Score:1

SSH to 1 server from 2 different servers which have same hostname

cn flag

There are 2 servers for production and DR. Both servers are RHEL 7 and same spec.

Both have same host name and different IP address. We need to connect to same outside servers over SSH without password.

When we tried to connect from the DR server, it showed a warning with the message below.

fromserver:user1$ ssh  user2@dest-server
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for dest-server has changed,
and the key for the corresponding IP address 10.126.**.**
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/user1/.ssh/known_hosts:111
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:***********************************************.
Please contact your system administrator.
Add correct host key in in /home/user1/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in in /home/user1/.ssh/known_hosts:111
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
*********************************************************************

My question is how I can avoid this message and enable ssh login without a password. Is it possible to avoid this message?

Michael Hampton
cz flag
They should not have the same host name.
djdomi
za flag
I agree, the same hostname will bring issues. I had a similar problem, in fact: I always have a default image which I use, and then my ssh also has a brain fuc* up because it thinks I got a h4x0red server :)
Score:2
cn flag

Have different host names in DNS for administrative functions including ssh. Making up my own example, thingprod1.example.net and thingprod2.example.net, with thingprod.example.net as a service address pointing the active side. Sysadmins use the host name, user applications use the service address.

ssh's DNS spoofing and host key change warnings are security features to detect interception of ssh traffic. They rely on the host key remaining the same for a name and IP.

Score:0
lr flag

While others suggest that you should NOT use the same hostname (and I agree with them), they do not propose a solution.

The actual solution is disabling StrictHostKeyChecking.

In order to do this you can ssh into the server directly with:

ssh -o StrictHostKeyChecking=no <username>@<hostname>

If you use an ssh config file then it will look like this:

Host <name>
    User <username>
    Hostname <hostname>
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null

UserKnownHostsFile=/dev/null will ensure that your key will not be saved.

John Mahowald
cn flag
Using a different hostname means ssh host keys are under different names in known_hosts, and will not trigger this warning. Which is a more secure solution.
lr flag
While I agree with you regarding the security of the issue, I disagree with your answer as a solution. The question was how one can get into an ssh session without getting the "POSSIBLE DNS SPOOFING DETECTED!" message. I have answered his question, highlighting that it's not the most secure way to handle things.
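The following is an added example, not code from OpenSSH or from any poster in this thread. It models the two lookups ssh performs against known_hosts before authenticating, one under the name being connected to and one under the IP address, which is the mechanism the score-2 answer refers to and the reason two machines sharing one name produce the "POSSIBLE DNS SPOOFING DETECTED" banner. It also shows an alternative to the `StrictHostKeyChecking no` answer above: the real ssh_config option `HostKeyAlias` makes ssh look the key up under a per-machine alias instead of the shared hostname, so each copy gets its own pinned entry and strict checking can stay on. The hostnames (`dest-server`, `dest-prod`, `dest-dr`), IP addresses, keys and HMAC salt are all constructed for the example; the classification is a simplified version of ssh's decision logic, not a line-for-line port.

```python
"""How ssh matches a presented host key against known_hosts, and why two
machines sharing one name trip the DNS-spoofing check.

Added example for this thread; not code from OpenSSH or from any poster.
Only the lookup rules needed to explain the warning are reimplemented:
the key is looked up under the connection name (or the HostKeyAlias, if
configured) and separately under the IP address.  All hostnames, IPs,
keys and the salt below are constructed.
"""
import base64
import hashlib
import hmac


def hashed_host(host: str, salt: bytes) -> str:
    """Encode a host the way HashKnownHosts does: |1|b64(salt)|b64(HMAC-SHA1)."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                            base64.b64encode(digest).decode())


def host_in_field(field: str, host: str) -> bool:
    """Does the first known_hosts field cover `host`?  Handles the plain
    comma-separated form and the hashed form; wildcards are not modelled."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(digest_b64))
    return host in field.split(",")


def stored_key(known_hosts: str, host: str, key_type: str):
    """Return the key of `key_type` recorded for `host`, or None if unknown."""
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        if fields[1] == key_type and host_in_field(fields[0], host):
            return fields[2]
    return None


def key_state(stored, presented: str) -> str:
    if stored is None:
        return "unknown"
    return "match" if stored == presented else "changed"


def check_host_key(known_hosts, lookup_name, ip, key_type, presented):
    """Simplified form of the decision ssh makes before authenticating.
    `lookup_name` is the hostname typed on the command line, or the
    HostKeyAlias when ~/.ssh/config sets one for that host."""
    by_name = key_state(stored_key(known_hosts, lookup_name, key_type), presented)
    by_ip = key_state(stored_key(known_hosts, ip, key_type), presented)
    if by_name == "match":
        # Accepted; ssh only warns when the IP entry disagrees with the name entry.
        return "ok" if by_ip != "changed" else "ok-but-ip-key-differs"
    if by_name == "unknown":
        # Trust prompt, or refusal under StrictHostKeyChecking=yes.
        return "new-host"
    # by_name == "changed": the connection is refused.  When the IP entry
    # still matches, ssh prints the DNS-spoofing banner from the question
    # on top of the "REMOTE HOST IDENTIFICATION HAS CHANGED" one.
    return "refused-dns-spoofing-suspected" if by_ip == "match" else "refused-host-key-changed"


SALT = bytes(range(20))   # fixed (constructed) salt so the hashed line is reproducible

# Constructed known_hosts as it might look on the DR box after both copies
# of "dest-server" have been contacted once.  Keys are placeholders.
KNOWN_HOSTS = "\n".join([
    "# production copy, recorded under its name and IP",
    "dest-server,10.0.0.1 ssh-ed25519 AAAA-KEY-PROD",
    "# DR copy, known only by its IP (hashed, as HashKnownHosts would write it)",
    hashed_host("10.0.0.2", SALT) + " ssh-ed25519 AAAA-KEY-DR",
    "# the same two machines pinned under distinct aliases (HostKeyAlias)",
    "dest-prod ssh-ed25519 AAAA-KEY-PROD",
    "dest-dr ssh-ed25519 AAAA-KEY-DR",
])


def scenarios():
    """Verdicts for the four ways of reaching the two same-named servers."""
    t = "ssh-ed25519"
    return {
        # `ssh dest-server` resolving to prod: name and IP entries both agree.
        "prod by name": check_host_key(KNOWN_HOSTS, "dest-server", "10.0.0.1", t, "AAAA-KEY-PROD"),
        # `ssh dest-server` resolving to DR: the name entry holds prod's key,
        # the IP entry holds DR's key -> exactly the warning in the question.
        "dr by name": check_host_key(KNOWN_HOSTS, "dest-server", "10.0.0.2", t, "AAAA-KEY-DR"),
        # Same two connections with `HostKeyAlias dest-prod` / `dest-dr` set in
        # ~/.ssh/config: lookups go under the alias and checking stays strict.
        "prod by alias": check_host_key(KNOWN_HOSTS, "dest-prod", "10.0.0.1", t, "AAAA-KEY-PROD"),
        "dr by alias": check_host_key(KNOWN_HOSTS, "dest-dr", "10.0.0.2", t, "AAAA-KEY-DR"),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print("%-14s %s" % (name, verdict))
```

The "dr by name" scenario reproduces the refusal in the question: the entry for the name still holds the other machine's key while the entry for the IP matches, so ssh reports DNS spoofing as one possible cause and stops before authentication. The alias scenarios correspond to a `~/.ssh/config` stanza of `Host dest-server` with `HostKeyAlias dest-dr` on the DR side (and `HostKeyAlias dest-prod` on production; names assumed here), which keeps a separate pinned key per machine without turning host key checking off or discarding known_hosts.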