Pi).

I have now removed the Raspbian OS, and inserted an SD card with Ubuntu Server (headless) on it.

I turned on the Raspberry Pi and tried to login, but I got error:

ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
ERROR: Someone could be eavesdropping on you right now (man-in-the-middle attack)!
ERROR: It is also possible that a host key has just been changed.
ERROR: The fingerprint for the ECDSA key sent by the remote host is
ERROR: SHA256:asfasfdasdfasfdasfdasdfasdfasdfasdfasfasdf.
ERROR: Please contact your system administrator.
ERROR: Add correct host key in /home/joedoe/.ssh/known_hosts to get rid of this message.
ERROR: Offending ECDSA key in /home/joedoe/.ssh/known_hosts:13
ERROR:   remove with:
ERROR:   ssh-keygen -f "/home/joedoe/.ssh/known_hosts" -R "192.168.5.163"
ERROR: ECDSA host key for 192.168.5.163 has changed and you have requested strict checking.
ERROR: Host key verification failed.

I went on and added to my .ssh/config:

host 192.168.5.163
    StrictHostKeyChecking no

but now I get

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:asdfasdfasdfasdfasdfasdfasdfasdfasdf.
Please contact your system administrator.
Add correct host key in /home/joedoe/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/joedoe/.ssh/known_hosts:13
  remove with:
  ssh-keygen -f "/home/joedoe/.ssh/known_hosts" -R "192.168.5.163"
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
ubuntu@192.168.5.163: Permission denied (publickey,password).

Clearly the problem is that I want to log in to two different OSes on the same IP address, but the new Ubuntu OS does not have the SSH login set up, and it doesn't allow me to log in in any way.

How should I proceed in order to be able to use both OSes interchangeably?

Braiam
Danijel

5 Answers

30

You can fix the immediate problem by following the instructions in the error message (you must do this each time you switch boxes):

ssh-keygen -f "/home/joedoe/.ssh/known_hosts" -R "192.168.5.163"

The problem you are running into is that your computer has detected that the system it's logging into is different to the one previously seen, and the warning is there to prevent man-in-the-middle attacks.

There are a number of ways of dealing with this properly. They include:

  1. Setting up names for each box in /etc/hosts and then referring to the SSH connection by name rather than IP. In this way SSH will associate different server fingerprints with each name.

  2. Ignoring the check (this opens you up to MITM attacks, so only do it if you understand and are comfortable with the risks). You can ignore this check by adding -o UserKnownHostsFile=/dev/null to your ssh command, or -o StrictHostKeyChecking=no

    2a. You can create a config that only ignores the key check for the one IP by putting the following into ~/.ssh/config

    Host 192.168.5.163
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null

  3. I wouldn't advise it unless the machines fill the same role, but you could make the host keys in /etc/ssh the same on both servers (and restart sshd on the one you changed). In this way both servers will appear the same to the client.

Danijel
davidgo
30

There are several potential solutions.

The easiest solution is the one davidgo proposed in his answer, which, as he mentions, leaves you open to a MitM attack (unlikely, but it's good to practice good security even in private situations).

  Host 192.168.5.163
      StrictHostKeyChecking no
      UserKnownHostsFile /dev/null

A slightly better solution would be, as Eugen Rieck proposed, to synchronize the /etc/ssh/ssh_host_*key* files between both target OS systems.

A more reliable method would be to specifically decide which OS to connect to, so you do get an error if you connect to the wrong OS. That would, for example, allow scripts using ssh to fail if they target the wrong OS.
You can do that by effectively using an alias in ~/.ssh/ssh_config.

Host raspbian-pi
  Hostname 192.168.5.163
  UserKnownHostsFile ~/.ssh/known_hosts_raspbian

Host centos-pi
  Hostname 192.168.5.163
  UserKnownHostsFile ~/.ssh/known_hosts_centos

You can then connect with ssh <your_user>@raspbian-pi to retrieve the Raspbian OS key, then switch to CentOS on your Raspberry Pi, do the same with ssh <your_user>@centos-pi to get the CentOS key. Then, in the future, whenever you connect to the wrong OS, you will get the host key error. Make sure to use the correct OS the first time you use the SSH command, so you don't accidentally store the CentOS host key in the Raspbian known hosts file.

Disclaimer: I've never used this solution and I'm not in a position to test it, but it should work correctly from my understanding and the documentation of ssh.
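The following is an added example, not code from the question or from either of the two answers above. It models the check the OpenSSH client performs against known_hosts, reproducing the "Offending ECDSA key in known_hosts:13" situation from the question, the one-off `ssh-keygen -R` fix from the first answer, and the per-alias UserKnownHostsFile layout from the answer above (using an `ubuntu-pi` alias instead of `centos-pi`, to match the question). It also includes a minimal ssh_config resolver, which is how the alias ends up selecting the right file. Every key blob, hashing salt, hostname and file content is a constructed placeholder, and the resolver only implements what the example needs (Host glob patterns, first-value-wins, `Key value` and `Key=value` syntax).

```python
"""Model of the OpenSSH client's known_hosts check (added example).

Reproduces the situation in the question (one IP, two OSes with different
host keys, a shared known_hosts whose line 13 holds the Raspbian key) and
then the per-alias UserKnownHostsFile layout from the answer above.
All key blobs, salts and file contents are constructed placeholders.
"""
import base64
import fnmatch
import hashlib
import hmac
import re

PI_IP = "192.168.5.163"
KEYS = {  # constructed placeholder blobs, not real public keys
    "raspbian": ("ecdsa-sha2-nistp256", "AAAAplaceholderRaspbianKey"),
    "ubuntu": ("ecdsa-sha2-nistp256", "AAAAplaceholderUbuntuKey"),
}

def hash_hostname(host, salt):
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """known_hosts host field: a hashed entry, or comma-separated glob
    patterns where a leading '!' negates (an exclusion always wins)."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_hostname(host, salt), field)
    matched = False
    for pattern in field.split(","):
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched

def check_host_key(known_hosts, host, keytype, blob):
    """Return ("ok" | "changed" | "unknown", line number or None).

    "changed" is the REMOTE HOST IDENTIFICATION HAS CHANGED case: an entry
    for this host and key type exists with a different key, and the line
    number is what ssh prints as "Offending ... key in known_hosts:N".
    """
    offending = None
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if host_matches(fields[0], host) and fields[1] == keytype:
            if fields[2] == blob:
                return "ok", lineno
            offending = lineno
    return ("changed", offending) if offending else ("unknown", None)

def remove_host(known_hosts, host):
    """What `ssh-keygen -R host` does: drop every entry matching the host."""
    kept = [l for l in known_hosts.splitlines()
            if not (l.split() and host_matches(l.split()[0], host))]
    return "".join(k + "\n" for k in kept)

def resolve_ssh_config(config, alias):
    """Minimal ssh_config resolver: Host blocks select by glob pattern and
    the first value obtained for a keyword wins, so per-alias settings must
    precede any `Host *` defaults. Accepts `Key value` and `Key=value`."""
    opts, active = {}, True
    for line in config.splitlines():
        parts = re.split(r"\s*=\s*|\s+", line.strip(), maxsplit=1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1]
        if keyword == "host":
            active = any(fnmatch.fnmatchcase(alias, p) for p in value.split())
        elif active:
            opts.setdefault(keyword, value)
    opts.setdefault("hostname", alias)
    return opts

# Constructed shared file: twelve unrelated hosts, then the Raspbian key on
# line 13, mirroring "Offending ECDSA key in known_hosts:13" from the question.
SHARED_KNOWN_HOSTS = "".join(
    "host%02d.example ssh-ed25519 AAAAplaceholderKey%02d\n" % (i, i) for i in range(1, 13)
) + "%s %s %s\n" % (PI_IP, *KEYS["raspbian"])

SSH_CONFIG = """\
Host raspbian-pi
  Hostname 192.168.5.163
  UserKnownHostsFile ~/.ssh/known_hosts_raspbian
Host ubuntu-pi
  Hostname 192.168.5.163
  UserKnownHostsFile=~/.ssh/known_hosts_ubuntu
Host *
  User joedoe
  UserKnownHostsFile ~/.ssh/known_hosts
"""

# Constructed per-alias files; the Raspbian one is stored in hashed form.
PER_OS_FILES = {
    "~/.ssh/known_hosts_raspbian": "%s %s %s\n" % (hash_hostname(PI_IP, b"\x01" * 20), *KEYS["raspbian"]),
    "~/.ssh/known_hosts_ubuntu": "%s %s %s\n" % (PI_IP, *KEYS["ubuntu"]),
}

def connect_via_alias(alias, booted_os):
    """Simulate `ssh <alias>` while `booted_os` is the OS currently on the Pi."""
    cfg = resolve_ssh_config(SSH_CONFIG, alias)
    return check_host_key(PER_OS_FILES[cfg["userknownhostsfile"]], cfg["hostname"], *KEYS[booted_os])[0]

if __name__ == "__main__":
    print(check_host_key(SHARED_KNOWN_HOSTS, PI_IP, *KEYS["ubuntu"]))  # ('changed', 13)
    print(check_host_key(remove_host(SHARED_KNOWN_HOSTS, PI_IP), PI_IP, *KEYS["ubuntu"]))  # ('unknown', None)
    for alias, booted in [("raspbian-pi", "raspbian"), ("ubuntu-pi", "ubuntu"), ("raspbian-pi", "ubuntu")]:
        print(alias, "while", booted, "is booted:", connect_via_alias(alias, booted))  # ok, ok, changed
```

The last scenario is the point of the alias approach: connecting to `raspbian-pi` while Ubuntu is booted still fails with "changed", because the Raspbian file only ever learned the Raspbian key, whereas with the shared file the second OS could only be reached by deleting the first OS's entry every time.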

21

The easiest way to do this is to copy /etc/ssh/ssh_host_*_key* from one installation to the other - this will give both OSes the same host keys and thus the same fingerprint.

Eugen Rieck
8

Another option is to give each OS a different IP address. They get the same one now because the DHCP server sees the same MAC address. So you could configure one install to use a static IP address.

I would follow Eugen's suggestion though - that simplifies things. Or get a second Pi and run both machines at once.

Criggie
0

I personally use an OpenSSH Certificate Authority for all my Linux servers. This saves a lot of hassle when setting up a new one and orchestrating my terminal devices (desktops, laptops and jump hosts), which I previously blogged about.

While this feature isn't originally designed for this (unusual) use case, it provides an alternative solution to the problem. Just sign both host keys with the private key of your CA and add the public part to your known_hosts file, and your SSH client will automatically trust both sets of host keys without yelling at you about the discrepancies. You may still need to remove any remembered host keys with ssh-keygen -R beforehand, though.

This has the advantage that both systems can keep their host keys separated and different, which provides you with the ability to distinguish them by host keys (and certificates - there's an "identity" field that you can customize when signing the certificates). This is also secure in that you don't have to blindly trust an arbitrary host that shows up at that specific IP address.

Even if you want to protect yourself against leaked keys, you can add "allowed names / IP addresses" as "principals" when signing the certificates, for example:

ssh-keygen -s my_ca -I "RaspOS on RPi" -h -n 192.0.2.0 ssh_host_rsa_key.pub

The certificate will not be trusted unless presented from the host at 192.0.2.0, unless an attacker somehow hijacks your traffic in addition to the host keys and certificates.


Well, now I have to admit it's easier to copy the host keys between both OS's since they're on the same physical machine after all.

iBug
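The host-certificate flow from the answer above, driven from Python, as an added example (not the answer author's code or tooling). It creates a throwaway CA and host key in a temporary directory, signs the host key with the same options the answer shows (`-h`, `-n 192.0.2.0`, `-I "RaspOS on RPi"`), reads the certificate back with `ssh-keygen -L` to confirm the key ID and principal, and builds the `@cert-authority` known_hosts line that makes the client trust certificates from that CA for 192.0.2.0 only. It assumes the `ssh-keygen` binary is on PATH and returns None when it is not; the embedded `ssh-keygen -L` listing is a constructed sample with placeholder fingerprints, used to show the parsing without running anything.

```python
"""OpenSSH host-certificate signing driven from Python (added example).

Assumes the ssh-keygen binary is available; sign_host_key_demo() returns
None otherwise. Keys are throwaway, generated in a temp dir and discarded.
"""
import os
import re
import shutil
import subprocess
import tempfile

CA_PRINCIPAL = "192.0.2.0"  # documentation-range address used in the answer

# Constructed sample of `ssh-keygen -L` output; fingerprints are placeholders.
SAMPLE_LISTING = """\
/tmp/demo/ssh_host_ed25519_key-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com host certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDERHOSTFINGERPRINT
        Signing CA: ED25519 SHA256:PLACEHOLDERCAFINGERPRINT (using ssh-ed25519)
        Key ID: "RaspOS on RPi"
        Serial: 0
        Valid: forever
        Principals:
                192.0.2.0
        Critical Options: (none)
        Extensions: (none)
"""

def run(*args):
    """Run a command, fail loudly on non-zero exit, return its stdout."""
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout

def parse_cert_listing(listing):
    """Pull the Key ID and the Principals list out of `ssh-keygen -L` text.

    Field lines look like "        Name: value"; principals are the indented
    lines that follow "Principals:" (assumed to be hostnames or addresses).
    """
    info = {"key_id": None, "principals": []}
    in_principals = False
    for line in listing.splitlines():
        m = re.match(r"\s*([A-Z][A-Za-z ]+):\s*(.*)$", line)
        if m:
            field, value = m.group(1), m.group(2)
            in_principals = field == "Principals"
            if field == "Key ID":
                info["key_id"] = value.strip('"')
        elif in_principals and line.strip():
            info["principals"].append(line.strip())
    return info

def sign_host_key_demo(key_id="RaspOS on RPi", principal=CA_PRINCIPAL):
    """Generate CA + host key, sign as in the answer, return what the client sees."""
    if shutil.which("ssh-keygen") is None:
        return None  # nothing to demonstrate without the OpenSSH tools
    with tempfile.TemporaryDirectory() as d:
        ca = os.path.join(d, "my_ca")
        host_key = os.path.join(d, "ssh_host_ed25519_key")
        # Throwaway CA and host key; on a real Pi the host key already lives in /etc/ssh.
        run("ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-C", "demo-ca", "-f", ca)
        run("ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-C", "demo-host", "-f", host_key)
        # The signing step from the answer: -h makes a host certificate,
        # -n restricts it to the listed principal, -I sets the identity field.
        run("ssh-keygen", "-q", "-s", ca, "-I", key_id, "-h", "-n", principal, host_key + ".pub")
        listing = run("ssh-keygen", "-L", "-f", host_key + "-cert.pub")
        with open(ca + ".pub") as f:
            ca_pub = f.read().strip()
    cert = parse_cert_listing(listing)
    # Client-side trust anchor: only certificates from this CA, only for this host pattern.
    cert["known_hosts_line"] = "@cert-authority %s %s" % (principal, ca_pub)
    return cert

if __name__ == "__main__":
    print(parse_cert_listing(SAMPLE_LISTING))
    print(sign_host_key_demo())
```

The `@cert-authority` line goes into the client's known_hosts (after clearing any plain key remembered for the address with `ssh-keygen -R`, as the answer notes); the certificate itself is what sshd presents when `HostCertificate` points at the `-cert.pub` file, and the client then accepts either OS's certificate as long as the principal matches the address it connected to.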