I rolled out a new /etc/ssh/sshd_config with Puppet on an Ubuntu 12.04 test server. The config was exactly the same as the previous config, except it had removed the following line:
HostKey /etc/ssh/ssh_host_ecdsa_key
I noticed I was getting a lot of similar but varying errors trying to connect to the box starting then, such as: "The RSA host key for %hostname% has changed, and the key for the corresponding IP address %ipaddress% is unchanged."
I assumed this was because my computer was previously using the ECDSA key by default and that was unavailable now. So I added that line back to sshd_config and restarted SSH.
It did not resolve the issue entirely, and I am running into constant problems ever since then. I'll be able to connect to the server just fine several times, maybe even for several days in a row. Then all of a sudden I start getting errors that the host key has changed and the server stops accepting my public key for authentication.
It always seems that once I mess around with it for a little while and connect from a different location, I will suddenly be able to connect with my public key again and I no longer get the error about a possible man-in-the-middle attack.
I tried regenerating all 3 host keys several days ago (removed them and ran dpkg-reconfigure openssh-server, which regenerated them). As expected I had to remove the old keys and accept the new ones before I could connect. I thought maybe it was fixed then, but the problem is now back.
Nothing has modified any of the host keys in /etc/ssh/ since I regenerated them last, so what could possibly cause me to frequently not be able to connect, have my public key not work, then eventually accept the new key and have things start working fine again for a while?
When things are not working (when I get the error about the host key changing, and then the server stops accepting my public key), nothing is written to the server's /var/log/auth.log. This leads me to think that maybe it's somehow hitting a different machine sometimes, but I don't know how that's possible either as the DNS entry is correct and always returns the same IP address.
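The warning quoted in the question ("host key for hostname has changed, and the key for the corresponding IP address is unchanged") is produced by comparing the key the server presents against two separate known_hosts entries: the one stored under the hostname and the one stored under the IP. The following is an added example, not code from the question or from OpenSSH, that reproduces that classification offline so the different cases can be told apart. The known_hosts text, the host/IP names and the key blobs are all constructed for the example; real keys would be the base64 field of an ssh_host_*_key.pub file or of ssh-keyscan output.

```python
"""Classify an SSH host-key check the way OpenSSH's known_hosts lookup does.

Added example (not from the original post). All input is constructed:
a small known_hosts file and a key blob the server is assumed to present.
No network access is performed.
"""
import base64
import hashlib


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in OpenSSH's display form (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> fingerprint.

    Comment lines and hashed entries (|1|...) are skipped; a comma-separated
    host field such as 'host,10.0.0.5' (what ssh writes on first connect)
    yields one entry per name. @cert-authority / @revoked markers are dropped.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            line = line.split(None, 1)[1]
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        hosts, keytype, key_b64 = fields[0], fields[1], fields[2]
        for host in hosts.split(","):
            entries[(host, keytype)] = fingerprint(key_b64)
    return entries


def classify(entries: dict, hostname: str, ip: str, keytype: str,
             presented_b64: str) -> str:
    """Return a short verdict for the key the server presented.

    The hostname entry is authoritative; the IP entry is only used to
    qualify a mismatch, which is what produces the 'IP key unchanged'
    wording seen in the question.
    """
    fp = fingerprint(presented_b64)
    by_name = entries.get((hostname, keytype))
    by_ip = entries.get((ip, keytype))
    if by_name is None and by_ip is None:
        return "unknown host: key would be added on first connect"
    if by_name is None:
        return "match (IP entry only)" if by_ip == fp else "IP key changed (hostname unknown)"
    if by_name == fp:
        if by_ip is not None and by_ip != fp:
            return "match by hostname, but IP entry differs"
        return "match"
    if by_ip == fp:
        # Hostname entry is stale but the IP entry matches: the name has been
        # seen with a different key before, e.g. after a key regeneration.
        return "host key changed, IP key unchanged"
    if by_ip is None:
        return "host key changed (no IP entry)"
    return "host key changed, IP key also changed"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed key blobs standing in for real public-key material.
KEY_OLD = _b64(b"constructed-rsa-key-old")
KEY_NEW = _b64(b"constructed-rsa-key-new")
KEY_OTHER = _b64(b"constructed-rsa-key-other")

# Constructed known_hosts: the hostname still has the old key, the IP has
# the new one, and a hashed entry is present to show it is ignored.
SAMPLE_KNOWN_HOSTS = f"""# constructed sample, not a real file
testbox.example.com ssh-rsa {KEY_OLD}
10.0.0.5 ssh-rsa {KEY_NEW}
|1|hashed-entry-is-skipped= ssh-rsa {KEY_OTHER}
"""


def demo() -> str:
    """Verdict for the scenario in the question: server presents the new key."""
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    return classify(entries, "testbox.example.com", "10.0.0.5", "ssh-rsa", KEY_NEW)


if __name__ == "__main__":
    print(demo())
```

To use this against a real client, paste the relevant lines of ~/.ssh/known_hosts in place of the sample and the base64 field of the server's ssh_host_rsa_key.pub (or of ssh-keyscan -t rsa hostname) as the presented key; a "host key changed, IP key unchanged" verdict with a key that matches the server's own file means the stale entry is the hostname line on the client, while a presented key that matches neither the client's entries nor the server's key file means the connection reached a different machine.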