  1. #1
    Just Joined!
    Join Date
    Feb 2012
    Posts
    1

    Warning: Possible Dns Spoofing Detected! during sftp


    Hi,
    I have encountered a problem during an sftp connection:
    WARNING: POSSIBLE DNS SPOOFING DETECTED!
    The RSA host key for XXXXX has changed,
    and the key for the according IP address XXXXXXXXXX
    is unchanged. This could either mean that
    DNS SPOOFING is happening or the IP address for the host
    and its host key have changed at the same time.
    Offending key for IP in /home/XXXX/.ssh/known_hosts:

    .....
    My situation is:
    Someone is connecting to my boxes using sftp,
    e.g. "sftp host0.mydomain"
    host0.mydomain is resolved in round robin to the hosts host1.mydomain,
    host2.mydomain, host3.mydomain

    What should be done in order to avoid spoofing warnings?
    Do you think the only solution is to put the same key on each host: host1.mydomain,
    host2.mydomain, host3.mydomain?

    Is there a chance to somehow generate a key but without a hostname?
    I will appreciate your suggestions

  2. #2
    Linux Engineer Kloschüssel's Avatar
    Join Date
    Oct 2005
    Location
    Italy
    Posts
    773
    Maybe copy & paste the ssh key of the main server to all mirrors? I can't make up another solution right now, sorry. But basically host1, host2 and host3 should be transparent mirrors (i.e. a client doesn't need to know he's on a mirror) and therefore (by definition) all those hosts share the same key, since they should be virtually the same host. The other option is to publish the three hosts as mirrors and then it's up to the client to decide which one he wants to pick. Or as an idea: maybe some users should only be able to access one specific mirror?

    PS: mirroring only makes sense when your bottleneck is the computing power and not the network throughput (which typically is the case). Maybe mirroring doesn't make sense in your case and is just a lot of work for being nothing more than just awesome?
    Last edited by Kloschüssel; 02-06-2012 at 06:28 AM.
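The warning in the first post comes from how ssh compares the key it is offered against the known_hosts entries for the DNS name and for the resolved IP separately. The following model is an added illustration, not code from this thread or from OpenSSH; the known_hosts contents, the 192.0.2.x addresses and the KEY_* blobs are constructed placeholders. It reproduces the "is unchanged" message for the round-robin case and shows that recording every backend's key under host0.mydomain (an alternative to copying one private key to all mirrors) makes any backend acceptable.

```python
"""Model of OpenSSH's known_hosts verdict for a hostname that resolves to several hosts.
Constructed example; matching rules follow the hostname/IP checks ssh performs with
CheckHostIP=yes, simplified (no hashed entries, no wildcards, no certificates)."""

OK, CHANGED, NEW = "OK", "CHANGED", "NEW"

def lookup(known_hosts, name, key_type, key):
    """OK if some line for `name` carries exactly this key; CHANGED if lines for
    `name` with this key type exist but none match; NEW if `name` appears nowhere."""
    status = NEW
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        names, ktype, blob = fields[0].split(","), fields[1], fields[2]
        if name not in names or ktype != key_type:
            continue
        if blob == key:
            return OK          # an exact match anywhere wins, even after a mismatch
        status = CHANGED
    return status

def check_host_key(known_hosts, host, ip, key_type, key):
    """Verdict for a connection to `host` that resolved to `ip` and offered `key`.
    The hostname verdict decides; the IP verdict only shapes the message."""
    host_status = lookup(known_hosts, host, key_type, key)
    ip_status = lookup(known_hosts, ip, key_type, key)
    if host_status == OK:
        return "accepted" if ip_status != CHANGED else "accepted, but IP entry differs"
    if host_status == NEW:
        return "unknown host: ssh prompts before recording the key"
    ip_msg = {NEW: "is unknown", OK: "is unchanged", CHANGED: "has a different value"}[ip_status]
    return ("WARNING: POSSIBLE DNS SPOOFING DETECTED! The " + key_type + " host key for "
            + host + " has changed, and the key for the corresponding IP address " + ip_msg)

# Constructed client state: an earlier "sftp host0.mydomain" landed on host1 (recorded
# under the DNS name and its IP), and a direct "sftp host2.mydomain" recorded host2.
KNOWN_HOSTS_BEFORE = """\
host0.mydomain,192.0.2.11 ssh-rsa KEY_HOST1_PLACEHOLDER
host2.mydomain,192.0.2.12 ssh-rsa KEY_HOST2_PLACEHOLDER
"""
# Pinning: every backend key is also listed under the round-robin name (ssh-keyscan output
# works for this), so no private host key has to be copied between servers.
KNOWN_HOSTS_PINNED = KNOWN_HOSTS_BEFORE + """\
host0.mydomain ssh-rsa KEY_HOST2_PLACEHOLDER
host0.mydomain ssh-rsa KEY_HOST3_PLACEHOLDER
"""

def thread_scenario(known_hosts=KNOWN_HOSTS_BEFORE):
    """Round robin now hands out host2's address and host2 offers its own key."""
    return check_host_key(known_hosts, "host0.mydomain", "192.0.2.12",
                          "ssh-rsa", "KEY_HOST2_PLACEHOLDER")
```

With KNOWN_HOSTS_BEFORE the call yields exactly the thread's message ("... has changed, and the key for the corresponding IP address is unchanged"); with KNOWN_HOSTS_PINNED it returns "accepted".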
