Linux Archive


Dr Beco 08-20-2012 08:29 PM

man in the middle attack ?
 
Dear linuxers,


Today I registered a lot of students in the class, and 4 hours later I
was at home and got a message that one of them could not log in.

So I tried and got this message:


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
66:09:66:e3:e1:54:dc:65:e4:a4:74:99:c4:df:3e:ff.
Please contact your system administrator.
Add correct host key in /home/beco/.ssh/known_hosts to get rid of this message.
Offending key in /home/beco/.ssh/known_hosts:1
RSA host key for beco.poli.br has changed and you have requested
strict checking.
Host key verification failed.


What should I do, or where should I look, to understand this problem?

Can I log in with my account remotely to see the problem, or should I
better log in locally?


Thanks,
Beco.


--
Dr. Beco
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CALuYw2zMFMh1+0cnZsKv+_qducRCGPhmfCQZRWm2Q8zVgnr+zQ@mail.gmail.com

Ralf Mardorf 08-20-2012 08:43 PM

man in the middle attack ?
 
Hi Dr. Beco A.I. research, Cognitive Scientist and Philosopher Linux
Counter #201942,

take an educated guess or ask one of your A.I. thingy to take an
educated guess.

Regards,
Ralf

PS: When I was a child one of my heroes was
http://de.wikipedia.org/wiki/Joseph_Weizenbaum , he still is. Most
teachers are a PITA.


Archive: http://lists.debian.org/1345495397.1285.103.camel@localhost.localdomain

Jochen Spieker 08-20-2012 08:43 PM

man in the middle attack ?
 
Dr Beco:
>
> Today I registered a lot of students in the class, and 4 hours later I
> was in home and got a message one of them could not log in.

Log in where? Is this system administered by you?

> So I tried and got this message:
>
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA host key has just been changed.

Read this message, it explains exactly what might have happened. Did you
change the host key? Does the DNS name (on the connecting client!) still
point to the correct system? Which host key do you get when you connect?

> Can I log in with my account remotely to see the problem, or should I
> better log in locally?

If you suspect that the system has been tampered with, do not enter any
passwords on this system before taking it offline. If you can log in
using a public key, you can use that safely.

If you do not know why the host key changed, reinstall the system from
scratch or restore from a "good" backup. If you want to try forensics,
keep the old disk and install on a new one.

J.
--
Whenever I hear the word 'art' I reach for my visa card.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>

"Chris" 08-20-2012 08:43 PM

man in the middle attack ?
 
To me, if you are teaching a linux class (assumed since you are self proclaiming to be a doctor) then I question why you, as a teacher, are not capable of knowing this or how to troubleshoot.

If on the other hand you are just teaching something on a linux box, then perhaps calling the IT team at the school should be in order.

Again, just asking what seems to be the obvious first.

Sent from my HTC.


Ralf Mardorf 08-20-2012 08:48 PM

man in the middle attack ?
 
On Mon, 2012-08-20 at 22:43 +0200, Ralf Mardorf wrote:
> Hi Dr. Beco A.I. research, Cognitive Scientist and Philosopher Linux
> Counter #201942,
>
> take an educated guess or ask one of your A.I. thingy to take an
> educated guess.
>
> Regards,
> Ralf
>
> PS: When I was a child one of my heroes was
> http://de.wikipedia.org/wiki/Joseph_Weizenbaum , he still is. Most
> teachers are a PITA.

PS: "Weizenbaum bezeichnete sich selbst als Dissidenten und Ketzer der
Informatik." I'm unable to translate this 100% correctly. But he was and
for me he still is that way, especially regarding guys with
signatures similar to "A.I. research, Cognitive Scientist and
Philosopher Linux Counter #201942" Barf!



Archive: http://lists.debian.org/1345495737.1285.106.camel@localhost.localdomain

Phil Dobbin 08-20-2012 10:49 PM

man in the middle attack ?
 
Dr Beco wrote:


> Today I registered a lot of students in the class, and 4 hours later I
> was in home and got a message one of them could not log in.
>
> So I tried and got this message:
>
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 66:09:66:e3:e1:54:dc:65:e4:a4:74:99:c4:df:3e:ff.
> Please contact your system administrator.
> Add correct host key in /home/beco/.ssh/known_hosts to get rid of this message.
> Offending key in /home/beco/.ssh/known_hosts:1
> RSA host key for beco.poli.br has changed and you have requested
> strict checking.
> Host key verification failed.
>
>
> What should I do, or where should I look, to understand this problem?
>
> Can I log in with my account remotely to see the problem, or should I
> better log in locally?

As has been suggested, if you are not the system administrator of the
system, contact whoever is (it seems that you are not).

It's usually just that that particular IP address for that machine on
the LAN has been used with a different key before, but it could be
something malicious. Best to get hold of your admin ASAP.

I'd like to apologise for the abuse you have suffered at the hands of
certain members of this list. Uncalled for, rude & unhelpful.

Ubuntu is a very similar distro to Debian & you may find it worth your
while to unsubscribe here & subscribe to Ubuntu's list. They are much
more friendly, courteous & helpful.

Cheers,

Phil...

--
currently (ab)using
CentOS 6.3, Debian Squeeze, Fedora Beefy, OS X Snow Leopard, Ubuntu Precise


Archive: http://lists.debian.org/5032BF08.7060205@gmail.com

lina 08-21-2012 03:43 AM

man in the middle attack ?
 
On Tuesday 21,August,2012 04:29 AM, Dr Beco wrote:
> Dear linuxers,
>
>
> Today I registered a lot of students in the class, and 4 hours later I
> was in home and got a message one of them could not log in.
>
> So I tried and got this message:
>
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 66:09:66:e3:e1:54:dc:65:e4:a4:74:99:c4:df:3e:ff.
> Please contact your system administrator.
> Add correct host key in /home/beco/.ssh/known_hosts to get rid of this message.
> Offending key in /home/beco/.ssh/known_hosts:1

I met similar things many times, you may just simply
vim /home/beco/.ssh/known_hosts
delete the line 1 key there, or you may delete all.
and ssh again,

Thanks,

Best regards,
> RSA host key for beco.poli.br has changed and you have requested
> strict checking.
> Host key verification failed.
>
>
> What should I do, or where should I look, to understand this problem?
>
> Can I log in with my account remotely to see the problem, or should I
> better log in locally?
>
>
> Thanks,
> Beco.
>
>


Archive: http://lists.debian.org/503303DD.6050406@gmail.com

Jerome BENOIT 08-21-2012 03:58 AM

man in the middle attack ?
 
http://lackof.org/taggart/hacking/ssh/ -> Don't ignore ssh host key warnings (at the end)

On 21/08/12 05:43, lina wrote:
> On Tuesday 21,August,2012 04:29 AM, Dr Beco wrote:
>> Dear linuxers,
>>
>>
>> Today I registered a lot of students in the class, and 4 hours later I
>> was in home and got a message one of them could not log in.
>>
>> So I tried and got this message:
>>
>>
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>> It is also possible that the RSA host key has just been changed.
>> The fingerprint for the RSA key sent by the remote host is
>> 66:09:66:e3:e1:54:dc:65:e4:a4:74:99:c4:df:3e:ff.
>> Please contact your system administrator.
>> Add correct host key in /home/beco/.ssh/known_hosts to get rid of this message.
>> Offending key in /home/beco/.ssh/known_hosts:1
>
> I met similar things many times, you may just simply
> vim /home/beco/.ssh/known_hosts
> delete the line 1 key there, or you may delete all.
> and ssh again,
>
> Thanks,
>
> Best regards,
>
>> RSA host key for beco.poli.br has changed and you have requested
>> strict checking.
>> Host key verification failed.
>>
>>
>> What should I do, or where should I look, to understand this problem?
>>
>> Can I log in with my account remotely to see the problem, or should I
>> better log in locally?
>>
>>
>> Thanks,
>> Beco.

Archive: http://lists.debian.org/50330753.6090306@rezozer.net

David 08-21-2012 04:02 AM

man in the middle attack ?
 
On 21/08/2012, Phil Dobbin <bukowskiscat@gmail.com> wrote:
>
> I'd like to apologise for the abuse you have suffered at the hands of
> certain members of this list. Uncalled for, rude & unhelpful.

I agree. Attacking strangers might be a brief distraction from a bad
day, or a sad life, but it is not the majority spirit here. Please
ignore.


Archive: http://lists.debian.org/CAMPXz=pK3ePxyUiWidW1uqfr1StxVp_F7+i2fKAPNsUKrRPEZg@mail.gmail.com

David 08-21-2012 04:13 AM

man in the middle attack ?
 
On 21/08/2012, lina <lina.lastname@gmail.com> wrote:
> On Tuesday 21,August,2012 04:29 AM, Dr Beco wrote:

>> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>> Someone could be eavesdropping on you right now (man-in-the-middle
>> attack)!
>> It is also possible that the RSA host key has just been changed.
>> Please contact your system administrator.
>
> I met similar things many times, you may just simply
> vim /home/beco/.ssh/known_hosts
> delete the line 1 key there, or you may delete all
> and ssh again,

lina's instructions are correct, but they completely bypass the security of ssh.
Follow them only if you do not care about the security of your client
or the server,
and if you do not care about the warnings above. Otherwise, investigate why
the host now has a different security key since last time you accessed it.


Archive: http://lists.debian.org/CAMPXz=oE7-VrzcRqgn1WaoFFRMygUVFz5H+xK9uoDWnsi03pAA@mail.gmail.com
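
An added example, not part of any post in this thread: one way to carry out the investigation the replies ask for, by comparing the fingerprint shown in the warning with the host key read out-of-band at the server's console, and only then listing which known_hosts lines are outdated. The function names are hypothetical, and the key material and the 192.0.2.10 address are constructed placeholders.

```python
import base64
import hashlib
import struct

def fingerprints(pubkey_line):
    """Return (md5_colon_hex, sha256_b64) for a '<type> <base64> [comment]' line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    h = hashlib.md5(blob).hexdigest()  # the format printed in the 2012-era warning
    md5 = ":".join(h[i:i + 2] for i in range(0, len(h), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha  # second form is what current OpenSSH prints

def classify(warning_fp, trusted_pubkey_line, known_hosts_text, host):
    """Compare the fingerprint from the warning with a key read out-of-band.

    Returns ("mismatch", []) if the offered key is not the server's real key,
    else ("rotated", [line numbers of outdated known_hosts entries for host]).
    Hashed known_hosts hostnames (|1|...) are not matched by this sketch.
    """
    if warning_fp not in fingerprints(trusted_pubkey_line):
        return "mismatch", []
    trusted_blob = trusted_pubkey_line.split()[1]
    stale = []
    for number, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 3 and host in fields[0].split(","):
            if fields[2] != trusted_blob:
                stale.append(number)
    return "rotated", stale

def constructed_key(seed):
    """Build a well-formed ssh-rsa blob from seed bytes. Constructed, NOT a real key."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    modulus = b"\x00" + hashlib.sha256(seed).digest() * 8
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode()

# Constructed sample data: the key the client remembered, the key now on the
# server (as read at its console), and the client's known_hosts file.
OLD_KEY = constructed_key(b"key before the change")
NEW_KEY = constructed_key(b"key after the change")
KNOWN_HOSTS = "beco.poli.br,192.0.2.10 " + OLD_KEY + "\n"

if __name__ == "__main__":
    offered = fingerprints(NEW_KEY)[0]  # stands in for the fingerprint in the warning
    print(classify(offered, NEW_KEY, KNOWN_HOSTS, "beco.poli.br"))
    unknown = fingerprints(constructed_key(b"unknown third party"))[0]
    print(classify(unknown, NEW_KEY, KNOWN_HOSTS, "beco.poli.br"))
```

On the server console, `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` prints the fingerprint to compare (current OpenSSH needs `-E md5` for the colon-separated form). After a confirmed legitimate change, `ssh-keygen -R beco.poli.br` removes only that host's stale entry instead of deleting the whole file.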