Date: Thu, 1 Mar 2001 10:29:57 +0200
From: Peter Pentchev
To: Christoph Kukulies
Cc: freebsd-security@freebsd.org
Subject: Re: sshd - @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
Message-ID: <20010301102957.B55211@ringworld.oblivion.bg>
In-Reply-To: <200103010819.JAA82842@gilberto.physik.rwth-aachen.de>

On Thu, Mar 01, 2001 at 09:19:00AM +0100, Christoph Kukulies wrote:
>
> I installed a newer sshd recently on one machine in the network
> which I used to login before already via ssh.
>
> Now I'm getting this infamous
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the host key has just been changed.
> Please contact your system administrator.
> Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
> Host key for host.domain has changed and you have requested strict checking.
>
> Do I have to worry about being compromised or is it 'normal' behaviour?

If you did not keep your /etc/ssh/ subdirectory, particularly the host
key files in there, then yes, it's normal. In future upgrades, try to
keep as many of the config files in /etc/ssh/ as possible.

Okay, so /etc/ssh/ is OpenSSH-specific; the ssh.com SSH likes to keep
those files in /etc, IIRC.

G'luck,
Peter

-- 
If there were no counterfactuals, this sentence would not have been paradoxical.
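The comparison behind the warning quoted above, as an added example that is not part of the original message and not OpenSSH's own code: it looks up a host in a known_hosts file (plain or hashed host fields) and reports whether the key the server presents matches, has changed, or is unknown. It assumes the current OpenSSH known_hosts line format and SHA256 fingerprints, matches host names exactly, and uses constructed byte strings in place of real keys.

```python
import base64, hashlib, hmac, struct

def make_blob(key_type, raw):
    """SSH public-key blob: length-prefixed type string, then length-prefixed key bytes."""
    t = key_type.encode()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw)) + raw

def fingerprint(blob):
    """SHA256 fingerprint in the unpadded base64 form current OpenSSH prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field: comma list of names, or hashed |1|salt|mac."""
    if field.startswith("|1|"):
        salt, mac = (base64.b64decode(p) for p in field[3:].split("|"))
        return hmac.compare_digest(hmac.new(salt, host.encode(), hashlib.sha1).digest(), mac)
    return host in field.split(",")  # simplification: no wildcard or negated patterns

def check_host_key(known_hosts, host, key_type, blob):
    """Return 'match', 'changed' or 'unknown' for the key a server presents."""
    changed = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank, comment, or @marker line (markers ignored here)
        if host_matches(fields[0], host) and fields[1] == key_type:
            if base64.b64decode(fields[2]) == blob:
                return "match"
            changed = True  # same host and key type on record, different key
    return "changed" if changed else "unknown"

def hashed_field(host, salt):
    """Build a hashed host field the way `ssh-keygen -H` stores it."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

# Constructed sample data: the byte strings below are not real keys.
OLD_KEY = make_blob("ssh-ed25519", bytes(range(32)))       # key recorded before the reinstall
NEW_KEY = make_blob("ssh-ed25519", bytes(range(32, 64)))   # key generated by the new sshd
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "host.domain ssh-ed25519 " + base64.b64encode(OLD_KEY).decode(),
    hashed_field("other.domain", b"constructed-salt-20b") + " ssh-ed25519 "
        + base64.b64encode(OLD_KEY).decode(),
])

if __name__ == "__main__":
    for key in (OLD_KEY, NEW_KEY):
        print(check_host_key(KNOWN_HOSTS, "host.domain", "ssh-ed25519", key), fingerprint(key))
```

A "changed" result is only safe to clear once the fingerprint of the new key has been confirmed on the server itself, for example from its console, and then the old known_hosts entry replaced.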