Last night I SSH'ed to different systems... one system/SSH reported that the "authenticity of HOSTNAME couldn't be established..." and it asked if I want to continue or something. I didn't, and found this peculiar, so I tried to SSH to the system from one of the systems I already had SSH access/open, which didn't report that message (which means no change to the system since last login).

Then I looked at my ~/.ssh/known_hosts and the system was in there so it should know the host I was connecting from, then tried again using the up/down arrows to browse bash history so I didn't make any mistakes in the commands and I didn't...

And this time it worked without any notice about failed authenticity and asked for the password as usual.

Should I be worried, was this as Debian says "someone doing something nasty"?

The point is... why the message, then not the message (without me doing or changing anything)... weird.

3 Answers

0

It's possible that somebody was trying to spoof that server. It's also possible, and in most environments more likely, that there was a misconfiguration of some kind. Maybe the DNS is misconfigured and has several IP addresses recorded for the same host name. Maybe two machines were competing for the same IP address. Maybe the SSH server on the target machine was temporarily misconfigured.

1
  • I'm going with the first possible. I checked the known_hosts file at the time and it had the remote in there (known), I tried to ssh to the remote from one of the ssh sessions I had opened (different remote), and no "notice about changed configuration/not recognized host", and a short time later when trying the same connection there was no notice about "failure to authenticate". Commented Apr 8, 2015 at 1:40
0

The first time you logged into the server, it didn't have a key value associated with its hostname in your ~/.ssh/known_hosts. When you accepted its identity, you added the key. Subsequent logins referenced that key value so its identity was verified and you got no message.

When you logged in from a different system, one that had accessed this server previously, it had a key value that matched the current key on the host, so no message was displayed.

To validate this, log out of the remote host, remove its entry in your ~/.ssh/known_hosts file and then log back in. You'll see the "identity could not be verified" message again.

1
  • I didn't accept its identity; when it reported that it couldn't authenticate, I pressed ctrl + d or c and tried from a different system to ssh to the same host. And when I looked in known_hosts, it was already there... that's the point, it couldn't identify then later it could, without me changing either host. Commented Apr 5, 2015 at 10:59
0

This may be an attempt to hijack your connection, or a malicious actor pretending to be the destination which you expect.

You need to verify the key again if you are getting a mismatch in a case where you are certain that the connection to the destination is safe (e.g. private network, trusted network, etc.).

Use ssh-keygen -lf to verify the key fingerprint by following a tutorial.

You should abandon the connection, dump old keys and generate new ones ASAP if fingerprints do not match after verification.
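The check the answers describe, as an added example that is not part of the original posts: it looks a name up in known_hosts text (including Debian-style hashed `|1|salt|hash` entries) and compares the stored key's SHA256 fingerprint, in the form `ssh-keygen -lf` prints, with one obtained out of band. The host name, addresses, key blobs and salt are constructed sample data, and the function names are hypothetical.

```python
import base64, hashlib, hmac, struct

def fingerprint(b64_blob):
    """SHA256 fingerprint of a public key blob, formatted like `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern, host):
    """Match one host field: hashed |1|salt|hash or a plain comma list (no wildcards)."""
    if pattern.startswith("|1|"):
        _, _, salt, mac = pattern.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac))
    return host in pattern.split(",")

def check(known_hosts_text, host, key_type, trusted_fp):
    """Return 'match', 'mismatch' or 'unknown' for this name and key type."""
    verdict = "unknown"  # no stored key under this name: ssh asks whether to continue
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "@")):
            continue  # skip comments, blanks and @cert-authority/@revoked markers
        hosts, ktype, blob = fields[:3]
        if ktype != key_type or not host_matches(hosts, host):
            continue
        if hmac.compare_digest(fingerprint(blob), trusted_fp):
            return "match"
        verdict = "mismatch"  # a key is stored for this name but it is a different key
    return verdict

def sample_blob(seed):  # constructed ed25519-shaped blob, not a real host key
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(raw).decode()

def hashed_name(host, salt=b"constructed-salt-20b"):  # constructed salt
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed known_hosts: the name and one of its two addresses are stored.
SAMPLE = "\n".join([
    "%s ssh-ed25519 %s" % (hashed_name("server.example"), sample_blob(1)),
    "192.0.2.10 ssh-ed25519 %s" % sample_blob(1),
])
TRUSTED = fingerprint(sample_blob(1))  # stands in for the value read on the server console

if __name__ == "__main__":
    for name in ("server.example", "192.0.2.10", "192.0.2.11"):
        print(name, check(SAMPLE, name, "ssh-ed25519", TRUSTED))
```

The third lookup returns `unknown` because no key is stored under that address, which is one way a host that "is in known_hosts" can still produce the authenticity prompt when its name resolves to more than one IP.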
