
[EX] How to change the SSH public key of a remote host to keep the archival working


Article ID: KB15617    KB Last Updated: 13 Dec 2021    Version: 3.0
Summary:

This article explains how to change the SSH public key of a remote host on EX switches so that the archival of the configuration continues to function.

Note: It is assumed here that the EX switch is already configured for archival by using SCP. For steps to configure archival using SCP, refer to KB15615.

Symptoms:

Whenever the SSH public key of a remote server is changed, the following error message appears:

Switch# set system archival configuration archive-sites "scp://user@10.1.1.1:/home/user" password "password" 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING BAD!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
10:a5:7c:4e:11:79:7b:2a:35:39:0a:ec:40:64:4b:98.
Please contact your system administrator.
Add correct host key in /tmp/ssh_known_hosts_12272 to get rid of this message.
Offending key in /tmp/ssh_known_hosts_12272:1
RSA host key for 10.1.1.1 has changed and you have requested strict checking.
Host key verification failed.
Solution:

How to remove the old key and update with the new key of the remote host:

Whenever the remote host public key is changed, the key needs to be updated in the ssh-known-hosts section of the configuration.

  1. First, in configuration mode, delete the old key as well as the archive-sites configuration:

Switch# delete security ssh-known-hosts host
Switch# delete system archival configuration archive-sites
  2. Add the archive-sites URL and specify either the transfer-on-commit or the transfer-interval command (one of the two is mandatory). Then press Enter.

    Note that transfer-interval is measured in minutes.

    The switch will then prompt for the new key. Type "yes" at the prompt to add the new key:

Switch# set system archival configuration transfer-on-commit
(or, instead of transfer-on-commit: set system archival configuration transfer-interval 360)
Switch# set system archival configuration archive-sites "scp://user@10.1.1.1:/home/user" password "password"

The authenticity of host '10.1.1.1 (10.1.1.1)' can't be established.
RSA key fingerprint is 24:60:ab:1b:6d:4e:10:e2:ea:9c:0f:af:17:49:38:cc.

Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.1' (RSA) to the list of known hosts.
  3. Commit the changes:

Switch# commit
configuration check succeeds
commit complete

Now the EX switch is updated with the new public key of the remote host and will archive the configuration using SCP.
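The prompt in step 2 should only be answered "yes" after the fingerprint it shows has been compared with the fingerprint of the server's own host key, obtained through a channel other than the SSH connection being verified (for example, from the server console). That comparison is what separates a legitimate key change from the man-in-the-middle case the warning in the Symptoms section describes. The script below is an added example and is not part of this article or of Junos; it extracts the colon-separated MD5 fingerprint from the switch's prompt text, computes the same fingerprint from an OpenSSH public key line (such as the contents of the server's /etc/ssh/ssh_host_rsa_key.pub, assumed here as the file to read), and reports whether they agree. The prompt text and the key line used in the example are constructed samples.

```python
import base64
import hashlib
import re

# Constructed sample of the prompt the switch prints in step 2 (same wording
# and fingerprint format as the article; not captured from a real device).
SWITCH_PROMPT = """The authenticity of host '10.1.1.1 (10.1.1.1)' can't be established.
RSA key fingerprint is 24:60:ab:1b:6d:4e:10:e2:ea:9c:0f:af:17:49:38:cc.
"""

# Sixteen colon-separated hex bytes: the MD5 fingerprint format shown by
# the switch in both the warning and the "authenticity" prompt.
FP_RE = re.compile(r"((?:[0-9a-f]{2}:){15}[0-9a-f]{2})", re.IGNORECASE)


def fingerprint_from_prompt(text):
    """Return the MD5-style fingerprint found in switch output, or None.

    Works for both messages in the article: the 'RSA key fingerprint is ...'
    prompt and the 'fingerprint for the RSA key sent by the remote host is'
    line of the host-identification-changed warning.
    """
    match = FP_RE.search(text)
    return match.group(1).lower() if match else None


def md5_fingerprint(pubkey_line):
    """Compute the colon-separated MD5 fingerprint of an OpenSSH public key.

    pubkey_line is one line of an OpenSSH public key file,
    e.g. 'ssh-rsa AAAAB3... comment'. The second field is the base64 key
    blob; its MD5 digest, written as hex bytes joined by colons, is the
    value ssh-keygen prints with '-l -E md5' and the value the switch shows.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def host_key_matches(prompt_text, pubkey_line):
    """True only when the fingerprint the switch shows equals the one
    computed from the server's own host key file obtained out of band."""
    shown = fingerprint_from_prompt(prompt_text)
    if shown is None:
        return False
    return shown == md5_fingerprint(pubkey_line)


if __name__ == "__main__":
    # Assumed path of the server's RSA host public key (read on the server
    # or copied from it over a trusted channel, never over the session
    # being verified).
    with open("/etc/ssh/ssh_host_rsa_key.pub") as f:
        server_key = f.readline()
    print("switch shows :", fingerprint_from_prompt(SWITCH_PROMPT))
    print("server has   :", md5_fingerprint(server_key))
    print("answer yes?  :", host_key_matches(SWITCH_PROMPT, server_key))
```

If the two fingerprints differ, do not answer "yes"; the key in the switch's prompt is not the key the server holds, and the archival target should be investigated before the configuration is committed. If the server's ssh-keygen shows SHA256 fingerprints by default, add `-E md5` to get the format the switch displays.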

Modification History:
  • 2020-10-12: Minor, non-technical edits.

  • 2021-12-13: Added transfer-on-commit or transfer-interval to the commands, since one of them is mandatory.
