[SRX] SSH (secure shell) does not work from SRX and gives warning.

  [KB27960]


Summary:

This article describes how to resolve the SSH login issue that occurs when the RSA key is changed on the remote host or the RSA key is deleted from the client. The issue can be resolved by deleting the old RSA fingerprint value for that known host from the SRX database.

Symptoms:

The user is unable to SSH from the SRX to a remote host. The attempt fails with the following error message:

root@240-2> ssh 100.1.1.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
86:10:55:0f:94:34:07:15:d8:1a:df:22:a5:4c:49:7e.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:1
RSA host key for 100.1.1.1 has changed and you have requested strict checking.
Host key verification failed.

Cause:

The remote device has changed its RSA key, or the RSA key was changed or deleted on the client for SSH. However, the SRX device still has the old RSA key fingerprint value for the remote host in its database at /cf/root/.ssh/known_hosts.

When a user then tries to connect over SSH, an RSA fingerprint mismatch message is displayed.

Solution:

This issue can be resolved by deleting the old RSA fingerprint value for that known host from the SRX database.

Please complete the following steps:

  1. Run the following command to locate the file that contains the RSA fingerprint values for all known hosts:
    root@240-2> file list /cf/root/.ssh
    /cf/root/.ssh:
    known_hosts
  2. Delete the known_hosts file from the database, so that the SRX can install the new RSA fingerprint value for the remote host.
    root@240-2> file delete /cf/root/.ssh/known_hosts
  3. Try again to SSH to the same host. This time the SRX installs the new fingerprint value in its database:
    root@240-2> ssh 100.1.1.1
    ECDSA key fingerprint is 82:e7:c6:12:14:48:ed:64:ca:0d:99:f7:88:f9:eb:b0.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '100.1.1.1' (ECDSA) to the list of known hosts.
    root@100.1.1.1's password:
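
Deleting the whole file in step 2 discards the stored fingerprints for every host, not only 100.1.1.1. The following added example (not from the original article or from Juniper) removes only the entries for one host from known_hosts text and reports the MD5 fingerprint of each removed key in the colon-separated form shown in the warning, so it can be compared with the value the remote host's administrator confirms. It assumes the standard OpenSSH known_hosts format and is meant to be run against a copy of the file; the second host and the key blobs are constructed placeholders.

```python
import base64
import hashlib
import hmac


def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint, the format printed in the SSH warning."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def host_matches(hosts_field, host):
    """True if a known_hosts host field names `host` (plain or hashed form)."""
    if hosts_field.startswith("|1|"):
        # Hashed entry: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))
        _, _, salt_b64, mac_b64 = hosts_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64))
    # Exact names only; wildcard and negated patterns are not interpreted here.
    return host in hosts_field.split(",")


def prune_host(known_hosts_text, host):
    """Return (kept_text, removed); removed lists (key type, MD5 fingerprint)."""
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Comments, blank lines and @marker lines are passed through untouched.
        is_entry = len(fields) >= 3 and not line.startswith(("#", "@"))
        if is_entry and host_matches(fields[0], host):
            removed.append((fields[1], md5_fingerprint(fields[2])))
        else:
            kept.append(line)
    return "".join(entry + "\n" for entry in kept), removed


# Constructed sample: the blobs are placeholder bytes, not real host keys.
OLD_KEY = base64.b64encode(b"constructed-old-rsa-key").decode()
OTHER_KEY = base64.b64encode(b"constructed-other-key").decode()
SAMPLE = (
    f"100.1.1.1 ssh-rsa {OLD_KEY}\n"
    f"100.1.1.2,host2 ssh-rsa {OTHER_KEY}\n"
)

if __name__ == "__main__":
    kept_text, removed_keys = prune_host(SAMPLE, "100.1.1.1")
    for key_type, fingerprint in removed_keys:
        print(f"removed {key_type} {fingerprint}")
    print(kept_text, end="")
```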

Modification History:
2018-12-23: Corrected the order of the steps and associated commands.