Re: Does anyone ssh into shell.panix.com? Help?



Paul Ciszek wrote:
When you shell into shell.panix.com, you get forwarded to one of three
(maybe it's more by now) actual machines. As a result, most of the time
the host key doesn't match, and I get this message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

[snip]

Now, I can just keep trying ssh pciszek@xxxxxxxxxxxxxxx over and over until by chance I get connected to the one machine that matches the
key, presumably the same machine I was connected to the first time I
ssh'ed into panix from this PC. But I would like a better solution.
What gets me is the phrase "...and you have requested strict checking."
I didn't! I didn't request any checking at all! If there were a way
to request non-strict checking, I would!

Any advice?

It sounds like what panix (never heard of them before, myself) should do is put the same key on all their load-balanced servers, but that's their problem. It becomes your problem only because they're probably oblivious to it. Think about that if you ever consider switching whatever service they provide for you.

ssh does strict host key checking by default. You can adjust it for everything (although I wouldn't recommend it) or specific hosts (which in your case would be the best, maybe) in /etc/ssh/ssh_config by setting StrictHostKeyChecking. You can set it on the command line using the -o option on an ad hoc basis (which is probably your next best option).

"man ssh_config" and look for StrictHostKeyChecking for details. The default value is "ask." It seems like you may need to set it to "no" for panix. Again, think carefully before you do it. There's a reason the default is not "no."
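
The per-host scoping recommended in the reply above, as an added example that is not part of the original post. It is written for the per-user file ~/.ssh/config (an assumption; /etc/ssh/ssh_config, which the reply names, takes the same syntax), with the global form shown commented out for contrast:

```sshconfig
# ssh uses the first value it finds for each option, so the specific
# Host block must come before the catch-all "Host *" block.

# Scoped: relax host key checking only for the one name whose
# load-balanced backends present different keys.
Host shell.panix.com
    StrictHostKeyChecking no

# Global form the reply advises against (commented out on purpose):
# Host *
#     StrictHostKeyChecking no

# Every other host keeps the default behaviour.
Host *
    StrictHostKeyChecking ask
```

The ad hoc equivalent with the -o option mentioned in the reply is `ssh -o StrictHostKeyChecking=no shell.panix.com`, which leaves both config files untouched.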