FortiGate
RBA
Staff
Article Id 270911
Description This article describes how to troubleshoot the SSH 'REMOTE HOST IDENTIFICATION HAS CHANGED' error.
Scope FortiGate.
Solution

SSH from the client to the server (with the FortiGate SSH proxy in the path) prompts 'REMOTE HOST IDENTIFICATION HAS CHANGED' roughly every hour, as below:

 

[user@hostname ~]$ ssh root@fortinet
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
6e:48:f9:a8:af:37:3d:a1:a5:c7:56:1d:02:f8:67:00.
Please contact your system administrator.
Add correct host key in /home/hostname/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/lib/ssh/known_hosts:10
RSA host key for fortinet has changed and you have requested strict checking.
Host key verification failed.

 

WAD debugs on the FortiGate show the server hostkey as untrusted. The proxy then presents the client with a temporary hostkey instead of the real one, and because that temporary key is regenerated hourly the warning reappears every hour:

 

[I]2023-07-25 16:52:06.700628 [p:15623][s:2235956574] wad_ssh_auth_proxy_validate_hostkey:1475 Server host key: ECDSA fingerprint: SHA256:NHgtRHJtwmAnEHZyDdhcHBdk9SGLhpjskaIuS7tOP/8
[I]2023-07-25 16:52:06.700631 [p:15623][s:2235956574] wad_ssh_stream_set_hostkey_status :881 c2p hostkey untrusted, bypass
[I]2023-07-25 16:52:06.700656 [p:15623][s:2235956574] wad_ssh_intf_set_server_hostkey :690 c2p server hostkey untrusted

 

How the SSH proxy handles the server hostkey depends on whether the hostkey is trusted on the FortiGate and whether it is signed by a CA:

  1. When a hostkey is trusted and signed by a CA, the SSH proxy re-signs the appropriate type of hostkey using a trusted CA.
  2. When a hostkey is trusted but not signed, the SSH proxy sends back the appropriate type of hostkey.
  3. When a hostkey is untrusted and signed by a CA, the SSH proxy re-signs a temporary hostkey (one hour lifetime) using an untrusted CA.
  4. When a hostkey is untrusted and not signed, the SSH proxy sends back a temporary hostkey (one hour lifetime).

In cases 3 and 4 the client sees a new hostkey each time the temporary key is regenerated, which is why the warning returns every hour even after the client accepts the key.

 

Clearing the client's known_hosts file only silences the warning until the proxy's temporary hostkey is regenerated an hour later. To resolve the issue, the server must be added as a trusted host on the FortiGate by importing its hostkey, so that the proxy stops substituting a temporary key.

As an illustration, a Linux Mint host is used as the server. First retrieve the server's hostkey with ssh-keyscan, requesting the same key type (ECDSA here) that the WAD debug reports for the server:


LinuxMint ~ # ssh-keyscan -t ecdsa 172.31.121.100
# 172.31.121.100:22 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
172.31.121.100 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPeFZVTbWO5+6cdhymt7J5WSVqqX4mBh+MdvPy5XJpjB/uYTMpKbkj4aA6Fn0GudDKf1Cre9uzxzg7o8KL22Wtk=

 

config firewall ssh host-key
    edit "sshhostkey"
        set type ECDSA
        set ip 172.31.121.100 <--- IP of Server
        set public-key "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPeFZVTbWO5+6cdhymt7J5WSVqqX4mBh+MdvPy5XJpjB/uYTMpKbkj4aA6Fn0GudDKf1Cre9uzxzg7o8KL22Wtk=" <----- Public key of the server: the base64 blob from ssh-keyscan, without the 'ecdsa-sha2-nistp256' prefix.
    next
end

 

Now, to update the fingerprint on the client, remove the stale entry for the server from the client's known_hosts file (for example with 'ssh-keygen -R <server>') and initiate SSH to the server again. Before accepting the new key, verify that the fingerprint presented on this connection matches the server's real hostkey rather than another temporary key.
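To tie the steps above together (retrieve the key with ssh-keyscan, check it, build the FortiGate configuration, and compare the fingerprint against the WAD debug), here is an added example that is not part of the original article and not Fortinet's own tooling. It parses an ssh-keyscan line, verifies that the declared key type matches the type encoded inside the key blob (a copy-paste mix-up between key types would otherwise be pinned silently), computes the SHA256 fingerprint in the same format WAD prints in the wad_ssh_auth_proxy_validate_hostkey line, and renders the config firewall ssh host-key block. The sample ssh-keyscan line is the one shown above; the key-type mapping beyond ECDSA, the helper names and the keyscan() wrapper are assumptions.

```python
import base64
import hashlib
import struct
import subprocess
from typing import Tuple

# Constructed sample input: the ssh-keyscan line for the article's server
# (172.31.121.100, ECDSA P-256 hostkey), embedded so the example runs offline.
KEYSCAN_LINE = (
    "172.31.121.100 ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPeFZVTbWO5+6cdhymt7"
    "J5WSVqqX4mBh+MdvPy5XJpjB/uYTMpKbkj4aA6Fn0GudDKf1Cre9uzxzg7o8KL22Wtk="
)

# Assumed mapping from OpenSSH key type names to the value FortiGate's
# 'set type' expects. Only ECDSA appears on the page; the rest is an assumption.
FORTIGATE_KEY_TYPE = {
    "ssh-rsa": "RSA",
    "ssh-dss": "DSA",
    "ssh-ed25519": "ED25519",
    "ecdsa-sha2-nistp256": "ECDSA",
    "ecdsa-sha2-nistp384": "ECDSA",
    "ecdsa-sha2-nistp521": "ECDSA",
}


def read_ssh_string(buf: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes) at offset."""
    if offset + 4 > len(buf):
        raise ValueError("truncated SSH string length")
    (length,) = struct.unpack_from(">I", buf, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated SSH string body")
    return buf[start:end], end


def parse_keyscan_line(line: str) -> Tuple[str, str, bytes]:
    """Parse 'host type base64' as printed by ssh-keyscan into (host, type, blob).

    The wire-format blob starts with the key type name as its first string;
    refuse lines where that does not match the declared type, so a tampered or
    mis-pasted line is caught before the key is pinned on the FortiGate.
    """
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#"):
        raise ValueError(f"not a hostkey line: {line!r}")
    host, key_type, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    embedded, _ = read_ssh_string(blob, 0)
    if embedded.decode("ascii", "replace") != key_type:
        raise ValueError(f"declared type {key_type} but blob encodes {embedded!r}")
    return host, key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob).

    This is the format WAD prints for 'Server host key: ECDSA fingerprint:',
    so the result can be compared directly with the debug output.
    """
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fortigate_host_key_config(name: str, line: str) -> str:
    """Render the 'config firewall ssh host-key' block for one ssh-keyscan line."""
    host, key_type, blob = parse_keyscan_line(line)
    if key_type not in FORTIGATE_KEY_TYPE:
        raise ValueError(f"unsupported key type {key_type}")
    b64 = base64.b64encode(blob).decode()  # base64 blob only, no type prefix
    return "\n".join([
        "config firewall ssh host-key",
        f'    edit "{name}"',
        f"        set type {FORTIGATE_KEY_TYPE[key_type]}",
        f"        set ip {host}",
        f'        set public-key "{b64}"',
        "    next",
        "end",
    ])


def keyscan(host: str, key_type: str = "ecdsa") -> str:
    """Run ssh-keyscan against a live host and return its hostkey line (online only)."""
    out = subprocess.run(["ssh-keyscan", "-t", key_type, host],
                         capture_output=True, text=True, check=True).stdout
    for line in out.splitlines():
        if line and not line.startswith("#"):
            return line
    raise ValueError(f"no {key_type} hostkey returned by {host}")


if __name__ == "__main__":
    _, _, blob = parse_keyscan_line(KEYSCAN_LINE)
    print("fingerprint to compare with the WAD debug:", fingerprint_sha256(blob))
    print(fortigate_host_key_config("sshhostkey", KEYSCAN_LINE))
```

Against a live server, replace KEYSCAN_LINE with keyscan("172.31.121.100") and compare the printed fingerprint with the one in the wad_ssh_auth_proxy_validate_hostkey debug line before pasting the generated block into the FortiGate CLI; the point of the procedure is to pin the server's real hostkey, not one of the proxy's temporary keys.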

 

After the change, WAD debugs show the server hostkey as trusted, and the proxy passes the real hostkey through instead of a temporary one:

 

[I]2023-07-28 11:53:57.829723 [p:15623][s:2278497196] wad_ssh_stream_set_hostkey_status :887 c2p hostkey trusted, pass
[I]2023-07-28 11:53:57.829725 [p:15623][s:2278497196] wad_ssh_intf_set_server_hostkey :690 c2p server hostkey trusted
