I just tried to ssh from Puma to Gibbon (as root) and got the following:
[root@puma ~] ssh gibbon
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
63:20:c2:e9:53:95:ab:f8:d3:d9:50:76:16:60:cb:06.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /etc/ssh/ssh_known_hosts:23
RSA host key for gibbon has changed and you have requested strict checking.
Host key verification failed.
[root@puma ~]
Notice that the ssh completely failed, and you have to edit a file (in this case the system-wide /etc/ssh/ssh_known_hosts, which ordinary users can’t edit) in order to fix the problem. The script /usr/network/scripts/centos6.3-client-part2.script is the script that pushes out the correct ssh keys for a re-installed client. (Maybe we should rename that script?) It needs to be run on tempest, because the ssh keys live on that machine under /root. (They should be protected so that inspired hackers don’t modify them to perpetrate an actual man-in-the-middle attack.)
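As an added example (not part of the original post and not the centos6.3-client-part2.script itself), the following Python reproduces the check that failed above: it parses a known_hosts file, reports the offending line the way ssh does, prints the legacy MD5 colon fingerprints so the stored and offered keys can be compared with the key that was actually pushed from tempest, handles the hashed "|1|salt|hash" host fields that HashKnownHosts produces, and replaces a stale entry the way "ssh-keygen -R host" followed by an append would. The key blobs, the ssh_known_hosts contents, puma's address 192.0.2.10 and all function names are constructed for this example.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, NamedTuple


class HostKeyEntry(NamedTuple):
    lineno: int    # 1-based, so a mismatch is reported like ssh's "ssh_known_hosts:23"
    hosts: str     # raw host field: "gibbon,149.130.136.34" or a hashed "|1|salt|hash"
    keytype: str   # e.g. "ssh-rsa"
    key_b64: str   # base64-encoded key blob


def parse_known_hosts(text: str) -> List[HostKeyEntry]:
    """Split known_hosts text into entries. Blank lines, comments and @marker
    lines (@cert-authority, @revoked) are skipped to keep the example short."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.strip().split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        entries.append(HostKeyEntry(lineno, fields[0], fields[1], fields[2]))
    return entries


def md5_fingerprint(key_b64: str) -> str:
    """Legacy OpenSSH MD5 fingerprint (aa:bb:cc:...) of a key blob, the format
    shown in the warning above and by `ssh-keygen -l -E md5`."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def hashed_host_field(host: str, salt: bytes) -> str:
    """The "|1|salt|hash" host field OpenSSH writes with HashKnownHosts:
    HMAC-SHA1 of the hostname keyed with a random salt, both base64."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def entry_matches_host(entry: HostKeyEntry, host: str) -> bool:
    """True if this entry is for `host`, whether plain, comma-separated, or hashed."""
    if entry.hosts.startswith("|1|"):
        _, _, salt_b64, _ = entry.hosts.split("|")
        expected = hashed_host_field(host, base64.b64decode(salt_b64))
        return hmac.compare_digest(entry.hosts.encode(), expected.encode())
    return host in entry.hosts.split(",")


def check_host_key(known_hosts: str, host: str, keytype: str, key_b64: str) -> Dict[str, object]:
    """Mirror ssh's strict host key check: 'match' if any entry for the host
    carries this key, 'mismatch' (with the offending line and both
    fingerprints) if entries exist but none match, else 'unknown'."""
    candidates = [e for e in parse_known_hosts(known_hosts)
                  if e.keytype == keytype and entry_matches_host(e, host)]
    for e in candidates:
        if hmac.compare_digest(e.key_b64, key_b64):
            return {"status": "match", "line": e.lineno}
    if candidates:
        e = candidates[0]
        return {"status": "mismatch", "line": e.lineno,
                "stored": md5_fingerprint(e.key_b64), "offered": md5_fingerprint(key_b64)}
    return {"status": "unknown"}


def replace_host_key(known_hosts: str, host: str, keytype: str, key_b64: str) -> str:
    """What the client-part2 script does by hand: drop the stale line(s) for
    `host` (as `ssh-keygen -R host` would) and append the key that was pushed
    to the client, so only a key we chose ourselves is trusted."""
    stale = {e.lineno for e in parse_known_hosts(known_hosts)
             if e.keytype == keytype and entry_matches_host(e, host)}
    kept = [line for n, line in enumerate(known_hosts.splitlines(), start=1) if n not in stale]
    kept.append("%s %s %s" % (host, keytype, key_b64))
    return "\n".join(kept) + "\n"


# Constructed sample data (not real keys): an ssh-rsa wire blob begins with the
# length-prefixed string "ssh-rsa"; everything after it here is filler.
def _blob(filler: bytes) -> str:
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + filler).decode()


OLD_GIBBON_KEY = _blob(b"\x00\x00\x00\x03\x01\x00\x01\x00\x00\x00\x04old!")  # key before the reinstall
NEW_GIBBON_KEY = _blob(b"\x00\x00\x00\x03\x01\x00\x01\x00\x00\x00\x04new!")  # key pushed from tempest
PUMA_KEY = _blob(b"\x00\x00\x00\x03\x01\x00\x01\x00\x00\x00\x04puma")

# Constructed stand-in for /etc/ssh/ssh_known_hosts; puma's address is a placeholder.
SYSTEM_KNOWN_HOSTS = (
    "# constructed sample of /etc/ssh/ssh_known_hosts\n"
    "puma,192.0.2.10 ssh-rsa %s\n"
    "gibbon,149.130.136.34 ssh-rsa %s\n"
) % (PUMA_KEY, OLD_GIBBON_KEY)

if __name__ == "__main__":
    before = check_host_key(SYSTEM_KNOWN_HOSTS, "gibbon", "ssh-rsa", NEW_GIBBON_KEY)
    print(before)   # status 'mismatch' at line 3; stored and offered fingerprints differ
    fixed = replace_host_key(SYSTEM_KNOWN_HOSTS, "gibbon", "ssh-rsa", NEW_GIBBON_KEY)
    print(check_host_key(fixed, "gibbon", "ssh-rsa", NEW_GIBBON_KEY))   # status 'match'
```

The useful habit this encodes is the one the warning asks for: before replacing an entry, compare the "offered" fingerprint with the fingerprint of the key you pushed yourself (ssh-keygen -l on the copy under /root on tempest), rather than answering "yes" to whatever the remote host presents.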
Note that since “allow-root-connect” works by ssh’ing to the client machine, invoking that command near the beginning of the client-part2 script will fail with the same host key error, before the script has pushed the new keys. So we’ll have to re-think that idea. In any event, I’m going to use the un-modified client-part2 script:
[root@tempest ~] /usr/network/scripts/centos6.3-client-part2.script gibbon
Modify known hosts to comment out client pub key
delete root's known hosts, to avoid trouble
copying ssh keys to client. We *expect* scp to complain, so just say 'yes'
The authenticity of host 'gibbon (149.130.136.34)' can't be established.
RSA key fingerprint is 63:20:c2:e9:53:95:ab:f8:d3:d9:50:76:16:60:cb:06.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'gibbon,149.130.136.34' (RSA) to the list of known hosts.
root@gibbon's password:
moduli                  100%  130KB 129.7KB/s   00:00
ssh_host_dsa_key        100%  668     0.7KB/s   00:00
ssh_host_dsa_key.pub    100%  590     0.6KB/s   00:01
ssh_host_key            100%  963     0.9KB/s   00:00
ssh_host_key.pub        100%  627     0.6KB/s   00:00
ssh_host_rsa_key        100% 1675     1.6KB/s   00:00
ssh_host_rsa_key.pub    100%  382     0.4KB/s   00:00
restoring known hosts files
delete root's known hosts file after accepting key
root@gibbon's password:
Stopping sshd:                                 [  OK  ]
Starting sshd:                                 [  OK  ]
Unmounting NFS filesystems:                    [  OK  ]
Mounting NFS filesystems:                      [  OK  ]
Mounting other filesystems:                    [  OK  ]
root@gibbon's password:
[root@tempest ~]
Okay, that’s normal behavior. Now, we should be able to ssh to gibbon:
[root@tempest ~] ssh gibbon
root@gibbon's password:
[root@gibbon ~]
Good, but we don’t want to be asked for a password, so one last step:
[root@tempest ~] allow-root-connect gibbon
root@gibbon's password:
mkdir: cannot create directory `.ssh': File exists
root@gibbon's password:
[root@tempest ~]
And make sure that worked:
[root@tempest ~] ssh gibbon
Last login: Wed Sep 26 10:42:35 2012 from tempest.wellesley.edu
[root@gibbon ~]
Good! We’re done. I’ve modified the client-part2 script to run allow-root-connect at the end. We’ll have to type the client root password three times in all. I don’t see any way to improve that, but you’re welcome to try.