SSH: WARNING REMOTE HOST IDENTIFICATION HAS CHANGED!
In a production environment, anyone who gets this message must be wary of a man-in-the-middle attack, as the warning itself rightly points out. Fig. 1 is a high-level picture of what happens when I connect to a remote host (henceforth the SSH server) by SSH.
Fig. 1. SSH process as imaged on a Windows 10 machine. I have used PowerShell for my SSH; one can use PuTTY or any other app. On Linux or a Mac one would use the Terminal.
SSH requires that I trust the server, as shown in the on-screen message. When I connect to a server for the first time, I have no option unless I have a pre-generated fingerprint file. When I select "yes", SSH creates a server ID against the server's IP address in a file named "known_hosts". It is stored inside the ".ssh" directory/folder in your user profile directory (Windows: %userprofile% | Mac: ~/). Subsequent SSH connections identify the SSH servers by the stored IDs (Fig. 2).
Fig. 2. SSH server IDs stored in "known_hosts".
The identity warning is raised when the ID that the SSH server presents no longer matches the ID stored for it. In this example, I received the error because I reuse the IP addresses of VMs in my lab. When I tried to connect to the IP address 10.10.10.1, which had been assigned to the previous server, the new signature did not match.
The way I fix this is by removing the old key from my known_hosts file. The next time I connected over SSH, it asked me whether I trusted the server.
WARNING: Man-in-the-middle
I emphasize that identity warnings in a production environment must not be taken lightly. This can be a man-in-the-middle attack, where the attacker impersonates the server by using the same IP address as the server.
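The check behind the warning, written out as an added example (not part of the original post): it reads known_hosts entries, computes the SHA256 fingerprint OpenSSH displays, and classifies the key a server presents against both the stored entry and a fingerprint obtained out of band. The function names, the `trusted_fp` parameter and the sample keys are this example's own; wildcard host patterns are not handled.

```python
import base64, hashlib, hmac, struct

def fingerprint(key_b64):
    """SHA256 fingerprint as OpenSSH prints it: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field: plain names/IPs or a hashed |1|salt|hash entry."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in field.split(",")

def stored_fingerprints(known_hosts_text, host):
    """Return {key_type: fingerprint} for the entries recorded for host."""
    found = {}
    for line in known_hosts_text.splitlines():
        parts = line.split()
        # Comments, blank lines and @cert-authority/@revoked marker lines are skipped here.
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        if host_matches(parts[0], host):
            found[parts[1]] = fingerprint(parts[2])
    return found

def classify(known_hosts_text, host, key_type, presented_fp, trusted_fp=None):
    """Compare the key a server presents with known_hosts and an out-of-band fingerprint."""
    stored = stored_fingerprints(known_hosts_text, host).get(key_type)
    if stored == presented_fp:
        return "match"
    state = "new" if stored is None else "changed"
    # trusted_fp (hypothetical parameter): fingerprint obtained over a channel other than SSH.
    verified = trusted_fp is not None and trusted_fp == presented_fp
    return f"{state}-{'verified' if verified else 'unverified'}"

def sample_key(seed):
    """Constructed ssh-ed25519 blob with filler bytes (not a real host key)."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(raw).decode()

OLD_VM, NEW_VM = sample_key(b"old lab VM"), sample_key(b"new lab VM")
KNOWN_HOSTS = f"10.10.10.1 ssh-ed25519 {OLD_VM}\n"  # constructed entry

if __name__ == "__main__":
    new_fp = fingerprint(NEW_VM)
    print(classify(KNOWN_HOSTS, "10.10.10.1", "ssh-ed25519", new_fp))
    # new_fp as trusted_fp stands in for a value read from the VM's own console.
    print(classify(KNOWN_HOSTS, "10.10.10.1", "ssh-ed25519", new_fp, trusted_fp=new_fp))
```

Only a `changed-verified` result corresponds to the lab case above, where the old entry can be removed (for example with `ssh-keygen -R 10.10.10.1`); `changed-unverified` is the case the warning is about.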
Appendix: Wireshark Packet Capture for SSH