When connecting through an SSH connection policy, users sometimes receive error messages stating that host key verification failed, or warning of a possible man-in-the-middle attack.
A DNS load balancer routes SSH connections to different SPS appliances under a single hostname, resolving that hostname to different IP addresses.
The first connection adds the host key associated with the hostname to the client's known_hosts file, and the connection succeeds.
A subsequent connection routed to a different appliance fails if the client-side host keys offered are not identical across every applicable appliance and connection policy, because the key presented no longer matches the entry stored for that hostname.
1. Create a new SSH host key to be used on all of the SPS appliances and connection policies. The most common way is the ssh-keygen CLI command or the PuTTYgen application. Use the algorithm and key size required by company policy.
2. Upload this new private key to the setting "SSH Control > Connections — Client side host key settings" on the necessary connection policies on the Central Management node. The change should be replicated to the Managed Hosts automatically soon after.
3. Remove the old entry for the hostname from the known_hosts file and accept the new expected key.
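The following is an added example, not One Identity's code, showing what step 3 does to the client's known_hosts file once the shared host key from steps 1 and 2 is in place: it drops every stale entry for the load-balanced hostname (both plain and HashKnownHosts-style hashed entries, which a simple text search would miss) and appends the new key only after its SHA256 fingerprint matches a value confirmed out of band, so the client never silently trusts whatever key it is offered next. The hostname, key bytes and salt are constructed placeholders. On a real client the equivalent OpenSSH commands are `ssh-keygen -R <hostname>` to remove the old entries and `ssh-keygen -lf <keyfile>` to print the fingerprint of the new key for comparison.

```python
"""Rotate the known_hosts entry for a load-balanced SPS hostname (added example)."""
import base64
import hashlib
import hmac
from typing import List

SPS_HOSTNAME = "sps.example.internal"  # hypothetical load-balanced hostname


def ed25519_pubkey(key_bytes: bytes) -> str:
    """Encode 32 raw bytes as an OpenSSH 'ssh-ed25519 <base64 blob>' string."""
    if len(key_bytes) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + (32).to_bytes(4, "big") + key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(pubkey: str) -> str:
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    blob = base64.b64decode(pubkey.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_fingerprint(pubkey: str, expected: str) -> bool:
    """Compare the key's fingerprint with one obtained out of band (e.g. from the SPS admin)."""
    return hmac.compare_digest(fingerprint(pubkey), expected)


def hashed_host_field(hostname: str, salt: bytes) -> str:
    """Build the HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_field_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain list or hashed) covers hostname."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    # Plain entries list hosts/IPs separated by commas; wildcards and
    # [host]:port forms are not handled in this example.
    return hostname in host_field.split(",")


def remove_host(lines: List[str], hostname: str) -> List[str]:
    """Drop every entry for hostname, whether plain or hashed; keep everything else."""
    kept = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        # Lines may start with a marker such as @cert-authority or @revoked.
        host_field = fields[1] if fields[0].startswith("@") else fields[0]
        if not host_field_matches(host_field, hostname):
            kept.append(line)
    return kept


def accept_new_key(lines: List[str], hostname: str, pubkey: str, expected_fp: str) -> List[str]:
    """Replace the stale entries with the new shared key, but only once its
    fingerprint matches the value confirmed out of band."""
    if not verify_fingerprint(pubkey, expected_fp):
        raise ValueError(f"fingerprint mismatch for {hostname}: refusing to trust {fingerprint(pubkey)}")
    return remove_host(lines, hostname) + [f"{hostname} {pubkey}"]


# Constructed sample data (placeholder bytes, not real appliance keys).
OLD_KEY = ed25519_pubkey(bytes(range(32)))
NEW_KEY = ed25519_pubkey(bytes(range(32, 64)))
OTHER_KEY = ed25519_pubkey(bytes(range(64, 96)))
SALT = bytes(range(100, 120))  # 20-byte salt, the size OpenSSH uses


def sample_known_hosts() -> List[str]:
    """A client's known_hosts after connecting to two appliances behind one name."""
    return [
        f"{SPS_HOSTNAME},10.0.0.11 {OLD_KEY}",                 # plain entry
        f"{hashed_host_field(SPS_HOSTNAME, SALT)} {OLD_KEY}",  # HashKnownHosts entry
        f"bastion.example.internal {OTHER_KEY}",               # unrelated host, must survive
    ]


if __name__ == "__main__":
    expected = fingerprint(NEW_KEY)  # in practice: the fingerprint the SPS admin published
    for line in accept_new_key(sample_known_hosts(), SPS_HOSTNAME, NEW_KEY, expected):
        print(line)
```

The refusal on fingerprint mismatch is the point of the exercise: the original warning exists precisely so that a changed key is investigated, and replacing it should be a deliberate act tied to the key you uploaded in step 2 rather than a blanket "accept whatever is offered".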