具有 2 个 DNS 名称的服务器上的 SSH 登录警告消息
我正在从笔记本电脑有时从外部,有时从局域网通过 ssh 连接到服务器 x1.example.com。 从 lan 我只是说
ssh karl@x1
,从 wan:
ssh [email protected]
但从 lan 我总是收到警告:远程主机标识已更改。
我每次都可以删除known_hosts文件中的另一个键,但我想知道是否有更好的解决方案。
我正在犹豫是否关闭密钥验证,因为这会不太安全。 但是一直收到警告也是不安全的(因为我一直忽略这样的警告)
I am doing ssh to server x1.example.com from a laptop sometimes from outside and sometimes from lan. From lan I just say
ssh karl@x1
and from wan:
ssh [email protected]
But from lan I get always a warning: remote host identification has changed.
I can delete the other key in the known_hosts file each time, but I was wondering if there is a better solution.
I am hesitating to turn the key verification off, because this would be less secure. But getting a warning all the time is also unsecure (because I ignore such warnings all the time then)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
在known_hosts 文件中,您可以列出一个密钥的多个名称甚至IP,例如:
但这不是您的问题。 如果您收到主机标识已更改的警告,则确实如此。 这意味着从您第一次从 LAN 连接到该主机的那一刻到现在,有人为该主机重新生成了主机密钥,例如在重新安装操作系统时。 或者你有中间人攻击。
与您的管理员确认主机已重新安装并已重新生成主机密钥,然后从您的known_hosts 文件中删除旧密钥。 下次连接时,您将向known_hosts 文件添加一个新的正确密钥,此警告将消失。
In known_hosts file you can list several names and even IP's for one key, for example:
But it is not your problem here. If you have a warning that host identification has changed it really means that. It means that between a moment of your first connection to this host from lan and now, somebody regenerated a host key for this host, for example while reinstalling the OS. Or that you have a man-in-the-middle attack.
Confirm with your admin that a host was reinstalled and host key regenerated and then remove old key from your known_hosts file. Next time you connect you'll add a new, correct key to known_hosts file and this warning will go away.
我认为从技术上讲,这实际上是一个名称。
分配第二个主机名(可能通过您的主机文件)从 WAN 访问您的服务器: 例如:
我通过 ssh 使用两个不同的名称(相同的 IP)访问服务器,没有任何警告。 例如:name1.example.com 和 name2.example.com
I think it is actually one name, technically.
Assign a second host name (maybe via your hosts file) to access your server from the WAN: E.g.:
I access a server via ssh with two different names (same IP) with no warnings. E.g.: name1.example.com and name2.example.com
非常感谢您的回答。
抱歉各位,我丢失了基于 cookie 的登录信息,无法再进行评分或编辑。 当我从 LAN 更改为 WAN 时,您的问题帮助我解决了问题。 我认为这个问题已经解决了。
但现在我发现问题变得更加严重,因为我在同一个 IP 上也有 2 个主机,并且 IP 也发生了变化,我在一个新问题中涵盖了这一点(从我不能再丢失的新帐户),并提供了更多详细信息:
< a href="https://stackoverflow.com/questions/733753/how-to-handle-ssh-host-key-verification-with-2- Different-hosts-on-the-same-but-c">如何使用同一(但正在更改)IP 地址上的 2 个不同主机处理 ssh 主机密钥验证?
Thank you very much for your answers.
Sorry folks, I lost my cookie based login and cannot rate or edit anymore. Your questions helped me to get around the problem when I change from LAN to WAN. I regard this question as solved.
But now I see the problem goes even deeper because I also have 2 hosts on the same IP, and the IP also changes, which I am covering (from my new account which I cannot loose anymore) in a new question with more details:
How to handle ssh host key verification with 2 different hosts on the same (but changing) IP address?