
Attempting to SSH into my server, I got the "SOMEONE DOING SOMETHING NASTY" message. First time. The message states, "It is also possible that a host key has just been changed."

I am not clear about the meaning of "just".

Does it mean "has recently changed", or does it mean "no big deal, the key has changed"?

Either way, I want to know WHY would the key change? I am not aware of anything I did that would cause it to change.

My IP address has not changed. I am working with this server on various ports and everything is normal.

All of the questions about this problem recommend removing the old key from my known_hosts file, and I have done that.

Is this dramatic error message meant to be basically ignored, or could there really be someone doing something nasty?

  • The host key does not change on its own, so if you have not changed it then you should certainly investigate that urgently. Commented Dec 19, 2020 at 20:02
  • @MichaelHomer What can I do to investigate? So far, I have not re-SSH'ed but used Webmin to check if there are any new or unfamiliar users (no) or any unfamiliar processes running. What else can I do? Commented Dec 19, 2020 at 20:41
  • @MichaelHomer I just SSH'ed to this server from a different local machine (my laptop). No error, no changed key. Does this indicate that the local machine where I got the error may be compromised? Commented Dec 19, 2020 at 21:01
  • If you had previously connected from that other machine (and cached the host key fingerprint), it suggests that the known_hosts file on the original machine may have changed since you last successfully connected from it. That could be bitrot, an accident, or a deliberate edit. It could also be a network issue or a number of other causes, and there's not much information here to narrow that down. If either the original machine or the server were compromised this would be a sign that it was fairly inept, while MITM is fairly unlikely, so some non-malicious change is more probable. Commented Dec 19, 2020 at 22:19

1 Answer

SSH keys change under the following conditions:

  1. Someone intentionally re-generated the SSH keys
  2. SSH service (sshd) was uninstalled and its configuration purged and it was later re-installed
  3. Server OS was re-installed (rebuilt)
  • I have done none of those things. This machine (a DigitalOcean droplet running Ubuntu) is identical to another one and I keep both up to date. The other one has not exhibited this problem. If there was an update to SSH in the last few days (I don't recall one), could that have triggered this? Commented Dec 19, 2020 at 20:48
  • 4. You're actually connecting to a different host than you thought. Commented Dec 19, 2020 at 20:53
  • Do you mean, when I go through SSH? I have services running on my machine that are performing normally. I can access that machine through SFTP or Webmin, etc. I see @MichaelHomer you are adding a fourth option... Commented Dec 19, 2020 at 20:53
  • I don't know what is happening, I was just completing the list. The point of the host key check is to detect MITM, so other services appearing to function normally is not a major data point as those can be proxied (though SFTP is still over SSH, of course). Commented Dec 19, 2020 at 20:59
  • Thank you. I am confused though. Am I worried about the server or my local machine? Commented Dec 19, 2020 at 21:05
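The comments above come down to one check that neither the question nor the answer actually carries out: is the key cached in the complaining machine's known_hosts the same key the server is offering right now? The following is an added example, not code from the question, the answer or OpenSSH. It reproduces two pieces of OpenSSH's known_hosts handling (the SHA256 fingerprint that `ssh-keygen -lf` prints, and the `|1|salt|hash` host field written by `HashKnownHosts yes`) and compares each cached entry for a host with the server's current public key. The host address, the two ed25519 key blobs and the known_hosts contents are constructed placeholders; the server's real keys would be copied out of band, e.g. `cat /etc/ssh/ssh_host_*_key.pub` typed into the hosting provider's web console, never fetched through the SSH session whose authenticity is in doubt.

```python
import base64
import hashlib
import hmac
import os


def fingerprint_sha256(pubkey_b64):
    """OpenSSH-style fingerprint of a base64 key blob: SHA256 over the decoded
    blob, base64 without padding, prefixed 'SHA256:' (what ssh-keygen -lf prints)."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(host, salt=None):
    """Build the '|1|salt|hash' host field written by 'HashKnownHosts yes':
    HMAC-SHA1 of the hostname keyed with a random 20-byte salt."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_field_matches(field, host):
    """True if a known_hosts host field (hashed, or a comma-separated list of
    names/addresses) names this host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")


def check_known_hosts(known_hosts_text, host, server_keys):
    """Compare every cached key for `host` with what the server offers now.
    server_keys maps key type -> base64 blob, copied from /etc/ssh/ssh_host_*_key.pub
    over an out-of-band channel. Returns (keytype, cached_fp, current_fp, status) rows;
    status is 'match', 'MISMATCH' (cached key differs from the live one) or
    'unknown' (server offers no key of that type any more)."""
    results = []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):          # '@cert-authority' / '@revoked' markers
            parts = parts[1:]
        if len(parts) < 3:
            continue
        field, keytype, key_b64 = parts[0], parts[1], parts[2]
        if not host_field_matches(field, host):
            continue
        cached = fingerprint_sha256(key_b64)
        if keytype in server_keys:
            current = fingerprint_sha256(server_keys[keytype])
            status = "match" if hmac.compare_digest(cached, current) else "MISMATCH"
        else:
            current, status = None, "unknown"
        results.append((keytype, cached, current, status))
    return results


# --- constructed sample data: placeholder host and keys, not real ones ---
def _constructed_ed25519_blob(fill):
    # Wire format of an ssh-ed25519 public key: string "ssh-ed25519", then 32 key bytes.
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32).decode()


HOST = "203.0.113.10"                      # documentation address standing in for the droplet
OLD_KEY = _constructed_ed25519_blob(0x01)  # the key cached when the server was first reached
NEW_KEY = _constructed_ed25519_blob(0x02)  # what the server presents now
KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts",
    "%s ssh-ed25519 %s" % (HOST, OLD_KEY),                                 # plain entry
    "%s ssh-ed25519 %s" % (hash_hostname(HOST, b"\x2a" * 20), OLD_KEY),   # hashed duplicate
    "other.example.net ssh-ed25519 %s" % NEW_KEY,                         # unrelated host
])


def report(server_keys):
    """Run the comparison on the constructed sample and return the result rows."""
    return check_known_hosts(KNOWN_HOSTS, HOST, server_keys)


if __name__ == "__main__":
    for keytype, cached, current, status in report({"ssh-ed25519": NEW_KEY}):
        print("%-12s cached=%s  current=%s  %s" % (keytype, cached, current, status))
```

With the real files the same comparison is two OpenSSH commands: `ssh-keygen -F 203.0.113.10 -f ~/.ssh/known_hosts` lists the cached entries for a host (hashed ones included), and `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the server prints the fingerprint to compare against. If the cached entry has already been deleted, as the question says was done, the old fingerprint is only recoverable from the original warning output or a backup of known_hosts; a second machine that still holds its own cached entry and connects cleanly, as in the comments, is the next best evidence that the server's key did not change and the first machine's known_hosts did.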
