How to delete the old SSH public host key from known_hosts
67117
Created On 04/03/19 06:02 AM - Last Modified 10/03/24 03:46 AM
Objective
When the firewall acts as an SSH client to a remote system (for example, when it uses SCP to copy files), it stores the remote system's public SSH host key together with the corresponding IP address in the known_hosts file of the user who ran the command.
When the remote system's host key has changed, for example because the host was reinstalled or a new host key pair was generated, the old public key stored on the firewall must be deleted so that the new key can be recorded for that IP address on the next connection.
Before deleting the old entry, confirm out of band with the remote system's administrator that the key really was changed: the same warning appears when a third party is intercepting the connection, and the fingerprint shown in the warning should match the one the administrator reads from the remote host's key file.
Environment
- PAN-OS 10.1.5
- Palo Alto Networks Firewall
On the first connection the firewall prompts to accept the remote host's key fingerprint and stores it:
admin@firewall> scp export log traffic start-time equal 2019/02/01@00:00:00 end-time equal 2019/02/27@23:59:00 to admin@10.129.128.68:/test.csv
The authenticity of host '10.129.128.68 (10.129.128.68)' can't be established.
ECDSA key fingerprint is 53:7e:05:8e:15:e3:98:1b:4f:61:50:43:97:af:a2:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.129.128.68' (ECDSA) to the list of known hosts.
admin@10.129.128.68's password:
Marking log as exported successfully...
When the remote host's key (and therefore the fingerprint above) changes, the export fails with the error below:
admin@firewall> scp export log traffic start-time equal 2019/02/01@00:00:00 end-time equal 2019/02/27@23:59:00 to admin@10.129.128.68:/test.csv
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f0:70:ae:18:1c:5e:2f:02:0d:c5:4e:59:ab:ea:cc:72.
Please contact your system administrator.
Add correct host key in /opt/pancfg/home/admin/.ssh/known_hosts to get rid of this message.
Offending RSA key in /opt/pancfg/home/admin/.ssh/known_hosts:1
RSA host key for 10.129.128.68 has changed and you have requested strict checking.
Host key verification failed.
Log export failure.
Procedure
- Determine which user's home directory holds the known_hosts file with the stale SSH host key. The user name is the last component of the home path printed in the warning (in our example, admin, from /opt/pancfg/home/admin/.ssh/known_hosts):
admin@firewall> scp export log traffic start-time equal 2019/02/01@00:00:00 end-time equal 2019/02/27@23:59:00 to admin@10.129.128.68:/test.csv
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f0:70:ae:18:1c:5e:2f:02:0d:c5:4e:59:ab:ea:cc:72.
Please contact your system administrator.
Add correct host key in /opt/pancfg/home/admin/.ssh/known_hosts to get rid of this message.
Offending RSA key in /opt/pancfg/home/admin/.ssh/known_hosts:1   <<<<<<<<<<<<<<<<<<<<<<<<<<<
RSA host key for 10.129.128.68 has changed and you have requested strict checking.
Host key verification failed.
Log export failure.
- Delete the offending SSH host key entry with the command delete authentication user-file ssh-known-hosts user ip <ip-address> username <username>, using the IP address from the warning and the user name found in the previous step:
admin@firewall> delete authentication user-file ssh-known-hosts user ip 10.129.128.68 username admin
Entry for 10.129.128.68 in ssh-known-hosts file removed for admin
- Run the scp export again. The firewall prompts once more to confirm the remote host's fingerprint; answer yes only if it matches the fingerprint the remote system's administrator confirmed, and the new key is then stored in known_hosts.
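The check behind the procedure above, as an added example that is not PAN-OS code or part of the original article: given the remote server's public host key (obtained out of band, for example the contents of its /etc/ssh/ssh_host_*_key.pub file), it computes the fingerprint in both the MD5 colon form the firewall prints (f0:70:ae:...) and the SHA256 form current OpenSSH prints, so the value in the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning can be verified before the old entry is removed. It also locates and removes the stale entry in a copy of a known_hosts file, covering plain, [host]:port and hashed (|1|salt|hmac) host fields. The known_hosts contents and the ssh-ed25519 key blob are constructed for the example; the function names are the example's own.

```python
"""Verify a changed SSH host key fingerprint and remove the stale known_hosts entry.

Added example (not PAN-OS code). SAMPLE_BLOB and SAMPLE_KNOWN_HOSTS are constructed.
"""
import base64
import hashlib
import hmac
from typing import List, Optional, Tuple


def fingerprint_md5(key_blob: bytes) -> str:
    """MD5 fingerprint in the colon form the firewall prints (f0:70:ae:...)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(key_blob).digest())


def fingerprint_sha256(key_blob: bytes) -> str:
    """SHA256 fingerprint as printed by OpenSSH 6.8 and later (base64, no padding)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def hashed_host_entry(host: str, salt: bytes) -> str:
    """Build the |1|salt|hmac host field that 'HashKnownHosts yes' writes."""
    mac = hmac.new(salt, host.encode("utf-8"), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode("ascii"),
                         base64.b64encode(mac).decode("ascii"))


def host_matches(hosts_field: str, host: str) -> bool:
    """True if a known_hosts host field covers `host` (plain list, [host]:port or hashed)."""
    if hosts_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hosts_field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode("utf-8"), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    for name in hosts_field.split(","):
        if name.startswith("[") and "]:" in name:   # non-default port: [host]:port
            name = name[1:name.index("]:")]
        if name == host:
            return True
    return False


def parse_line(line: str) -> Optional[Tuple[str, str, bytes]]:
    """(hosts_field, key_type, raw key blob) for one known_hosts line; None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if fields[0].startswith("@"):       # skip @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        return None
    return fields[0], fields[1], base64.b64decode(fields[2])


def find_entries(known_hosts: str, host: str) -> List[Tuple[int, str, str, str]]:
    """Entries for `host`: (1-based line number, key type, MD5 fingerprint, SHA256 fingerprint)."""
    found = []
    for lineno, line in enumerate(known_hosts.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed and host_matches(parsed[0], host):
            _, key_type, blob = parsed
            found.append((lineno, key_type, fingerprint_md5(blob), fingerprint_sha256(blob)))
    return found


def remove_host(known_hosts: str, host: str) -> Tuple[str, int]:
    """Drop every line whose host field covers `host`; returns (new text, number removed)."""
    kept, removed = [], 0
    for line in known_hosts.splitlines(keepends=True):
        parsed = parse_line(line)
        if parsed and host_matches(parsed[0], host):
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed


# Constructed sample data: an ssh-ed25519 key blob in SSH wire format
# (length-prefixed key type, then length-prefixed 32-byte dummy public key).
SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_KNOWN_HOSTS = (
    "# constructed example, not the firewall's real file\n"
    "10.129.128.68 ssh-ed25519 " + SAMPLE_B64 + "\n"
    "[10.0.0.5]:2222 ssh-ed25519 " + SAMPLE_B64 + "\n"
)


if __name__ == "__main__":
    # Compare these fingerprints with the one in the warning before deleting anything.
    for lineno, key_type, md5_fp, sha_fp in find_entries(SAMPLE_KNOWN_HOSTS, "10.129.128.68"):
        print(f"line {lineno}: {key_type} {md5_fp} {sha_fp}")
    new_text, n = remove_host(SAMPLE_KNOWN_HOSTS, "10.129.128.68")
    print(f"removed {n} entries; remaining file:\n{new_text}")
```

To verify the warning's value, pass the key blob decoded from the remote host's .pub file to fingerprint_md5 and compare with the fingerprint in the "REMOTE HOST IDENTIFICATION HAS CHANGED" message; only after they match should the old entry be deleted, on the firewall with the delete authentication user-file ssh-known-hosts command shown above, or on an ordinary host with remove_host on a copy of known_hosts.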