這個目錄會包含:id_rsa(本機私鑰) ,id_rsa.pub(本機公鑰) ,known_hosts,authorized_keys ## 1. known_hosts ssh會把你每個你訪問過計算機的公鑰(public key)都記錄在自己~/.ssh/known_hosts,**也就是說這個文件存放的是別人的公鑰**. 當下次訪問相同計算機時，OpenSSH會核對公鑰。如果公鑰不同，OpenSSH會發出警告， 避免你受到DNS Hijack之類的攻擊。 有時候需要SSH登陸到別的Linux主機上去，但有時候SSH登陸會被禁止，并彈出如下類似提示： ``` @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed.The fingerprint for the RSA key sent by the remote host is36:68:a6:e6:43:34:6b:82:d7:f4:df:1f:c2:e7:37:cc .Please contact your system administrator.Add correct host key in /u/xlian008/.ssh/known_hosts to get rid of this message.Offending key in /u/xlian008/.ssh/known_hosts:2RSA host key for 135.1.35.130 has changed and you have requested strict checking.Host key verification failed. ``` ### 1.1 問題處理 #### 1.1.1 直接刪除文件 rm -rf ~/.ssh/known_hosts ++++++++++++++++++ 優點：干凈利索 缺點：把其他正確的公鑰信息也刪除，下次鏈接要全部重新經過認證 #### 1.1.2 只刪除對應ip的公鑰信息 vi ~/.ssh/known_hosts 刪除對應ip的相關rsa信息（本例可知刪除53行信息即可） ++++++++++++++++++ 優點：其他正確的公鑰信息保留 缺點：還要vi，還要找到對應信息，稍微優點繁瑣 #### 1.1.3 清除舊的公鑰信息 ssh-keygen -R 192.168.56.12 優點：快、穩、狠 缺點：沒有缺點 ``` root@ubuntu02:~/.ssh# cat known_hosts |1|stafc+a5GvOvErjqMaoyAqq3d0o=|/JmKTswazxvKn4Sm/pIh8XRApDE= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIpePogNjnLvOCG9TiB2CN/t4ElLRT+nsQ3crQvSsiShQUEeTT2AWQ3w5IERnxObzu9x8AFeKLYUxGKE6H8Vd+M= root@ubuntu02:~/.ssh# root@ubuntu02:~/.ssh# root@ubuntu02:~/.ssh# root@ubuntu02:~/.ssh# root@ubuntu02:~/.ssh# ssh-keygen -R 192.168.56.12 # Host 192.168.56.12 found: line 1 type ECDSA /root/.ssh/known_hosts updated. Original contents retained as /root/.ssh/known_hosts.old root@ubuntu02:~/.ssh# cat known_hosts # 沒有le ``` 此時,再去ssh到 ``` root@ubuntu02:~/.ssh# ssh 192.168.56.12 The authenticity of host '192.168.56.12 (192.168.56.12)' can't be established. ECDSA key fingerprint is 23:c8:3f:eb:59:1f:a7:3c:b8:26:0c:f9:14:d3:3c:54. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.56.12' (ECDSA) to the list of known hosts. Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64) * Documentation: https://help.ubuntu.com/ System information as of Wed Nov 28 13:49:57 CST 2018 System load: 0.0 Processes: 101 Usage of /: 18.7% of 8.73GB Users logged in: 1 Memory usage: 7% IP address for eth0: 10.0.2.15 Swap usage: 0% IP address for eth1: 192.168.56.12 Graph this data and manage this system at: https://landscape.canonical.com/ New release '16.04.5 LTS' available. Run 'do-release-upgrade' to upgrade to it. Last login: Wed Nov 28 13:49:57 2018 from 192.168.56.11 root@ubuntu03:~# logout Connection to 192.168.56.12 closed. root@ubuntu02:~/.ssh# cat known_hosts |1|pnWOoZwi7vzWCvk+CEL3syEgjn4=|HIKt7r+IpzvhGn7AG+graSJ3Hto= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIpePogNjnLvOCG9TiB2CN/t4ElLRT+nsQ3crQvSsiShQUEeTT2AWQ3w5IERnxObzu9x8AFeKLYUxGKE6H8Vd+M= ```