Rsa host key change

I updated my firmware successfully. Then I tried to get a terminal running using ssh root@192.168.1.1 and got the following RSA host key change warning.

Does anyone have a solution to this?

    avishek@Linux1:~$ arp -a
    ? (128.146.1.7) at <incomplete> on wlp2s0
    ? (172.27.66.3) at 88:53:2e:cd:04:4c [ether] on wlp2s0
    OpenWrt.lan (192.168.1.1) at f4:f2:6d:6d:16:a4 [ether] on enp1s0
    ? (172.27.64.1) at 00:00:0c:9f:f0:00 [ether] on wlp2s0
    avishek@Linux1:~$ ssh root@192.168.1.1
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    SHA256:UZ4JZm95Q/cL0Zb1kKckn5vSEdnnzx7HUsHWNwiF/pQ.
    Please contact your system administrator.
    Add correct host key in /home/avishek/.ssh/known_hosts to get rid of this message.
    Offending RSA key in /home/avishek/.ssh/known_hosts:1
      remove with:
      ssh-keygen -f "/home/avishek/.ssh/known_hosts" -R 192.168.1.1
    RSA host key for 192.168.1.1 has changed and you have requested strict checking.
    Host key verification failed.

    avishek@Linux1:~$ ping 192.168.1.1
    PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.442 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.489 ms
    64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.435 ms
    64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=0.389 ms
    64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=0.369 ms
    64 bytes from 192.168.1.1: icmp_seq=6 ttl=64 time=0.418 ms
    64 bytes from 192.168.1.1: icmp_seq=7 ttl=64 time=0.416 ms
    ^C
    --- 192.168.1.1 ping statistics ---
    7 packets transmitted, 7 received, 0% packet loss, time 6145ms
    rtt min/avg/max/mdev = 0.369/0.422/0.489/0.042 ms

    avishek@Linux1:~$ ssh root@192.168.1.1
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    SHA256:UZ4JZm95Q/cL0Zb1kKckn5vSEdnnzx7HUsHWNwiF/pQ.
    Please contact your system administrator.
    Add correct host key in /home/avishek/.ssh/known_hosts to get rid of this message.
    Offending RSA key in /home/avishek/.ssh/known_hosts:1
      remove with:
      ssh-keygen -f "/home/avishek/.ssh/known_hosts" -R 192.168.1.1
    RSA host key for 192.168.1.1 has changed and you have requested strict checking.
    Host key verification failed.

If you reset your router (firstboot, not saving settings over sysupgrade, etc.), it will generate a new SSH key pair on the next boot, a new and unique one with a different host identification. Your SSH client will notice the difference and suspect a man-in-the-middle attack, hence the warning. Override your client's warning if you're sure that it's bogus.

1 Like

The answer is:

4 Likes

I have to ssh-keygen -R 192.168.1.1 every time I put any OpenWrt device into failsafe or first-boot mode. The keys are generated on boot if they aren't there and are, by definition, "always" different and unpredictable. At least your network topology (a single, directly connected Ethernet cable, for example) should provide some confidence if the only device attached to your 192.168.1.NN/24 interface is the OpenWrt box you just booted.

2 Likes

Delete the old keys in your /root/ssh/known_hosts file; after doing so, it will peacefully add your new host keys to the known_hosts file. This message appears if your known_hosts file contains a conflicting obsolete key, in your case from a previous install: it created new keys, and your client still has the old RSA key for the same device in its known_hosts file. It comes up with the message you have as a warning of a man-in-the-middle attack. As I see it, you have strict host key checking enabled in your sshd_conf file as well, so it's normal that it pops up!

2 Likes

Or you can set your ssh client to not cache known_hosts for your router by adding to your ~/.ssh/config:

Host router r
	KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
	StrictHostKeyChecking no
	UserKnownHostsFile=/dev/null
	HostName 192.168.1.1
	User root
2 Likes
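The replies above all come down to "remove the stale line", and the last one goes further by turning host key checking off for the router altogether. Two caveats a practitioner would want here. First, `StrictHostKeyChecking no` together with `UserKnownHostsFile /dev/null` means the client never authenticates the router at all, so a man-in-the-middle on that LAN would never be noticed; a safer variant keeps strict checking and just points `UserKnownHostsFile` at a dedicated file such as `~/.ssh/known_hosts.openwrt` that you wipe after each re-flash. Second, `diffie-hellman-group1-sha1` is a 1024-bit group that current OpenSSH releases disable by default; only add it if the device really offers nothing else. The step that makes `ssh-keygen -R` safe, and that none of the posts spell out, is to compare the `SHA256:...` fingerprint in the warning with one obtained from the router over a channel that cannot be intercepted (its serial console, or the LuCI web UI over the directly attached cable; on the router, `dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key` prints the public key, which `ssh-keygen -lf` on the client will fingerprint). The script below is an added example, not code from this thread or from OpenWrt: it computes the same fingerprint OpenSSH prints, locates the "offending" known_hosts lines (plain and `|1|`-hashed entries), and replaces them only when the presented key matches the fingerprint you verified out of band. The keys, the hashing salt and the known_hosts contents are constructed for the demo and are not real keys.

```python
"""Verify a changed OpenWrt host key before replacing the stale known_hosts entry.

Added example, not code from the thread or from OpenWrt. The keys, salt and
known_hosts contents below are constructed for the demo; none is a real key.
CLI equivalents: ssh-keygen -R <host>, ssh-keyscan <host>, ssh-keygen -lf <file>.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint ('SHA256:' + unpadded base64 of SHA-256 over the
    key blob) of a line like 'ssh-rsa AAAA... comment', as shown in the warning."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_change_is_verified(presented_key_line: str, verified_fingerprint: str) -> bool:
    """True only if the key the router now presents matches the fingerprint you read
    on an independent channel (serial console, LuCI, dropbearkey -y on the box)."""
    return hmac.compare_digest(fingerprint_sha256(presented_key_line), verified_fingerprint)


def _host_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host pattern, including the hashed |1|salt|hmac form
    written when HashKnownHosts is on. Wildcards (* and ?) are not handled here."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(mac).decode(), mac_b64)
    return pattern == host


def find_conflicts(known_hosts: str, host: str, key_type: str) -> list:
    """Lines that already bind `host` to a key of `key_type` (the 'Offending key' lines)."""
    hits = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or fields[1] != key_type:
            continue
        if any(_host_matches(p, host) for p in fields[0].split(",")):
            hits.append(line)
    return hits


def accept_new_host_key(known_hosts: str, host: str, presented_key_line: str,
                        verified_fingerprint: str) -> str:
    """Return known_hosts with the stale entries for `host` replaced by the new key,
    or raise if the presented key does not match the out-of-band fingerprint."""
    if not key_change_is_verified(presented_key_line, verified_fingerprint):
        raise ValueError("presented key does not match the verified fingerprint; "
                         "do not run ssh-keygen -R, investigate instead")
    key_type = presented_key_line.split()[0]
    stale = set(find_conflicts(known_hosts, host, key_type))
    kept = [line for line in known_hosts.splitlines() if line not in stale]
    kept.append(f"{host} {presented_key_line}")
    return "\n".join(kept) + "\n"


# --- constructed sample data (not real keys) ---------------------------------

def make_fake_rsa_key(fill: bytes) -> str:
    """Syntactically valid ssh-rsa public key line built from dummy numbers."""
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + fill * 64)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " root@OpenWrt"


OLD_KEY = make_fake_rsa_key(b"\xaa")   # key the router had before the re-flash
NEW_KEY = make_fake_rsa_key(b"\xbb")   # key it generated on first boot afterwards
NAS_KEY = make_fake_rsa_key(b"\xcc")   # unrelated host that must survive untouched

_SALT_B64 = base64.b64encode(b"0123456789abcdef0123").decode()
_HASHED_ROUTER = "|1|" + _SALT_B64 + "|" + base64.b64encode(
    hmac.new(base64.b64decode(_SALT_B64), b"192.168.1.1", hashlib.sha1).digest()).decode()

KNOWN_HOSTS = (
    f"192.168.1.1 {OLD_KEY}\n"        # plain entry, like known_hosts:1 in the warning
    f"{_HASHED_ROUTER} {OLD_KEY}\n"   # the same host as a hashed entry
    f"nas.lan {NAS_KEY}\n"
)

if __name__ == "__main__":
    verified = fingerprint_sha256(NEW_KEY)   # stands in for the value read off the console
    print("offending lines:", len(find_conflicts(KNOWN_HOSTS, "192.168.1.1", "ssh-rsa")))
    print(accept_new_host_key(KNOWN_HOSTS, "192.168.1.1", NEW_KEY, verified))
```

In real use, `presented_key_line` is what `ssh-keyscan -t rsa 192.168.1.1` returns minus its leading host field, and `verified_fingerprint` is the value you read on the router itself; if the two disagree, the right move is to stop and find out what is answering on 192.168.1.1, not to delete the line.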

Thanks. It got sorted.

1 Like
