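I have four Azure VMs running Ubuntu 20.04.3, which I shut down regularly. Yesterday I shut them down, and this morning I started them again. Normally this causes no problems.
Today, one of the machines started giving me the dreaded WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED message: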
» ssh machine-two
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for machine-two.westeurope.cloudapp.azure.com has changed,
and the key for the corresponding IP address 23.231.121.245
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:lU2tqbkQU+e3l+hymVr+lU2tqbkQUWo3/wXxdT/MGA4.
Please contact your system administrator.
Add correct host key in /home/theuser/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/theuser/.ssh/known_hosts:92
remove with:
ssh-keygen -f "/home/theuser/.ssh/known_hosts" -R "machine-two.westeurope.cloudapp.azure.com"
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.11.0-1021-azure x86_64)
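I did not reinstall the machine. I may have done a system update yesterday, but definitely not a reinstall.
What I see is that the host keys have indeed been updated: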
» ls -l /etc/ssh/
total 576
-rw-r--r-- 1 root root 535195 Jul 23 14:55 moduli
-rw-r--r-- 1 root root 1603 Jul 23 14:55 ssh_config
drwxr-xr-x 2 root root 4096 Jul 23 14:55 ssh_config.d
-rw------- 1 root root 1393 Nov 24 04:05 ssh_host_dsa_key
-rw-r--r-- 1 root root 610 Nov 24 04:05 ssh_host_dsa_key.pub
-rw------- 1 root root 513 Nov 24 04:05 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 182 Nov 24 04:05 ssh_host_ecdsa_key.pub
-rw------- 1 root root 411 Nov 24 04:05 ssh_host_ed25519_key
-rw-r--r-- 1 root root 102 Nov 24 04:05 ssh_host_ed25519_key.pub
-rw------- 1 root root 2610 Nov 24 04:05 ssh_host_rsa_key
-rw-r--r-- 1 root root 574 Nov 24 04:05 ssh_host_rsa_key.pub
-rw-r--r-- 1 root root 342 Oct 21 23:45 ssh_import_id
-rw-r--r-- 1 root root 3287 Oct 21 23:46 sshd_config
drwxr-xr-x 2 root root 4096 Oct 22 00:09 sshd_config.d
And the update time matches the boot time:
» last -5
azureuse pts/1 216.129.44.18 Wed Nov 24 04:10 still logged in
azureuse pts/0 216.129.44.18 Wed Nov 24 04:10 still logged in
reboot system boot x.yy.0-zzzz-azur Wed Nov 24 04:04 still running
azureuse pts/0 216.129.44.18 Tue Nov 23 08:22 - 23:02 (14:39)
reboot system boot x.yy.0-zzzz-azur Tue Nov 23 03:58 - 23:02 (19:04)
wtmp begins Tue Oct 26 20:19:31 2021
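The other machines are not affected by this and never have been. In fact, this is the first time I have seen host keys change "spontaneously".
Why would a reboot update the host keys? What else should I verify? For now, I am connecting with StrictHostKeyChecking no.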
Answer 1
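Run grep ssh /var/log/cloud-init.log. If the VM's instance ID changes, cloud-init apparently regenerates the keys/fingerprints. This file seems to keep a long history, so it should be easy to tell whether it happened within your time frame.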
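An added example, not part of the original question or answer: rather than connecting with StrictHostKeyChecking no, the fingerprint printed in the client warning can be compared with the server's own /etc/ssh/ssh_host_*_key.pub lines, read over a channel that does not depend on the SSH host key (for instance the cloud provider's console). The function names and the sample key are constructed for illustration; an ed25519-shaped key is used, but the same computation applies to the ECDSA key in the warning.

```python
import base64
import hashlib
import re
import struct


def fingerprint(pub_line):
    """Return (key_type, 'SHA256:...') for one line of an ssh_host_*_key.pub file."""
    key_type, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The key blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type field does not match the key blob")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the SHA-256 digest as base64 without '=' padding.
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_from_warning(text):
    """Extract the SHA256 fingerprint from the ssh client's warning text."""
    m = re.search(r"SHA256:[A-Za-z0-9+/]{43}", text)
    return m.group(0) if m else None


def matching_key(warning_text, pub_lines):
    """Return the type of the server key whose fingerprint the client saw, or None."""
    seen = fingerprint_from_warning(warning_text)
    for line in pub_lines:
        key_type, fp = fingerprint(line)
        if seen is not None and fp == seen:
            return key_type
    return None


def constructed_pub(seed):
    """Constructed sample: an ed25519-shaped public key line, not a real host key."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@machine-two"


if __name__ == "__main__":
    server_pub = constructed_pub(b"regenerated at boot")
    warning = ("The fingerprint for the ED25519 key sent by the remote host is\n"
               + fingerprint(server_pub)[1] + ".\n")
    result = matching_key(warning, [server_pub])
    print("match:" if result else "NO MATCH, do not accept the key", result)
```

Only when a key type is returned should the stale known_hosts entry be removed with the ssh-keygen -R command from the warning and the new key accepted.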