Discussion:
[Fab-user] Need debugging advice for host key error
Waldbieser, Carl
2014-12-10 18:20:01 UTC
I use fabric to retrieve a bunch of files from a set of hosts each day.
However, one host started giving me the following error:

Fatal error: Host key for $MYHOST did not match pre-existing key! Server's key was changed recently, or possible man-in-the-middle attack.
Underlying exception:
('$MYHOST', <paramiko.rsakey.RSAKey object at 0x13e36d0>, <paramiko.rsakey.RSAKey object at 0x13e5490>)

(I changed the actual host name to $MYHOST).

I thought an admin had just re-IP'd the host. But I could ssh to it without a warning-- how strange.
I removed the entry from my known_hosts file anyway. I verified I could shell in. Then I ran fabric and got the same result.
I can get the result by executing something as simple as:

$ fab -H "$MYHOST" -- ls

The following short paramiko script seems to work, though:

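#! /usr/bin/env python

import paramiko.client

c = paramiko.client.SSHClient()
# Load the known host keys from the user's known_hosts file
c.load_system_host_keys()
c.connect("ldap6")
# exec_command returns (stdin, stdout, stderr); print the command's stdout
t = c.exec_command("ls")
print(t[1].read())
c.close()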

So I am not exactly sure where to look next. Has anyone run into this puzzling behavior?

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College
Waldbieser, Carl
2014-12-10 18:22:32 UTC
I suppose I should note the versions I am using:

Fabric==1.10.0
paramiko==1.15.1
pycrypto==2.6.1

Thanks,
Carl

Ben Abrams
2014-12-10 18:33:42 UTC
Carl,

Did someone regenerate the host key fingerprint? While it's trivial to
ignore, it does open you up for a man in the middle. I would verify that
everything is good before doing anything like this. Here is some
documentation on ssh behavior with fabric:
http://docs.fabfile.org/en/latest/usage/ssh.html

You have several options:
1. Fix your (or whatever user fab is running as) .ssh/known_hosts to not
have the conflict (i.e. delete the offending key)
2. Change .ssh/config for host (list of hosts) to use something like
StrictHostKeyChecking=no or UserKnownHostsFile=/dev/null
3. You could also do this by modifying the behavior of fabric to not care
by setting env.disable_known_hosts=True

Hope this helps you
--
Ben Abrams
Computer Consultant
702-900-7926
benabrams.it
***@benabrams.it
Waldbieser, Carl
2014-12-10 19:05:16 UTC
I think I understand why this happened.
Recently, the connectivity to 2 of the hosts ($HOST_A and $HOST_B) changed so that they needed to be accessed via a gateway.
So in my `fabfile.py`, I added:

env.gateway = $GATEWAY_HOST

This works fine for the 2 affected hosts. The 3rd host was in my ~/.ssh/known_hosts, though, and the fingerprint did not match because of the gateway.
When I deleted the entry, I shelled in to test the connection, but that put the key back in known_hosts.

Thanks,
Carl
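
Added example (not part of the original thread, and not Fabric or paramiko code): a standard-library check that shows which known_hosts entry a "did not match pre-existing key" error is being compared against, including hashed host entries, so the stored key can be verified before anything is deleted or host key checking is turned off. The host names and key blobs are constructed placeholders, and the presented key is assumed to have been obtained separately; wildcard and negated host patterns are not handled.

```python
import base64, hashlib, hmac

def fingerprint(b64_key):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(host_field, host):
    """True if a known_hosts host field names `host` (plain or hashed form)."""
    if host_field.startswith("|1|"):
        # Hashed entry: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))
        _, _, salt, mac = host_field.split("|")
        calc = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(calc, base64.b64decode(mac))
    return host in host_field.split(",")  # plain "name,ip" list, no wildcards

def check_host_key(known_hosts_text, host, key_type, presented_b64):
    """Return (status, entries); status is 'match', 'mismatch' or 'unknown'."""
    stored = []
    for lineno, line in enumerate(known_hosts_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or line.lstrip().startswith(("#", "@")):
            continue  # skip blanks, comments and @cert-authority/@revoked lines
        hosts, ktype, b64 = parts[:3]
        if ktype == key_type and host_matches(hosts, host):
            stored.append((lineno, fingerprint(b64)))
    if not stored:
        return "unknown", []
    want = fingerprint(presented_b64)
    if any(fp == want for _, fp in stored):
        return "match", stored
    return "mismatch", stored

def demo():
    # Constructed sample data: these blobs are placeholders, not real SSH keys.
    old = base64.b64encode(b"constructed-old-host-key").decode()
    new = base64.b64encode(b"constructed-new-host-key").decode()
    salt = b"constructed-salt-20b"
    mac = hmac.new(salt, b"host-b.example", hashlib.sha1).digest()
    hashed = "|1|%s|%s" % (base64.b64encode(salt).decode(),
                           base64.b64encode(mac).decode())
    known = ("# constructed known_hosts\n"
             "host-a.example,192.0.2.10 ssh-rsa %s\n"
             "%s ssh-rsa %s\n" % (old, hashed, new))
    return [check_host_key(known, h, "ssh-rsa", new)[0]
            for h in ("host-a.example", "host-b.example", "host-c.example")]

if __name__ == "__main__":
    print(demo())
```

A "mismatch" result comes with the line numbers and fingerprints of the stored entries, which can be compared against a fingerprint obtained from the host's administrator.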
