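Introduction
This document describes how to resolve an SSH host key verification failure.
Background
This error occurs when a user tries to connect over SSH to the DNA Center gateway after the DNA Center image has been upgraded. So far, the problem has been seen only with macOS users.
Description
After DNA Center is upgraded to a new image, the local user's SSH key registry file still holds the SSH key that was used to connect to the previous DNA Center grapevine build. This is the error: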
MPAVLOVI-M-902T:~ mpavlovi$ ssh grapevine@172.16.21.86 -p 2222
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:+dnn+NRIXTDMmgpUNbeqdjDQscabBBWmC35F01ZFnLs.
Please contact your system administrator.
Add correct host key in /Users/mpavlovi/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/mpavlovi/.ssh/known_hosts:16
ECDSA host key for [172.16.21.86]:2222 has changed and you have requested strict checking.
Host key verification failed.
MPAVLOVI-M-902T:~ mpavlovi$
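Solution
To resolve this problem, delete the previous grapevine SSH key from the registry file known_hosts in the local directory ~/.ssh/.
To delete the previous SSH key, open a terminal and open the file in a text editor of your choice: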
MPAVLOVI-M-902T:~ mpavlovi$ vim ~/.ssh/known_hosts
Delete the line that contains the DNA Center IP address (here, the [172.16.21.86]:2222 entry):
[10.197.218.12]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKkToWAUheuqt876tDOrWwDSH5HbL0TLMw5MAsOsLqCnb3jRn5oxIJn2yECB1HPamglO/m79o2W8mAGAjypyFkw=
[172.16.21.86]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKz4ObQLQE7VEHZLOYL0t6k8aqbvFGIFDXsVaTguchsSNyGScFa6PLJKCZj/S7YIultUTYH94NZv4pCl509svvk=
Note: Modifying other keys can affect your SSH access to other devices/sites. Delete only the necessary SSH key.
[10.197.218.12]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKkToWAUheuqt876tDOrWwDSH5HbL0TLMw5MAsOsLqCnb3jRn5oxIJn2yECB1HPamglO/m79o2W8mAGAjypyFkw=
Save the changes in the text editor and try again to connect over SSH to the DNA Center grapevine. When prompted, type the word "yes".
MPAVLOVI-M-902T:~ mpavlovi$ ssh grapevine@172.16.21.86 -p 2222
The authenticity of host '[172.16.21.86]:2222 ([172.16.21.86]:2222)' can't be established.
ECDSA key fingerprint is SHA256:+dnn+NRIXTDMmgpUNbeqdjDQscabBBWmC35F01ZFnLs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.21.86]:2222' (ECDSA) to the list of known hosts.
Enter the password for the grapevine credentials.
grapevine@172.16.21.86's password:
Welcome to the Cisco APIC-EM Appliance - Powered by Grapevine
System information as of Wed Jul 19 22:20:17 UTC 2017
System load: 1.02 Users logged in: 1
Usage of /: 11.7% of 365.80GB IP address for eth0: 12.99.1.2
Memory usage: 41% IP address for eth1: 172.16.21.86
Swap usage: 0% IP address for grape-br0: 169.254.0.1
Processes: 695
APIC-EM Version: 2.0.0.3757
Grapevine Version: 2.0.0.3757.dev1065-ge50d0c2
Last login: Wed Jul 19 21:45:22 2017 from 10.41.49.41
(grapevine)
[Wed Jul 19 22:20:18 UTC] grapevine@12.99.1.2 (grapevine-root-1) ~
$
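
On a live system, `ssh-keygen -R '[172.16.21.86]:2222'` performs the removal described in the Solution section. The added example below (not part of the original document) shows the same exact-match removal in portable shell on a constructed file, so an entry for the same IP on another port is left alone. The function name remove_known_host, the sample file and its placeholder key blobs are assumptions.

```shell
#!/bin/sh
# Added example, not from the original document.
# remove_known_host HOST PORT FILE
#   Deletes only plain-text entries for [HOST]:PORT (bare HOST for port 22),
#   keeps the original as FILE.old and prints how many lines were removed.
#   Hashed entries ("|1|...") are not matched by this sketch.
remove_known_host() {
    rk_file=$3
    if [ "$2" = 22 ]; then rk_want=$1; else rk_want="[$1]:$2"; fi
    cp -p "$rk_file" "$rk_file.old" || return 1
    : > "$rk_file.new"
    rk_count=$(awk -v want="$rk_want" -v out="$rk_file.new" '
        /^[ \t]*(#|$)/ { print > out; next }   # keep comments and blank lines
        {
            f = ($1 ~ /^@/) ? 2 : 1            # skip @cert-authority/@revoked marker
            n = split($f, names, ",")          # host field may list several names
            hit = 0
            for (i = 1; i <= n; i++) if (names[i] == want) hit = 1
            if (hit) removed++; else print > out
        }
        END { print removed + 0 }
    ' "$rk_file") || return 1
    # Overwrite in place so the file keeps its owner and mode.
    cat "$rk_file.new" > "$rk_file" && rm -f "$rk_file.new"
    echo "$rk_count"
}

# Demo on a constructed file; the key blobs are placeholders, not real keys.
demo_dir=$(mktemp -d)
cat > "$demo_dir/known_hosts" <<'EOF'
# constructed sample
[10.197.218.12]:2222 ecdsa-sha2-nistp256 CONSTRUCTEDKEYBLOB1
[172.16.21.86]:2222 ecdsa-sha2-nistp256 CONSTRUCTEDKEYBLOB2
172.16.21.86 ssh-ed25519 CONSTRUCTEDKEYBLOB3
EOF
removed=$(remove_known_host 172.16.21.86 2222 "$demo_dir/known_hosts")
echo "removed $removed line(s); port-22 entry and other hosts kept:"
cat "$demo_dir/known_hosts"
```

Before answering yes at the reconnect prompt, compare the fingerprint shown with one obtained from the upgraded appliance over a trusted channel.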