How to do it...

Now that we've confirmed our setup, we're going to change the host keys on centos2 and see what happens.

On centos2, run the following:

[vagrant@centos2 ~]$ sudo mv /etc/ssh/ssh_host_ecdsa_key* /home/vagrant/
[vagrant@centos2 ~]$ ls
ssh_host_ecdsa_key ssh_host_ecdsa_key.pub

We've just moved the keys we accepted as gospel on centos1.

Our session stays up because we're already authenticated and connected. If we were to disconnect at this point, we would have to accept a different set of keys (we moved the ECDSA keys, but there are still Ed25519 host keys available, which SSH would pick up instead).

Now, we're going to generate a new set of keys by using the catchall -A flag:

[vagrant@centos2 ~]$ sudo ssh-keygen -A
ssh-keygen: generating new host keys: RSA1 DSA ECDSA

We can confirm these exist by checking the directory:

[vagrant@centos2 ~]$ ls -l /etc/ssh/ssh_host_ecdsa_key*
-rw-------. 1 root root 227 Aug 8 16:30 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r--. 1 root root 174 Aug 8 16:30 /etc/ssh/ssh_host_ecdsa_key.pub

Log out of centos2 and try to log back in again:

[vagrant@centos1 ~]$ ssh 192.168.33.11
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:vdJTJW4ewGtOAdQXCXJ+cbjvrNm9787/CQQnCeM9fjc.
Please contact your system administrator.
Add correct host key in /home/vagrant/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/vagrant/.ssh/known_hosts:1
ECDSA host key for 192.168.33.11 has changed and you have requested strict checking.
Host key verification failed.
[vagrant@centos1 ~]$

SSH tries to save you from doing something bad. Because it's already aware of the IP you're trying to connect to, and has a known_hosts entry for it, it compares the key it has on file with the one the box presents.

Since we've just regenerated the keys on the box, we've been presented with a horrible-looking error.

It's worth getting over the mental block of just scoffing and working around this error. Try to lend yourself five seconds of thought and confirm that the error is expected. Too often, I've seen people immediately grumble when faced with this message and bypass it straight away. If you've already accepted the key on a box once, you shouldn't see a warning about it again; if you do, it can mean that the box has been tampered with, or that your connection is being "man-in-the-middle'd". Be vigilant!

Clear the old key (its line number is given in the Offending ECDSA key line of the preceding output, line 1 here) from our known_hosts file:

[vagrant@centos1 ~]$ ssh-keygen -R 192.168.33.11
# Host 192.168.33.11 found: line 1
/home/vagrant/.ssh/known_hosts updated.
Original contents retained as /home/vagrant/.ssh/known_hosts.old
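To make the check behind the warning banner and the ssh-keygen -R clean-up concrete, here is an added example (not code from the book) that models what the ssh client does: look up the host in known_hosts (plain or HashKnownHosts-style hashed entries), compare the stored key blob with the key the server presents, compute the SHA256 and MD5 fingerprints the way ssh prints them, and drop a host's entries the way ssh-keygen -R does. The keys are constructed filler bytes in ssh-ed25519 blob format (Ed25519 stands in for the book's ECDSA keys because its blob is trivial to build), and the helper names are this example's own.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey(raw32: bytes) -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64>' public-key line from 32 raw bytes.
    The raw bytes are constructed filler, not the public half of a real key pair."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def _key_blob(pubkey_line: str) -> bytes:
    return base64.b64decode(pubkey_line.split()[1])


def fingerprint_sha256(pubkey_line: str) -> str:
    """SHA256 fingerprint as ssh prints it: base64 of SHA-256 over the key blob, '=' padding stripped."""
    digest = hashlib.sha256(_key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(pubkey_line: str) -> str:
    """Legacy MD5 fingerprint: colon-separated hex bytes of MD5 over the key blob."""
    hexdigest = hashlib.md5(_key_blob(pubkey_line)).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def hash_hostname(host: str, salt: bytes) -> str:
    """HashKnownHosts entry form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(hostfield: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated, or hashed) names host."""
    if hostfield.startswith("|1|"):
        salt = base64.b64decode(hostfield.split("|")[2])
        return hmac.compare_digest(hash_hostname(host, salt), hostfield)
    return host in hostfield.split(",")


def check_host_key(known_hosts: str, host: str, presented: str):
    """Compare the key the server presents with known_hosts, the way ssh does.
    Returns ("ok", line), ("changed", line) or ("unknown", None)."""
    ptype, pblob = presented.split()[:2]
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        # blank lines, comments and @cert-authority/@revoked marker lines are out of scope here
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        hostfield, ktype, kblob = fields[:3]
        if ktype != ptype or not host_matches(hostfield, host):
            continue
        # the first entry for this host and key type decides the outcome
        return ("ok", lineno) if kblob == pblob else ("changed", lineno)
    return ("unknown", None)


def remove_host(known_hosts: str, host: str):
    """What ssh-keygen -R does: drop every line naming host; returns (new_text, removed_line_numbers)."""
    kept, removed = [], []
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith(("#", "@")) and host_matches(fields[0], host):
            removed.append(lineno)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def demo():
    """Walk through the book's scenario with constructed keys."""
    host = "192.168.33.11"
    old_key = make_ed25519_pubkey(bytes(range(32)))       # constructed filler, not a real key
    new_key = make_ed25519_pubkey(bytes(range(32, 64)))   # the "regenerated" key after ssh-keygen -A
    known_hosts = f"{host} {old_key}\n192.168.33.12 {old_key}\n"   # constructed known_hosts content
    before = check_host_key(known_hosts, host, old_key)   # ("ok", 1): silent login
    after = check_host_key(known_hosts, host, new_key)    # ("changed", 1): the WARNING banner, offending line 1
    cleaned, removed = remove_host(known_hosts, host)     # like: ssh-keygen -R 192.168.33.11
    fresh = check_host_key(cleaned, host, new_key)        # ("unknown", None): back to the yes/no prompt
    return {"before": before, "after": after, "removed": removed, "fresh": fresh,
            "new_fingerprint": fingerprint_sha256(new_key)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The useful habit this models: the SHA256 string in the banner is a fingerprint of the key the server just sent, so before answering yes at the prompt, compare it against the fingerprint of the server's own /etc/ssh/ssh_host_*_key.pub obtained over a channel you already trust (the console, or a session that was open before the change, as in this recipe); only then is clearing the old entry the right move.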

You should now be able to SSH to centos2 again and accept the new key:

[vagrant@centos1 ~]$ ssh 192.168.33.11
The authenticity of host '192.168.33.11 (192.168.33.11)' can't be established.
ECDSA key fingerprint is SHA256:vdJTJW4ewGtOAdQXCXJ+cbjvrNm9787/CQQnCeM9fjc.
ECDSA key fingerprint is MD5:c3:be:16:5b:62:7f:4d:9c:0b:15:c0:cd:d6:87:d6:d6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.33.11' (ECDSA) to the list of known hosts.
vagrant@192.168.33.11's password:
Last login: Wed Aug 8 16:26:50 2018 from 192.168.33.10
[vagrant@centos2 ~]$