How to clear an old SSH public key from known_hosts

63610
Created On 04/03/19 06:02 AM - Last Modified 10/03/24 03:46 AM


Objective


When the firewall acts as an SSH client to a remote system (for example, when copying files with SCP), it records the remote system's SSH host public key together with the corresponding IP address in its known_hosts file.

When the remote system's host key changes, for example because the server was reinstalled or a new host key pair was generated, the old SSH public key stored on the firewall must be removed before connections to that IP can succeed again.

Only then can the new public key be mapped to the IP address. Treat the resulting warning as a signal rather than a nuisance: the same message appears when a man-in-the-middle presents its own key, so confirm the key change with the remote system's administrator before clearing the entry.


Environment


  • PAN-OS 10.1.5
  • Palo Alto Networks firewall

When the firewall acts as an SSH client, it stores the public key (and therefore the fingerprint) of each SSH server it connects to. A sample of the first connection, where the key is accepted and saved, follows:
admin@firewall> scp export log traffic start-time equal 2019/02/01@00:00:00 end-time equal 2019/02/27@23:59:00 to admin@10.129.128.68:/test.csv
The authenticity of host '10.129.128.68 (10.129.128.68)' can't be established.
ECDSA key fingerprint is 53:7e:05:8e:15:e3:98:1b:4f:61:50:43:97:af:a2:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.129.128.68' (ECDSA) to the list of known hosts.
admin@10.129.128.68's password:  Marking log as exported successfully...

When the fingerprint presented by the remote host later differs from the stored one, the connection fails with the following error:
admin@firewall> scp export log traffic start-time equal 2019/02/01@00:00:00 end-time equal 2019/02/27@23:59:00 to admin@10.129.128.68:/test.csv
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@        WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is f0:70:ae:18:1c:5e:2f:02:0d:c5:4e:59:ab:ea:cc:72.
Please contact your system administrator.
Add correct host key in /opt/pancfg/home/admin/.ssh/known_hosts to get rid of this message.
Offending RSA key in /opt/pancfg/home/admin/.ssh/known_hosts:1
RSA host key for 10.129.128.68 has changed and you have requested strict checking.
Host key verification failed.
Log export failure.


Procedure


  1. Identify the directory in which the SSH fingerprints are stored. The warning names the known_hosts file under the home directory of the user running the command (admin in our example) and the line number of the offending entry:
Add correct host key in /opt/pancfg/home/admin/.ssh/known_hosts to get rid of this message.
Offending RSA key in /opt/pancfg/home/admin/.ssh/known_hosts:1 . <<<<<<<<<<<<<<<<<<<<<<<<<<<
  2. Delete the offending SSH fingerprint with the command delete authentication user-file ssh-known-hosts user ip <ip> username <user>. Before doing so, confirm with the remote system's administrator that the fingerprint printed in the warning (f0:70:ae:... in our example) is the fingerprint of the server's current host key; on an OpenSSH server, ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub prints it in the same colon-separated MD5 format. If the values do not match, keep the entry and investigate, because the warning is then doing its job.
admin@firewall> delete authentication user-file ssh-known-hosts user ip 10.129.128.68 username admin 
Entry for 10.129.128.68 in ssh-known-hosts file removed for admin
The next SCP export to that host prompts to accept the new key, as in the first sample above, and stores it in place of the old entry.
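The firewall command above removes one line from an OpenSSH known_hosts file. The following Python script is an added example (not PAN-OS code or Palo Alto Networks' implementation) that reproduces that operation on a constructed known_hosts file, computes the MD5 and SHA256 fingerprints of the stored keys so they can be compared with the warning text, and refuses to delete the stale entry unless the fingerprint from the warning matches the one the server's administrator reports out of band. The key blobs, host names and file contents are constructed for the example; the RSA moduli are toy numbers, not real keys.

```python
"""Inspect and prune an OpenSSH known_hosts file, with a fingerprint check.

Added illustration, not PAN-OS code: it shows what the firewall's
`delete authentication user-file ssh-known-hosts` command does to
/opt/pancfg/home/admin/.ssh/known_hosts, plus the check an operator should
make first. All key material and host names below are constructed for the
example; the RSA "keys" are toy numbers, not real keys.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (a leading 0x00 keeps the sign bit clear)."""
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def rsa_key_blob(e: int, n: int) -> bytes:
    """Build the ssh-rsa public key blob that fingerprints are computed over."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Legacy MD5 fingerprint, colon-separated hex (the format in the PAN-OS warning above)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: SHA256:<unpadded base64 of the digest>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (line_no, hosts, key_type, blob) for every entry in the file.

    Hashed host patterns (|1|...) come back verbatim and never equal a plain
    name; the firewall's file uses plain IPs, as the warning text shows.
    """
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        try:
            blob = base64.b64decode(fields[2], validate=True)
        except ValueError:
            continue                            # malformed key field, skip it
        yield line_no, fields[0].split(","), fields[1], blob


def find_entries(text: str, host: str) -> list:
    """Line numbers of every entry whose host list contains `host`."""
    return [ln for ln, hosts, _, _ in parse_known_hosts(text) if host in hosts]


def remove_host(text: str, host: str) -> str:
    """Drop every line that carries an entry for `host`.

    Like `ssh-keygen -R` (and the PAN-OS command), this removes the whole
    line, so other host names sharing that line lose their entry too.
    """
    doomed = set(find_entries(text, host))
    kept = [l for i, l in enumerate(text.splitlines(), start=1) if i not in doomed]
    return "".join(line + "\n" for line in kept)


def safe_to_replace(warning_fp: str, admin_fp: str) -> bool:
    """True only when the fingerprint printed in the warning equals the one the
    remote server's administrator reports out of band. Case and an optional
    'MD5:' prefix are ignored so fingerprints from different tools compare."""
    def norm(s: str) -> str:
        s = s.strip().lower()
        return s[4:] if s.startswith("md5:") else s
    return norm(warning_fp) == norm(admin_fp)


def clear_stale_entry(text: str, host: str, warning_fp: str, admin_fp: str) -> str:
    """The page's procedure in one call: verify the new fingerprint, then
    remove the old entry. Raises instead of deleting when they disagree."""
    if not safe_to_replace(warning_fp, admin_fp):
        raise ValueError("fingerprint mismatch: possible MITM, keep the entry")
    return remove_host(text, host)


# Constructed sample file: a stale entry for the log-export host and one
# unrelated entry that must survive the cleanup.
OLD_BLOB = rsa_key_blob(65537, 0xC0FFEE1234567890ABCDEF)       # key the firewall stored
NEW_BLOB = rsa_key_blob(65537, 0xDEADBEEF0123456789ABCDEF)     # key the rebuilt server offers
ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
KNOWN_HOSTS = (
    "10.129.128.68 ssh-rsa " + base64.b64encode(OLD_BLOB).decode() + "\n"
    "backup.example.net,192.0.2.10 ssh-ed25519 " + base64.b64encode(ED25519_BLOB).decode() + "\n"
)


if __name__ == "__main__":
    presented = md5_fingerprint(NEW_BLOB)   # what the firewall's warning would print
    print("old:", md5_fingerprint(OLD_BLOB))
    print("new:", presented, sha256_fingerprint(NEW_BLOB))
    print(clear_stale_entry(KNOWN_HOSTS, "10.129.128.68", presented, "MD5:" + presented))
```

Running the script prints the old and new fingerprints and the cleaned file with only the unrelated entry left. On an ordinary OpenSSH client the same two jobs are done by ssh-keygen -lf (fingerprint of a key file) and ssh-keygen -R <host> (remove the stale entry); the firewall exposes only the latter through its CLI, so the fingerprint comparison has to be done against the warning text.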


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLNYCA4&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail