Eric Boring
December 2nd, 2008, 06:28 PM
I have searched for information on this, but I can't seem to find anything that quite fits what I am experiencing. I appreciate any help you all can offer.
I have two Ubuntu boxes on my network. I have been using cygwin to ssh into these boxes now and then. From my personal XP laptop, I can still ssh in with no problem. From the work XP laptop, I get the scary message below.
The odd thing is that if I ssh into the local IP address instead of using the computer name, it seems to work fine. Also, the IP address it lists in the message below is an external address (not the address I use within the LAN). EDIT: Actually it seems to be an address associated with my employer! (according to an online IP lookup service). Could this just be an odd confusion resulting from the VPN we use for work?
So my question is, am I really experiencing DNS Spoofing and/or a MITM attack, or did the upgrade this weekend simply change the RSA keys?
I use WPA2 for my wireless, with a firewall on the router. I do not have any incoming ports open on the router. I only access these machines from within my LAN.
I do not have firewalls or antivirus installed on the Ubuntu machines.
I do have firewalls and antivirus in use on the Windows machines.
Thanks for any help.
-Josh
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for XXXXXX has changed,
and the key for the corresponding IP address XX.XX.XXX.XX
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
XX:XX:XX:XX:etc
Please contact your system administrator.
Add correct host key in /cygdrive/c/Documents and Settings/xxxxx/.ssh/known_hosts to get rid of this message.
Offending key in /cygdrive/c/Documents and Settings/xxxxx/.ssh/known_hosts:3
RSA host key for frankendevo has changed and you have requested strict checking.
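The two lookups behind the warnings in the post, as an added example that is not part of the original post and is not OpenSSH's code: the offered key is checked against known_hosts once under the host name and once under the resolved IP address. The key blobs, the addresses 192.168.1.20 and 203.0.113.7 and the helper names are constructed for illustration, and hashed or marker entries are skipped.

```python
import base64
import hashlib

def parse_known_hosts(text):
    """Map each plain host name or IP to its list of (keytype, key blob)."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed (|1|...) host names.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        names, keytype, b64 = fields[:3]
        for name in names.split(","):
            table.setdefault(name, []).append((keytype, base64.b64decode(b64)))
    return table

def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint, the XX:XX:... form in the warning."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def status(table, name, keytype, blob):
    """'ok', 'changed' or 'unknown' for the key offered under this name."""
    stored = [b for t, b in table.get(name, []) if t == keytype]
    if not stored:
        return "unknown"
    return "ok" if blob in stored else "changed"

def classify(table, host, ip, keytype, blob):
    """Check the offered key under the host name and under the resolved IP."""
    return status(table, host, keytype, blob), status(table, ip, keytype, blob)

# Constructed sample data: placeholder blobs, not real RSA keys.
OLD_KEY = b"constructed-host-key-A"
NEW_KEY = b"constructed-host-key-B"
KNOWN_HOSTS = "# constructed file\nfrankendevo,192.168.1.20 ssh-rsa %s\n" % (
    base64.b64encode(OLD_KEY).decode())
TABLE = parse_known_hosts(KNOWN_HOSTS)

def by_name_via_other_address():
    # Name resolves to an address not in known_hosts; a different key is offered.
    return classify(TABLE, "frankendevo", "203.0.113.7", "ssh-rsa", NEW_KEY)

def by_lan_ip():
    # Connecting straight to the recorded LAN address; the recorded key is offered.
    return classify(TABLE, "192.168.1.20", "192.168.1.20", "ssh-rsa", OLD_KEY)

if __name__ == "__main__":
    print(by_name_via_other_address(), md5_fingerprint(NEW_KEY))
    print(by_lan_ip(), md5_fingerprint(OLD_KEY))
```

The pair ("changed", "unknown") is the combination that produces both banners quoted in the post; it shows only that the name and address no longer match the stored entry, not why.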