Hi Ben, Victor, all,

[for changing the IP address of a box]

> in your [ssh config file] - if ListenAddress is not equal to 0.0.0.0
> (listen on all ports) then change this to reflect the new IP.
>
> That should be it (I think).
> 
> When users connect the next time, they will be warned that the key has
> changed, and that someone may be tapping them.

No, in fact you won't even get the error message (unless you previously
had a box with a SSH key on the new IP address). It will look like a
new key altogether, which (to false-split fixed SSH1) looks like this:


Host key not found from the list of known hosts.
!! If the host key is new or changed, ssh1 protocol is vulnerable to 
!! an attack known as false-split, which makes it relatively easy to 
!! hijack the connection without the attack being detected. It is 
!! highly advisable to turn StrictHostKeyChecking to "yes" and 
!! manually copy host keys to known_hosts.
Are you sure you want to continue connecting (yes/no)? 


What follows is related to SSH1.

In order to prevent this from happening, you should maintain your host
keys centrally in /etc/ssh_known_hosts on every computer and have the
entries for a machine list all of its DNS names and IP interfaces:

host,host.domain,host-alias,host-alias.domain,IP1,IP2 (rest of key info)

Then, for the new IP, you just change the IP here and things Just Work.

> If connecting from another linux box, to get rid of this message, they will
> have to remove the entry from ~/.ssh/known_hosts -- I find it easier to
> simply delete this file.

The known hosts files are there for a reason. Obviously, ignoring the
"host key is wrong" messages routinely means you are completely losing
any security provided by host identification.

Instead of having to change known hosts files n times for n users, you
should maintain the key file centrally and always keep it up to date.

Also, the "standard issue" SSH1 looks in the users' own known_hosts
files first. I've patched mine to look in /etc/ssh_known_hosts first.
Not very difficult to fix -- look in sshconnect.c for two calls to
check_host_in_hostfile() and reverse their order.

> If I'm wrong on any point (not entirely sure that you don't have to
> regenerate the host servers keys), I'd love to hear about it, as I'm
> making a similar move soon.

You don't have to regenerate any keys if you change IPs, domain names,
or anything. You just have to keep your list of things up to date.

-- 
Atro Tossavainen (Mr.)               / The Institute of Biotechnology at
Systems Analyst, Techno-Amish &     / the University of Helsinki, Finland,
+358-9-19158939  UNIX Dinosaur     / employs me, but my opinions are my own.
< URL : http : / / www . iki . fi / atro . tossavainen / >

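As an added illustration of the centrally maintained host key list described in the message above (example code, not from the original thread or any SSH distribution): a small Python helper that parses entries in the `names key-info` layout, rewrites one IP inside the name lists without touching the key material, and consults the central file before the user's own one, which is the lookup order the patched client uses. The sample file, host names, addresses and key numbers are all constructed.

```python
import ipaddress

# Constructed sample /etc/ssh_known_hosts (SSH1 line format: names, bits,
# exponent, modulus). Host names, IPs and key numbers are all made up.
SAMPLE_KNOWN_HOSTS = """\
# central host key list, one line per machine
fs1,fs1.example.org,files,files.example.org,10.0.0.5,10.0.1.5 1024 35 1234567890
mail,mail.example.org,10.0.0.9 1024 35 9876543210
"""

def parse_known_hosts(text):
    """Return [(name_list, key_info)] for every non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names, _, key_info = line.partition(" ")
            entries.append((names.split(","), key_info))
    return entries

def find_host_key(entries, name):
    """Key of the first entry listing `name` (as check_host_in_hostfile does), else None."""
    for names, key_info in entries:
        if name in names:
            return key_info
    return None

def change_ip(text, old_ip, new_ip):
    """Replace old_ip with new_ip in the name lists only; key material stays untouched."""
    ipaddress.ip_address(old_ip)  # reject typos before rewriting anything
    ipaddress.ip_address(new_ip)
    out = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            names, sep, key_info = line.partition(" ")
            names = ",".join(new_ip if n == old_ip else n for n in names.split(","))
            line = names + sep + key_info
        out.append(line)
    return "\n".join(out) + "\n"

def lookup(name, central_text, user_text):
    """Consult the central file first, then the user's own (the patched order),
    and report which file answered so a stale personal entry is visible."""
    central = find_host_key(parse_known_hosts(central_text), name)
    personal = find_host_key(parse_known_hosts(user_text), name)
    if central is not None:
        return central, "central" if personal in (None, central) else "central (stale user entry)"
    if personal is not None:
        return personal, "user"
    return None, "unknown"
```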