Cómo borrar la clave pública antigua SSH de known_hosts
63650
Created On 04/03/19 06:02 AM - Last Modified 10/03/24 03:46 AM
Objective
Cuando se utiliza como cliente en SSH un sistema remoto (por ejemplo, cuando se firewall utiliza SCP para copiar archivos), mantiene un registro del certificado público del sistema remoto con la dirección correspondiente.
IP Cuando el certificado del sistema remoto ha cambiado, tal vez debido a una transición de un certificado autofirmado a un certificado público firmado o la generación de un nuevo certificado y un par de claves, el antiguo SSH certificado público almacenado en el firewall deberá eliminarse.
Necesitamos asignar el nuevo certificado público al IP para abordar los cambios anteriores.
Environment
- PAN-OS 10.1.5
- Palo Alto Firewall
admin@firewall> scp export log traffic start-time equal 2019/02/01@00:00:00 end-time equal 2019/02/27@23:59:00 to admin@10.129.128.68:/test.csv The authenticity of host '10.129.128.68 (10.129.128.68)' can't be established. ECDSA key fingerprint is 53:7e:05:8e:15:e3:98:1b:4f:61:50:43:97:af:a2:bc. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.129.128.68' (ECDSA) to the list of known hosts. admin@10.129.128.68's password: Marking log as exported successfully...
Cuando cambia la huella digital anterior, obtenemos el siguiente error:
admin@firewall> scp export log traffic start-time equal 2019/02/01@00:00:00 end-time equal 2019/02/27@23:59:00 to admin@10.129.128.68:/test.csv @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the RSA key sent by the remote host is f0:70:ae:18:1c:5e:2f:02:0d:c5:4e:59:ab:ea:cc:72. Please contact your system administrator. Add correct host key in /opt/pancfg/home/admin/.ssh/known_hosts to get rid of this message. Offending RSA key in /opt/pancfg/home/admin/.ssh/known_hosts:1 RSA host key for 10.129.128.68 has changed and you have requested strict checking. Host key verification failed. Log export failure.
Procedure
- Determine el directorio de usuario que almacena la SSH huella digital. Puede determinar esto desde después del directorio de inicio (en nuestro ejemplo es admin)
admin@firewall> scp export log traffic start-time equal 2019/02/01@00:00:00 end-time equal 2019/02/27@23:59:00 to admin@10.129.128.68:/test.csv @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the RSA key sent by the remote host is f0:70:ae:18:1c:5e:2f:02:0d:c5:4e:59:ab:ea:cc:72. Please contact your system administrator. Add correct host key in /opt/pancfg/home/admin/.ssh/known_hosts to get rid of this message. Offending RSA key in /opt/pancfg/home/admin/.ssh/known_hosts:1 . <<<<<<<<<<<<<<<<<<<<<<<<<<< RSA host key for 10.129.128.68 has changed and you have requested strict checking. Host key verification failed. Log export failure.
- Eliminar la huella digital ofensiva SSH mediante el comando delete authentication user-file ssh-known-hosts user ip
admin@firewall> delete authentication user-file ssh-known-hosts user ip 10.129.128.68 username admin Entry for 10.129.128.68 in ssh-known-hosts file removed for admin