mosh falsely reports a MITM attack warning

I connect my laptop to the office network (subnet 10.8.0.0/255.255.255.0) over openvpn. I can ssh and mosh into my office desktop without any problem.

Recently, I decided to create a second openvpn network on a different subnet (192.168.2.0/255.255.255.0) so that I can reach the computers at home.

When I am connected to both networks:

$ ip address 
...
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.26 peer 10.8.0.25/32 scope global tun1
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 192.168.2.3 peer 192.168.20.4/32 scope global tun0
       valid_lft forever preferred_lft forever

I try to ssh into my office desktop. $ ssh officebox works (officebox resolves to 172.22.22.133, which is in the office router's IP range), but my preferred method, $ mosh officebox, fails:

$ mosh officebox
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:Qcg8zcFGJAUwtnb1c/oATrVTIdRoFK/neQF7fmK/mag.
Please contact your system administrator.
... ... ...
/usr/bin/mosh: Did not find mosh server startup message.

However, using the IP address directly, $ mosh 172.22.22.133, works fine.

So I suspect this is DNS related. If I comment out the up/down update-resolv-conf lines in the OpenVPN client home.conf, so that no nameserver line gets inserted into /etc/resolv.conf, then running mosh by hostname works again. I would like to know what makes mosh think the remote host signature has changed.

# server.ovpn:
port 1194
proto udp
dev tun
ca   home/ca.crt
cert home/server.crt
key  home/server.key  # This file should be kept secret
dh home/dh2048.pem
server 192.168.2.0 255.255.255.0
ifconfig-pool-persist home-ipp.txt
push "route 192.168.2.0 255.255.255.0"
client-config-dir home/ccd
learn-address /etc/openvpn/learn-address.sh
push "dhcp-option DOMAIN home-vpn.net"
push "dhcp-option DNS 192.168.2.1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth home/ta.key 0 # This file is secret
comp-lzo
user vpn
group vpn
persist-key
persist-tun
status openvpn-home-status.log
log         openvpn-home.log
verb 3
up   update-resolv-conf
down update-resolv-conf
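
The warning above is printed by ssh, which mosh runs underneath to start mosh-server, and ssh keys its known_hosts lookup on the name you typed: if "officebox" now resolves to a machine that presents a different key than the one recorded for that name, ssh reports REMOTE HOST IDENTIFICATION HAS CHANGED, while an entry recorded under the bare IP still matches. The following added example (not code from the question, mosh or OpenSSH) reproduces that lookup in Python: it computes OpenSSH-style SHA256 fingerprints from public key blobs, matches both plain and hashed (|1|salt|hash) known_hosts host fields, and classifies the result as match, changed or unknown. All keys, host names and the known_hosts content are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public key line.

    The 32-byte "point" is a hash of a constructed label, not a real curve point,
    which is enough to exercise fingerprinting and known_hosts matching.
    """
    point = hashlib.sha256(b"constructed-key-%d" % seed).digest()
    blob = ssh_string(b"ssh-ed25519") + ssh_string(point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint_sha256(pubkey: str) -> str:
    """OpenSSH fingerprint format: SHA256 over the raw key blob, base64 without '=' padding."""
    blob = base64.b64decode(pubkey.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host(host: str, salt: bytes) -> str:
    """Produce a HashKnownHosts-style host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host field (comma-separated names, or a hashed entry) against host."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in pattern.split(",")


def check_host_key(known_hosts: str, host: str, presented_pubkey: str) -> str:
    """Classify a presented key the way ssh does for a host name.

    'match'   - a recorded key of the same type for this name equals the presented key
    'changed' - this name has a recorded key of that type, but it differs (the warning case)
    'unknown' - nothing recorded for this name and key type (ssh would prompt to trust it)
    """
    presented_fp = fingerprint_sha256(presented_pubkey)
    presented_type = presented_pubkey.split()[0]
    seen_type = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, keytype, keydata = fields[0], fields[1], fields[2]
        if not host_matches(hosts, host) or keytype != presented_type:
            continue
        seen_type = True
        if fingerprint_sha256(f"{keytype} {keydata}") == presented_fp:
            return "match"
    return "changed" if seen_type else "unknown"


# Constructed scenario: the office desktop's key was recorded under both its name and its IP;
# a different machine's key stands in for whatever "officebox" resolves to via the home DNS.
OFFICE_KEY = make_ed25519_pubkey(1)
OTHER_KEY = make_ed25519_pubkey(2)
NAS_KEY = make_ed25519_pubkey(3)
SALT = b"constructed-salt-20b"  # 20 bytes, like OpenSSH's HMAC-SHA1 salt

KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts for the example",
    f"officebox,172.22.22.133 {OFFICE_KEY}",
    f"{hashed_host('nas.example', SALT)} {NAS_KEY}",
])


def demo() -> dict:
    """Run the lookups that correspond to the three commands in the question."""
    return {
        "mosh officebox, name still reaches the office box": check_host_key(KNOWN_HOSTS, "officebox", OFFICE_KEY),
        "mosh officebox, name now reaches another host": check_host_key(KNOWN_HOSTS, "officebox", OTHER_KEY),
        "mosh 172.22.22.133": check_host_key(KNOWN_HOSTS, "172.22.22.133", OFFICE_KEY),
        "hashed entry lookup": check_host_key(KNOWN_HOSTS, "nas.example", NAS_KEY),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

A practical check on the real laptop is to compare the fingerprint ssh printed with ssh-keygen -F officebox (the entry ssh is matching against) and with what the name resolves to from each nameserver in /etc/resolv.conf; a "changed" verdict that disappears when connecting by IP points at the name resolving to a different machine rather than at a key change on the office desktop.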
