How to Clear Old SSH Public Key from known_hosts

63610
Created On 04/03/19 06:02 AM - Last Modified 10/03/24 03:46 AM


Objective


When the firewall is used as an SSH client to a remote system (e.g., when using SCP to copy files over), it keeps a record of the remote system's SSH host public key together with the corresponding IP address.

When the remote system's host key has changed, perhaps due to a transition from a self-signed to a CA-signed certificate on that system or to the generation of a new key pair, the old SSH public key stored on the firewall needs to be deleted.

The new public key then has to be mapped to the IP address so that the connection can succeed again.


Environment


  • PAN-OS 10.1.5
  • Palo Alto Firewall
When the firewall acts as an SSH client, it stores the SSH public key (and therefore the fingerprint) of each SSH server it connects to. A sample of the first connection is below:
admin@firewall> scp export log traffic start-time equal 2019/02/01@00:00:00 end-time equal 2019/02/27@23:59:00 to admin@10.129.128.68:/test.csv
The authenticity of host '10.129.128.68 (10.129.128.68)' can't be established.
ECDSA key fingerprint is 53:7e:05:8e:15:e3:98:1b:4f:61:50:43:97:af:a2:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.129.128.68' (ECDSA) to the list of known hosts.
admin@10.129.128.68's password:  Marking log as exported successfully...

When the server's host key, and therefore the above fingerprint, changes, the export fails with the error below:
admin@firewall> scp export log traffic start-time equal 2019/02/01@00:00:00 end-time equal 2019/02/27@23:59:00 to admin@10.129.128.68:/test.csv
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@        WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is f0:70:ae:18:1c:5e:2f:02:0d:c5:4e:59:ab:ea:cc:72.
Please contact your system administrator.
Add correct host key in /opt/pancfg/home/admin/.ssh/known_hosts to get rid of this message.
Offending RSA key in /opt/pancfg/home/admin/.ssh/known_hosts:1
RSA host key for 10.129.128.68 has changed and you have requested strict checking.
Host key verification failed.
Log export failure.


Procedure


  1. Determine which user's directory stores the SSH fingerprint. The username is the path component after /opt/pancfg/home/ in the error message (in our example it is admin):
admin@firewall> scp export log traffic start-time equal 2019/02/01@00:00:00 end-time equal 2019/02/27@23:59:00 to admin@10.129.128.68:/test.csv
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@   WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!      @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is f0:70:ae:18:1c:5e:2f:02:0d:c5:4e:59:ab:ea:cc:72.
Please contact your system administrator.
Add correct host key in /opt/pancfg/home/admin/.ssh/known_hosts to get rid of this message.
Offending RSA key in /opt/pancfg/home/admin/.ssh/known_hosts:1 . <<<<<<<<<<<<<<<<<<<<<<<<<<<
RSA host key for 10.129.128.68 has changed and you have requested strict checking.
Host key verification failed.
Log export failure.
  2. Once the remote system's administrator has confirmed that the host key was legitimately changed, delete the offending entry with the command delete authentication user-file ssh-known-hosts user ip <ip> username <user>:
admin@firewall> delete authentication user-file ssh-known-hosts user ip 10.129.128.68 username admin
Entry for 10.129.128.68 in ssh-known-hosts file removed for admin
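The firewall's CLI removes the entry for you; on a general host, ssh-keygen -R does the same job. As an added example (not from this KB article or from PAN-OS), the Python script below shows what that removal entails: it parses a known_hosts file, matches both plain and hashed (HashKnownHosts) host fields, and prints the MD5 and SHA256 fingerprints of every removed key so they can be compared with the fingerprint the remote administrator confirmed out of band before the new key is accepted. The host names, salt, and key blobs are constructed sample values, not real keys.

```python
"""Inspect and prune known_hosts entries for one host, hashed entries included.

Added example mirroring what `ssh-keygen -R <host>` does; all sample data is constructed.
"""
import base64
import hashlib
import hmac


def make_key_blob(key_type: str, raw_key: bytes) -> bytes:
    """Build an SSH wire-format public key blob (RFC 4253 string encoding)."""
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return ssh_string(key_type.encode()) + ssh_string(raw_key)


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the format shown in the PAN-OS output."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH 6.8+ style fingerprint: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(host: str, salt: bytes) -> str:
    """Produce the |1|<salt>|<hmac-sha1> host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def entry_matches_host(hostfield: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated, or hashed) names host."""
    if hostfield.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hostfield.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in hostfield.split(",")


def parse_entry(line: str):
    """Split one known_hosts line into (hostfield, keytype, blob); None for blank or comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if fields[0].startswith("@"):  # marker such as @cert-authority or @revoked
        fields = fields[1:]
    hostfield, keytype, b64 = fields[0], fields[1], fields[2]
    return hostfield, keytype, base64.b64decode(b64)


def remove_host(lines, host):
    """Return (kept_lines, removed_entries) like ssh-keygen -R, without touching any file."""
    kept, removed = [], []
    for line in lines:
        parsed = parse_entry(line)
        if parsed and entry_matches_host(parsed[0], host):
            removed.append(parsed)
        else:
            kept.append(line)
    return kept, removed


# Constructed sample data (hypothetical): the SCP target from the KB example, one plain and
# one hashed entry for it using a stand-in key blob, plus an unrelated host that must survive.
FIREWALL_TARGET = "10.129.128.68"
STALE_BLOB = make_key_blob("ssh-ed25519", bytes(32))          # stand-in for the old key
OTHER_BLOB = make_key_blob("ssh-ed25519", bytes(range(32)))   # unrelated host's key
SAMPLE_KNOWN_HOSTS = [
    "# constructed sample, not the firewall's real file",
    "%s ssh-ed25519 %s" % (FIREWALL_TARGET, base64.b64encode(STALE_BLOB).decode()),
    "%s ssh-ed25519 %s" % (hash_hostname(FIREWALL_TARGET, b"\x01" * 20),
                           base64.b64encode(STALE_BLOB).decode()),
    "10.129.128.70 ssh-ed25519 %s" % base64.b64encode(OTHER_BLOB).decode(),
]

if __name__ == "__main__":
    kept, removed = remove_host(SAMPLE_KNOWN_HOSTS, FIREWALL_TARGET)
    for hostfield, keytype, blob in removed:
        print("removed %s %s  %s  %s" % (hostfield, keytype,
                                         md5_fingerprint(blob), sha256_fingerprint(blob)))
    print("remaining lines: %d" % len(kept))
```

The fingerprints printed for the removed entries are the ones to compare against the value the remote administrator reports; if the stale fingerprint does not match the one that was known to be good, the record of which key was previously trusted is itself worth keeping for the incident notes.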


Additional Information


Alternatively, the whole ssh-known-hosts file can be removed for all users with the command below. Every previously known host then has to have its fingerprint confirmed again on the next connection.
admin@firewall> delete authentication user-file ssh-known-hosts user username all
ssh-known-hosts file removed for all
