This article explains how to change the SSH public key of a remote host on EX switches so that the archival of the configuration continues to function. This article assumes that the EX switch is already configured for archival using SCP; KB15615 shows the steps to configure archival using SCP.
Whenever the SSH public key of a remote server is changed, the following error message will appear when trying to change the public key:
Switch# set system archival configuration archive-sites "scp://user@10.1.1.1:/home/user" password "password"
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING BAD!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
10:a5:7c:4e:11:79:7b:2a:35:39:0a:ec:40:64:4b:98.
Please contact your system administrator.
Add correct host key in /tmp/ssh_known_hosts_12272 to get rid of this message.
Offending key in /tmp/ssh_known_hosts_12272:1
RSA host key for 10.1.1.1 has changed and you have requested strict checking.
Host key verification failed.
How to remove the old key and update with the new key of the remote host:
Whenever the remote host's public key is changed, the key needs to be updated in the ssh-known-hosts section of the configuration.
- First the old key needs to be deleted:
Switch# delete security ssh-known-hosts host
- The archive-sites should also be deleted:
Switch# delete system archival configuration archive-sites
- Add the archive-site URL and press Enter (carriage return) after entering the command. The switch will prompt to add the new key. Type "yes" at the prompt to add the new key:
{master:1}[edit]
Switch# set system archival configuration archive-sites "scp://user@10.1.1.1:/home/juniper" password "password"
The authenticity of host '10.1.1.1 (10.1.1.1)' can't be established.
RSA key fingerprint is 24:60:ab:1b:6d:4e:10:e2:ea:9c:0f:af:17:49:38:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.1' (RSA) to the list of known hosts.
Switch# commit
configuration check succeeds
fpc1:
commit complete
Now the EX switch is updated with the new public key of the remote host and will archive the configuration using SCP.
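Before typing "yes" at the prompt in the last step, the fingerprint the switch displays can be compared with one computed from the server's own host public key. The following is an added example, not part of the original article or Juniper code: it assumes the administrator can read the server's public key line (on a typical OpenSSH server, /etc/ssh/ssh_host_rsa_key.pub), and the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct


def parse_pubkey_line(line):
    """Return (key_type, raw_blob) from an OpenSSH '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type; it must
    # agree with the text label, otherwise the line is malformed.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != declared.encode("ascii"):
        raise ValueError("key type label does not match key blob")
    return declared, blob


def md5_fingerprint(blob):
    """MD5 of the blob as colon-separated hex, the format in the switch prompt."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def prompt_matches(prompt_fingerprint, pubkey_line):
    """True only when the fingerprint shown in the prompt belongs to this key."""
    _, blob = parse_pubkey_line(pubkey_line)
    shown = prompt_fingerprint.strip().rstrip(".").lower()
    return shown == md5_fingerprint(blob)


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


# Constructed sample key (toy 512-bit modulus), standing in for the contents
# of the server's host public key file. It is not a real host key.
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
    + _ssh_string(bytes(range(1, 65)))).decode("ascii") + " constructed@example"

if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(SAMPLE_LINE)
    print(key_type, md5_fingerprint(blob))
    print(prompt_matches("10:a5:7c:4e:11:79:7b:2a:35:39:0a:ec:40:64:4b:98.", SAMPLE_LINE))
```

If prompt_matches returns False for the fingerprint in the prompt, answer "no" and investigate before adding the key.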