12.07.2015 Views

Red Hat Enterprise Linux 5 Administration Unleashed


Configuring the Server

key. If accepted, the client stores the public key and uses it to verify the identity of the server with each connection.

When a system acting as an OpenSSH server is reinstalled, the files storing the OpenSSH identification keys are re-created as well. Because the SSH clients use these keys to identify the server before connecting to it, they will see the warning message in Listing 17.1 after the operating system reinstallation, which generates new keys.

LISTING 17.1 Warning About Keys Not Matching

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    66:50:c5:dc:ba:36:d4:3f:ea:93:1d:d8:56:e3:38:56.
    Please contact your system administrator.
    Add correct host key in /home/tfox/.ssh/known_hosts to get rid of this message.
    Offending key in /home/tfox/.ssh/known_hosts:73
    RSA host key for 172.31.0.1 has changed and you have requested strict checking.
    Host key verification failed.

After the message is displayed, the program exits. If you are sure that the key on the server changed, edit the known_hosts file in the .ssh directory of your home directory such as /home/tfox/.ssh/known_hosts. The warning message gives the line number that contains the stored key for the server, or you can search for the hostname or IP address of the server, whichever one you use to connect to it. Delete the line, save the file, and exit the text editor. The next time you try to connect to the server via SSH, you will need to accept the new RSA server key.

CAUTION

Before removing a stored RSA key for a server and accepting a new one, verify with the administrator of the server that the key has changed and that the new key you are accepting is correct. Otherwise, the system could have been compromised, and you might be compromising your system by accepting the different key and connecting to a different server.

Instead of communicating a new key to users every time a server is reinstalled, an administrator can retain the host keys generated for the system before reinstalling. To save the keys before reinstalling, save the /etc/ssh/ssh_host*key* files on another system or backup media. After reinstalling, restore these files to their original locations on the server to retain the system’s identification keys. If this process is used, clients will not receive the warning message when trying to connect to the system after it is reinstalled.
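The check the CAUTION calls for can be scripted. The following Python sketch is an added example, not code from the book: it computes the colon-separated MD5 fingerprint shown in Listing 17.1 from a known_hosts key field and reports which stored lines to delete only when the key the server now offers matches the fingerprint the administrator confirmed. The function names, the toy key blobs, and the hostname server.example.com are assumptions made for the demonstration, and only plain (unhashed) protocol 2 entries are handled.

```python
import base64
import hashlib
import struct

def md5_fingerprint(b64_key):
    """Colon-separated MD5 of the decoded key blob, the format shown in Listing 17.1."""
    digest = hashlib.md5(base64.b64decode(b64_key)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def stored_entries(known_hosts_text, host):
    """Return [(line_number, fingerprint)] for plain ssh-rsa/ssh-dss entries naming host."""
    found = []
    for number, line in enumerate(known_hosts_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or not fields[1].startswith("ssh-"):
            continue  # blank lines, comments and other entry formats are skipped
        if host in fields[0].split(","):
            found.append((number, md5_fingerprint(fields[2])))
    return found

def lines_safe_to_delete(known_hosts_text, host, offered_b64, admin_fingerprint):
    """Line numbers of stale entries, but only if the offered key is the one the
    administrator confirmed; otherwise raise and leave known_hosts alone."""
    offered = md5_fingerprint(offered_b64)
    if offered != admin_fingerprint.strip().lower():
        raise ValueError("offered key %s does not match the confirmed fingerprint" % offered)
    return [n for n, fp in stored_entries(known_hosts_text, host) if fp != offered]

def sample_rsa_blob(modulus):
    """Constructed ssh-rsa blob for the demo (toy modulus, not a real server key)."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    def mpint(value):
        return field(value.to_bytes((value.bit_length() + 8) // 8, "big"))
    return base64.b64encode(field(b"ssh-rsa") + mpint(65537) + mpint(modulus)).decode()

# Constructed sample data: old key stored on line 2, new key offered after a reinstall.
OLD_KEY = sample_rsa_blob(0xC0FFEE1234567891)
NEW_KEY = sample_rsa_blob(0xDEADBEEF12345677)
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts file",
    "172.31.0.1,server.example.com ssh-rsa " + OLD_KEY,
    "172.31.0.9 ssh-rsa " + NEW_KEY,
])

if __name__ == "__main__":
    confirmed = md5_fingerprint(NEW_KEY)  # stands in for the value the administrator gave you
    print(lines_safe_to_delete(KNOWN_HOSTS, "172.31.0.1", NEW_KEY, confirmed))
```

If the fingerprints differ, the function raises instead of returning line numbers, so the stored key stays in place until the discrepancy is explained.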
