Can SSH from droplet but not locally

October 29, 2018
Linux Commands CentOS

What I’ve done:

  1. I rebuilt my droplet using the same key.
  2. Set up my server following this: https://www.digitalocean.com/community/tutorials/initial-server-setup-with-centos-7

What I’m trying to do:
I’m trying to log in locally using ssh user@xxx.xxx.xxx.xxx

The problem:
I get this error:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Just for the sake of trying, I used sudo and got this error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /var/root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /var/root/.ssh/known_hosts:1
ECDSA host key for xxx.xxx.xxx.xxx has changed and you have requested strict checking.
Host key verification failed.

I've tried:

My console sshd_config file has

PermitRootLogin yes

PasswordAuthentication yes - just noticed there's two in the file, both uncommented

#PubkeyAuthentication yes

Locally it's the same as above but just one PasswordAuthentication yes

My authorized keys has the key listed.
I can't run ssh-copy-id so I did it manually.
This is the error I get when I do so:

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: " ~/.ssh/id_rsa.pub"
The authenticity of host ' ' can't be established.
Are you sure you want to continue connecting (yes/no)? no
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
The authenticity of host ' ' can't be established.
ECDSA key fingerprint is 
Are you sure you want to continue connecting (yes/no)? no
/usr/bin/ssh-copy-id: ERROR: Host key verification failed.

ssh-keygen -R user@xxx.xxx.xxx.xxx

doesn't work either, this is the error I get:

Host user@xxx.xxx.xxx.xxx not found in ~/.ssh/known_hosts

If anyone can help, I would appreciate it very much as this is frustrating.

1 Answer

When you log in to a server for the first time with ssh-keys, it will ask you if you want to fingerprint that server and if you say yes, which you normally do without blinking, it will add that server to your known_hosts file.

This fingerprinting is to ensure that the server you “think” you are logging into is the actual server you logged into.

When you rebuilt the server it now has a new “fingerprint” but the one for your old server is still stored. So when you try to log in, those two items don’t match and as a security measure it alerts you and immediately logs you out.

The line to pay attention to is:

Add correct host key in /var/root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /var/root/.ssh/known_hosts:1

All you have to do is edit your /var/root/.ssh/known_hosts file and remove the first line in that file. Then attempt to log in again, answer yes at the prompt, a new fingerprint will be created and you will be able to log in to the server.
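
An added example (not part of the answer above or of any DigitalOcean tooling) that models the fix: drop the stale known_hosts entries for the rebuilt host, then compare the new key's fingerprint with one read out of band before answering yes. It assumes that value comes from running `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` on the droplet console; the address, key blobs and function names are constructed for illustration. Entries are matched by host name only, so a `user@` prefix matches nothing.

```python
import base64, hashlib, hmac

def host_matches(field, host):
    """True if a known_hosts host field names `host` (plain or hashed form)."""
    if field.startswith("|1|"):  # HashKnownHosts form: |1|salt|HMAC-SHA1(salt, host)
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")  # plain form: host1,host2,...

def remove_host(lines, host):
    """Return (kept_lines, removed_line_numbers) for entries naming `host`."""
    kept, removed = [], []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if fields and not line.startswith("#") and host_matches(fields[0], host):
            removed.append(number)
        else:
            kept.append(line)
    return kept, removed

def fingerprint(key_b64):
    """Fingerprint as ssh prints it: SHA256:<unpadded base64 of SHA-256(key blob)>."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def safe_to_accept(offered_key_b64, console_fingerprint):
    """True only if the offered key matches the fingerprint read on the console."""
    return hmac.compare_digest(fingerprint(offered_key_b64), console_fingerprint)

# Constructed sample data: documentation address, dummy bytes instead of real keys.
HOST = "203.0.113.10"
OLD_KEY = base64.b64encode(b"constructed-old-host-key").decode()
NEW_KEY = base64.b64encode(b"constructed-new-host-key").decode()
SALT = b"constructed-salt-20b"
MAC = hmac.new(SALT, HOST.encode(), hashlib.sha1).digest()
HASHED = "|1|" + base64.b64encode(SALT).decode() + "|" + base64.b64encode(MAC).decode()
KNOWN_HOSTS = [
    f"{HOST} ecdsa-sha2-nistp256 {OLD_KEY}",    # line 1: stale key from before the rebuild
    f"other.example ssh-ed25519 {OLD_KEY}",     # unrelated host, must survive
    f"{HASHED} ecdsa-sha2-nistp256 {OLD_KEY}",  # same host stored in hashed form
]

if __name__ == "__main__":
    print("removed lines:", remove_host(KNOWN_HOSTS, HOST)[1])
    print("with user@ prefix:", remove_host(KNOWN_HOSTS, "user@" + HOST)[1])
    print("new key fingerprint:", fingerprint(NEW_KEY))
    print("matches console value:", safe_to_accept(NEW_KEY, fingerprint(NEW_KEY)))
```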
