
[SRX] SSH (secure shell) does not work from SRX and gives warning.


Article ID: KB27960 | KB Last Updated: 27 Dec 2018 | Version: 3.0
Summary:

This article describes how to resolve the SSH login issue that occurs when the RSA key is changed on the remote host or the RSA key is deleted from the client. This issue can be resolved by deleting the old RSA fingerprint value for that known host from the SRX database.

Symptoms:

The user is unable to SSH from the SRX to a remote host. The attempt fails with the following error message:

root@240-2> ssh 100.1.1.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
86:10:55:0f:94:34:07:15:d8:1a:df:22:a5:4c:49:7e.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:1
RSA host key for 100.1.1.1 has changed and you have requested strict checking.
Host key verification failed.
Cause:

The remote device has changed its RSA key value, or the RSA key was changed or deleted on the client for SSH. However, the SRX device still has the old RSA key fingerprint value for the remote host in its database at /cf/root/.ssh/known_hosts.

When a user tries to SSH to SRX, they get an RSA fingerprint mismatch message.

Solution:

This issue can be resolved by deleting the old RSA fingerprint value for that known host from the SRX database.

Please complete the following steps:

  1. Run the following command to locate the file that contains the RSA fingerprint values for all known hosts:
    root@240-2> file list /cf/root/.ssh
    /cf/root/.ssh:
    known_hosts
  2. Delete the known_hosts file from the database, so that the SRX can install the new RSA fingerprint value for the remote host.
    root@240-2> file delete /cf/root/.ssh/known_hosts
  3. Try SSH to the same host again. This time the SRX will install the new fingerprint value in its database:
    root@240-2>ssh 100.1.1.1
    ECDSA key fingerprint is 82:e7:c6:12:14:48:ed:64:ca:0d:99:f7:88:f9:eb:b0.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '100.1.1.1' (ECDSA) to the list of known hosts.
    root@100.1.1.1's password:
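
The warning above names a man-in-the-middle as one possible cause, and deleting known_hosts discards the stored key of every host, so this added Python example (not Juniper's code) removes only the entry for the changed host and compares the offered key's fingerprint with one confirmed out of band. It assumes the OpenSSH known_hosts line format; the function names and key blobs are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample file: the key blobs are placeholders, not real host keys.
SAMPLE_KNOWN_HOSTS = (
    "100.1.1.1 ssh-rsa QUFBQUNvbnN0cnVjdGVkT2xk\n"
    "100.1.1.2,fw2.example.net ssh-rsa QUFBQUNvbnN0cnVjdGVkT3RoZXI=\n"
)

def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint, the format printed in the warning."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def entry_matches(hosts_field, host):
    """True if a known_hosts host field names `host` exactly.

    Handles plain comma-separated names and hashed (|1|salt|hash) entries;
    wildcard patterns are not expanded.
    """
    if hosts_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = hosts_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(hash_b64))
    return host in hosts_field.split(",")

def drop_host(known_hosts_text, host):
    """Return (kept_text, removed_lines); only entries for `host` are removed."""
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        is_entry = len(fields) >= 3 and not line.startswith(("#", "@"))
        if is_entry and entry_matches(fields[0], host):
            removed.append(line)
        else:
            kept.append(line)
    return "".join(l + "\n" for l in kept), removed

def key_is_expected(offered_key_b64, trusted_fingerprint):
    """Compare the offered key with a fingerprint confirmed out of band."""
    offered = md5_fingerprint(offered_key_b64)
    return hmac.compare_digest(offered, trusted_fingerprint.strip().lower())

if __name__ == "__main__":
    kept, removed = drop_host(SAMPLE_KNOWN_HOSTS, "100.1.1.1")
    print("removed:", removed)
    print("kept:", kept, end="")
```

The trusted fingerprint passed to `key_is_expected` should come from the remote host's console or its administrator, not from the SSH session that raised the warning.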
Modification History:
2018-12-23: Corrected the order of the steps and associated commands.