
Whenever I connect to my host, I see

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:J6ErF8jeZVKGsg0db5u2hiNeQbH4pdGzPcbpGXZhOm8.
Please contact your system administrator.
Add correct host key in /home/ecarroll/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/ecarroll/.ssh/known_hosts:50
  remove with:
  ssh-keygen -f "/home/ecarroll/.ssh/known_hosts" -R "10.1.38.15"
ECDSA host key for 10.1.38.15 has changed and you have requested strict checking.
Host key verification failed.

I can get around the need to type

  ssh-keygen -f "/home/ecarroll/.ssh/known_hosts" -R "10.1.38.15"

by using -o StrictHostKeyChecking=no in the call to ssh. However, even when I do that, I get,

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:ZVbYVYb0m3udeHMkycdZCF4HK7sGUzVnQmhTjDFTa6Y.
Please contact your system administrator.
Add correct host key in /home/ecarroll/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/ecarroll/.ssh/known_hosts:50
  remove with:
  ssh-keygen -f "/home/ecarroll/.ssh/known_hosts" -R "10.1.38.15"
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Agent forwarding is disabled to avoid man-in-the-middle attacks.

You'll see this line at the bottom,

Agent forwarding is disabled to avoid man-in-the-middle attacks.

Is there any way I can still enable agent forwarding?

Evan Carroll
  • 2
    Why does the key keep changing? If it doesn't, why not just delete the offending key (if you know the new one is good)? Finally, the workaround you could use is to drop the offending key. During connection it will ask if you trust the key it sees; say yes, and the forwarding will work. If you do this every time it will always work. – user1794469 Jan 10 '20 at 20:57
  • For more, see https://unix.stackexchange.com/a/411149/5132 . – JdeBP Jan 10 '20 at 21:59
  • 1
    Do what it's telling you (remove the offending key), then run it with -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null. Whether this is a good idea in general is a completely different story -- I have an ssh0 wrapper just for this purpose (i.e. for connecting to snapshot VMs, etc). –  Jan 11 '20 at 00:53

1 Answer

As a workaround for this, what you can do is delete that file -- don't worry, you'll only have to do it once. Then mix the two options,

StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null

You can either put that in an ssh config file, ~/.ssh/config, or make it an alias,

alias ssh0="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"

This will forward the agent, and work on multiple boxes without any further configuration.

Evan Carroll
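
An added check, not part of the original answer: with both options set, ssh never compares the host key against anything, so a forwarded agent is offered to whatever machine answers at that address. The function below reads the effective settings printed by `ssh -G <host>` and flags that combination; the function names, verdict words and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the effective client
# settings printed by `ssh -G <host>` on stdin and prints one verdict word.
# Function names, verdict words and sample lines are constructed.

audit_ssh_effective() {
    awk '
        { key = tolower($1) }
        key == "stricthostkeychecking" { strict = tolower($2) }
        key == "forwardagent"          { agent = tolower($2) }
        key == "userknownhostsfile"    { $1 = ""; sub(/^ +/, ""); khf = $0 }
        END {
            # ssh -G may print "false" for "no"; accept every spelling of off.
            unchecked = (strict == "no" || strict == "false" || strict == "off")
            # /dev/null as the only known_hosts file means no key is ever pinned.
            unpinned  = (khf == "/dev/null")
            # ForwardAgent may be yes or an agent socket path.
            forwards  = (agent != "" && agent != "no" && agent != "false")
            if (unchecked && unpinned && forwards) print "agent-to-unverified-host"
            else if (unchecked && unpinned)        print "host-never-verified"
            else if (unchecked)                    print "new-keys-auto-accepted"
            else                                   print "ok"
        }'
}

# Constructed sample: what the ssh0 alias plus agent forwarding resolves to.
sample_ssh0_with_agent() {
    cat <<'EOF'
hostname 10.1.38.15
forwardagent yes
stricthostkeychecking false
userknownhostsfile /dev/null
EOF
}

sample_ssh0_with_agent | audit_ssh_effective

# Against a real client configuration:
#   ssh -G 10.1.38.15 | audit_ssh_effective
```

Running it over each host you connect to shows where the relaxed options apply, which helps when they were meant only for throwaway machines such as the snapshot VMs mentioned in the comments.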