SRX Services Gateway

log in -- Host key verification failed

12-17-2019 08:46 AM

Hi,

 

We have observed the below log messages on SRX210 as well as SRX300 while I am trying to authenticate. I could not log in to the firewall.

Please suggest how to fix it.

 

 

user@fw> ssh 10.21.8.100
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:xXA7F58CP343PY8KuG/Ingdw0JKLGkpvUtfLJeiMGf4.
Please contact your system administrator.
Add correct host key in /var/home/radius-admingroup-template-user/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /var/home/radius-admingroup-template-user/.ssh/known_hosts:3
ED25519 host key for 10.21.8.100 has changed and you have requested strict checking.
Host key verification failed.

 

Regards,

Nik


Re: log in -- Host key verification failed

12-17-2019 06:30 PM

Hello,

 

You need to edit the file /var/home/radius-admingroup-template-user/.ssh/known_hosts, as the prompt says, and delete the line which contains "10.21.8.100".

Here is the procedure in shell, assuming You have privileges to edit this file:

1/ vi  /var/home/radius-admingroup-template-user/.ssh/known_hosts 

2/ look for 10.21.8.100

3/ delete the line containing 10.21.8.100

4/ save the file and exit vi editor

5/ repeat ssh attempt and accept the new key.

But You should be investigating the root cause first - why did the SSH key change? While this could happen after an upgrade, or after booting from an alternate partition containing an older/newer JUNOS version, more sinister root causes, such as someone remotely taking over Your internet-exposed FW and implanting their own backdoored firmware, cannot be ruled out nowadays.

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
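The following is an added example and is not code from this thread or from Juniper. It does what steps 1 to 5 above do by hand in vi, but programmatically: it locates every known_hosts entry for 10.21.8.100 (including entries written in the hashed |1|salt|hmac form that vi cannot be grepped for), prints the fingerprint of the stored key in the same SHA256 form ssh shows, removes the stale lines, and adds the root-cause check Alex asks for: the fingerprint presented in the warning is compared with one read out-of-band from the device (serial console) before the new key is accepted. Assumptions that are mine and not the original poster's: it runs with Python 3 on an admin workstation against a copy of the file (nothing is assumed to be installed on the SRX), the known_hosts content is constructed, and the ed25519 key bytes in it are synthetic, not any real host key. Only the host address and the fingerprint string are taken from the warning quoted in the question.

```python
# Added example (not code from the thread or from Juniper): handle a known_hosts
# file the way steps 1-5 above do by hand, plus an out-of-band fingerprint check.
# Assumption: runs with Python 3 on an admin workstation, not on the SRX.
import base64
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Copied from the warning quoted in the original post.
HOST = "10.21.8.100"
PRESENTED_FP = "SHA256:xXA7F58CP343PY8KuG/Ingdw0JKLGkpvUtfLJeiMGf4"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw32: bytes) -> bytes:
    """Public-key blob that known_hosts stores base64-encoded:
    string "ssh-ed25519" + string <32-byte key>."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)


def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint in the form ssh prints: "SHA256:" + unpadded base64 of sha256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hashed_host_field(host: str, salt: bytes) -> str:
    """Host field as written with HashKnownHosts yes: |1|b64(salt)|b64(hmac_sha1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, host: str) -> bool:
    """True if a host field (comma-separated names or a |1| hash) names host.
    Wildcards and negated patterns (*.example, !host) are deliberately not handled."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        return hmac.compare_digest(hashed_host_field(host, base64.b64decode(salt_b64)), field)
    return host in field.split(",")


def parse_line(line: str) -> Optional[Tuple[str, str, bytes]]:
    """(host field, key type, decoded key blob), or None for blank/comment lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    if parts[0].startswith("@"):  # @cert-authority / @revoked marker
        parts = parts[1:]
    if len(parts) < 3:
        return None
    return parts[0], parts[1], base64.b64decode(parts[2])


def find_entries(known_hosts: str, host: str) -> List[Tuple[int, str, str]]:
    """Step 2: (line number, key type, fingerprint) of every entry naming host."""
    found = []
    for n, line in enumerate(known_hosts.splitlines(), 1):
        p = parse_line(line)
        if p and host_matches(p[0], host):
            found.append((n, p[1], fingerprint_sha256(p[2])))
    return found


def remove_host(known_hosts: str, host: str) -> Tuple[str, int]:
    """Steps 3-4: drop every line naming host. Returns (new contents, lines dropped)."""
    kept, dropped = [], 0
    for line in known_hosts.splitlines():
        p = parse_line(line)
        if p and host_matches(p[0], host):
            dropped += 1
        else:
            kept.append(line)
    return "".join(l + "\n" for l in kept), dropped


def classify(presented_fp: str, console_fp: Optional[str]) -> str:
    """Root-cause check before step 5: compare the fingerprint ssh showed with
    one read out-of-band (serial console) from the device's own host key."""
    if console_fp is None:
        return "unverified: read the device's fingerprint from the console first"
    if hmac.compare_digest(presented_fp, console_fp):
        return "key rotated on the device (e.g. upgrade or other partition): safe to accept"
    return "presented key is not the device's key: do not accept, investigate"


# Constructed sample file. The ed25519 key bytes are synthetic, not any real
# host key; the stale entry for HOST sits on line 3, matching the warning.
SAMPLE_SALT = hashlib.sha1(b"constructed salt").digest()  # 20 bytes, as OpenSSH uses
_old = base64.b64encode(ed25519_blob(bytes(range(32)))).decode()
_other = base64.b64encode(ed25519_blob(bytes(range(32, 64)))).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real file",
    "10.21.8.1 ssh-ed25519 " + _other,
    HOST + ",fw-core ssh-ed25519 " + _old,
    hashed_host_field(HOST, SAMPLE_SALT) + " ssh-ed25519 " + _old,
]) + "\n"

if __name__ == "__main__":
    for n, ktype, fp in find_entries(SAMPLE_KNOWN_HOSTS, HOST):
        print("known_hosts:%d %s %s" % (n, ktype, fp))
    cleaned, dropped = remove_host(SAMPLE_KNOWN_HOSTS, HOST)
    print("dropped %d line(s), %d kept" % (dropped, len(cleaned.splitlines())))
    print(classify(PRESENTED_FP, None))  # replace None with the console-read fingerprint
```

Where OpenSSH tooling is at hand, the same two operations are `ssh-keygen -R 10.21.8.100` (removes the entry, hashed or not, and keeps a .old backup) and `ssh-keygen -lf <host public key file>` run on the device itself to obtain the console-side fingerprint to feed into the comparison; the exact path of the host key under /etc/ssh/ on a given Junos release is something to confirm on the box, not an assumption this example relies on. The point of the comparison is the one Alex makes: accepting the new key is only safe once the presented fingerprint is known to be the device's own.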

Re: log in -- Host key verification failed

12-18-2019 05:19 AM

Hi Alex,

 

As I checked, there is no .ssh/known_hosts file.

 

user@fw% cd /var/home/radius-admingroup-template-user/
user@fw% ls -la
total 8
drwxr-xr-x 2 radius-admingroup-template-user 20 512 Dec 11 14:41 .
drwxr-xr-x 5 root wheel 512 Dec 11 14:41 ..
user@fw% pwd
/cf/var/home/radius-admingroup-template-user
user@fw%

 

Regards,

Nik


Re: log in -- Host key verification failed

12-18-2019 07:22 AM

While you are trying to figure out how to update the new host key on your system, you can use telnet to log in to the device.

 

Updating the host key depends on what kind of setup you are using to access the device (Unix, Mac, PuTTY, SecureCRT).

 

It might be possible that you don't have admin credentials to update the SSH host key on your system.

 

Please refer following link for different options that you have:


https://help.dreamhost.com/hc/en-us/articles/217239087-Updating-host-keys

PS: Please accept my response as solution if it answers your query, kudos are appreciated too!

Thanks

Vishal


Re: log in -- Host key verification failed

12-18-2019 11:53 PM

Hello,

 


@Target wrote:

Hi Alex,

As I checked, there is no .ssh/known_hosts file.

user@fw% cd /var/home/radius-admingroup-template-user/
user@fw% ls -la
total 8
drwxr-xr-x 2 radius-admingroup-template-user 20 512 Dec 11 14:41 .
drwxr-xr-x 5 root wheel 512 Dec 11 14:41 ..
user@fw% pwd
/cf/var/home/radius-admingroup-template-user
user@fw%

Interesting. Have You checked under the actual user directory? It would be /var/home/user/.ssh/known_hosts.

The other option You have is to use ssh from the FreeBSD shell with the -o knob, either:

 

ssh -o UserKnownHostsFile=/dev/null 10.21.8.100

or

ssh -o StrictHostKeyChecking=no 10.21.8.100

Neither option replaces the stored key for 10.21.8.100; You have to find out where it comes from.

HTH

Thx

Alex
