Problems you run into when reusing an Elastic IP, and how to fix them
Add correct host key in /var/root/.ssh/known_hosts to get rid of this message.

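When you reuse an Elastic IP, you run into a problem. The previously registered Elastic IP (EIP below) is recorded in /var/root/.ssh/known_hosts together with the remote server's ECDSA key, which serves as its fingerprint, and SSH compares against that record on every login.

When you upgrade EC2 you get a different machine, so even though the EIP stays the same, the machine's ECDSA key changes. The comparison then fails, and SSH prints the following error message: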

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:TaLV4Siymlcd63/kO1hgDEDaaWalclYBwbHLxK4UvrE.
Please contact your system administrator.
Add correct host key in /var/root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /var/root/.ssh/known_hosts:9
ECDSA host key for 13.113.48.222 has changed and you have requested strict checking.
Host key verification failed.
  • Add correct host key in /var/root/.ssh/known_hosts to get rid of this message.
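    This line tells you where the error occurred. In short, the ECDSA key sent by the machine behind the EIP differs from the one recorded in /var/root/.ssh/known_hosts, and you are asked to supply the correct ECDSA key.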

Solution:

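From the error description, the fix is one of two things: correct the EIP's fingerprint to the current machine's ECDSA key, or simply remove the EIP entry, so that the next login adds it again automatically with the current machine's ECDSA key. The approach below is the latter.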

$ ssh-keygen -f '/var/root/.ssh/known_hosts' -R host
ssh-keygen 
-f 'path of your known_hosts file'
-R hostname that went wrong
  • If you leave out -f, the default is ~/.ssh/known_hosts, which is not the file where the error occurred. Removing the EIP there will not fix this problem.
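
The first option mentioned above (correcting the entry to the current machine's key) as an added example, not code from the original post: it replaces the stale known_hosts line only when the offered key matches a fingerprint obtained over a trusted channel. The function names, host addresses and key blobs are constructed for illustration, and entries are assumed to use plain (unhashed) host names.

```python
import base64
import hashlib

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh prints: unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def repin(known_hosts: str, host: str, offered_line: str, expected_fp: str) -> str:
    """Replace host's stale entry with offered_line, but only if the offered
    key matches expected_fp, a fingerprint obtained over a trusted channel."""
    _, keytype, key_b64 = offered_line.split()[:3]
    if fingerprint(key_b64) != expected_fp:
        raise ValueError(f"{host}: offered {keytype} key does not match expected fingerprint")
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        is_entry = len(fields) >= 3 and not line.startswith(("#", "@"))
        # Assumption: plain (unhashed) host names; HashKnownHosts entries are not matched.
        if is_entry and host in fields[0].split(",") and fields[1] == keytype:
            continue  # drop the stale key for this host and key type
        kept.append(line)
    kept.append(offered_line)
    return "\n".join(kept) + "\n"

# Constructed sample data: the blobs are placeholders, not real host keys.
HOST = "203.0.113.10"
OLD_KEY = base64.b64encode(b"constructed old instance host key").decode()
NEW_KEY = base64.b64encode(b"constructed new instance host key").decode()
KNOWN_HOSTS = (
    f"{HOST} ecdsa-sha2-nistp256 {OLD_KEY}\n"
    f"198.51.100.7 ecdsa-sha2-nistp256 {OLD_KEY}\n"
)
OFFERED = f"{HOST} ecdsa-sha2-nistp256 {NEW_KEY}"

if __name__ == "__main__":
    trusted_fp = fingerprint(NEW_KEY)  # stands in for the value read out of band
    print(repin(KNOWN_HOSTS, HOST, OFFERED, trusted_fp))
```

A mismatch raises ValueError and leaves the file contents untouched, which is the case the warning banner is there to catch.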

