
[EX] How to change the SSH public key of a remote host to keep the archival working


Article ID: KB15617 | Last Updated: 13 Oct 2020 | Version: 2.0
Summary:

This article explains how to change the SSH public key of a remote host on EX switches so that the archival of the configuration continues to function. This article assumes that the EX switch is already configured for archival using SCP; KB15615 shows the steps to configure archival using SCP.


Symptoms:

Whenever the SSH public key of the remote server is changed, the following error message appears when you try to set the archive site again, because the switch still holds the old key for that host:

Switch# set system archival configuration archive-sites "scp://user@10.1.1.1:/home/user" password "password"
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING BAD!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
10:a5:7c:4e:11:79:7b:2a:35:39:0a:ec:40:64:4b:98.
Please contact your system administrator.
Add correct host key in /tmp/ssh_known_hosts_12272 to get rid of this message.
Offending key in /tmp/ssh_known_hosts_12272:1
RSA host key for 10.1.1.1 has changed and you have requested strict checking.
Host key verification failed.


Solution:

How to remove the old key and update with the new key of the remote host:
Whenever the remote host's public key changes, the key stored under the ssh-known-hosts section of the configuration must be replaced.

  • First, delete the old key (10.1.1.1 is the remote host from the example above):
Switch# delete security ssh-known-hosts host 10.1.1.1
  • Also delete the archive-sites configuration:
Switch# delete system archival configuration archive-sites
  • Add the archive-site URL again and press Enter. The switch prompts to add the new key; type "yes" at the prompt to accept it:
{master:1}[edit]
Switch# set system archival configuration archive-sites "scp://user@10.1.1.1:/home/juniper" password "password"
The authenticity of host '10.1.1.1 (10.1.1.1)' can't be established.
RSA key fingerprint is 24:60:ab:1b:6d:4e:10:e2:ea:9c:0f:af:17:49:38:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.1' (RSA) to the list of known hosts.
  • Commit the changes:
Switch# commit
configuration check succeeds
fpc1:
commit complete

Now the EX switch is updated with the new public key of the remote host and will archive the configuration using SCP.
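The prompt in the third step asks you to accept a fingerprint; before answering "yes", compare it with the fingerprint of the archive server's host key obtained out of band (for example from the server's own ssh_host_rsa_key.pub). As an added example that is not part of this KB article, the Python below computes the MD5 colon-separated fingerprint (the format Junos prints) of an OpenSSH public-key line or a known_hosts entry and compares it with the value shown at the prompt; the RSA key and the 10.1.1.1 entry are constructed sample data.

```python
import base64
import hashlib
import struct

def _mpint(x: int) -> bytes:
    # RFC 4251 mpint: big-endian, with a leading 0x00 when the top bit is set
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(b)) + b

def ssh_rsa_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)

def md5_fingerprint(pubkey_line: str) -> str:
    """MD5 fingerprint (aa:bb:...) of an OpenSSH 'ssh-rsa <base64> [comment]' line,
    the format Junos prints in the 'RSA key fingerprint is ...' prompt."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64>' public-key line")
    blob = base64.b64decode(fields[1])
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_from_known_hosts(line: str):
    """Split a known_hosts entry ('10.1.1.1 ssh-rsa AAAA...') into (host, fingerprint)."""
    host, _, key = line.strip().partition(" ")
    return host, md5_fingerprint(key)

def normalize(fp: str) -> str:
    """Drop the trailing period and case differences the prompt output carries."""
    return fp.strip().rstrip(".").lower()

def fingerprint_matches(prompt_fp: str, expected_fp: str) -> bool:
    """True only if the fingerprint shown at the prompt equals the out-of-band value."""
    return normalize(prompt_fp) == normalize(expected_fp)

# Constructed sample key (not a real host key): e = 65537 and a 256-bit modulus.
SAMPLE_MODULUS = int("c3f5a1d2e4b6f7089a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071", 16)
SAMPLE_PUBKEY = ("ssh-rsa " + base64.b64encode(ssh_rsa_blob(65537, SAMPLE_MODULUS)).decode()
                 + " archive-server")
SAMPLE_KNOWN_HOSTS = "10.1.1.1 " + SAMPLE_PUBKEY  # constructed known_hosts entry

if __name__ == "__main__":
    host, expected = fingerprint_from_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(host, expected)
    # The value copied from the switch prompt would go here in place of `expected + "."`
    print("match:", fingerprint_matches(expected + ".", md5_fingerprint(SAMPLE_PUBKEY)))
```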

Modification History:
2020-10-12: Minor, non-technical edits.
