How can I use public keys in SSH to login without a password?
Last updated 01/15/2019 3:16 PM

If the public key is placed in an authorization file, ssh will try to match the public key in that file to the private key stored in the .ssh directory of your home directory. If they match, you log in without a password. If they do not match, you are prompted for a password (but if you gave the key a passphrase, you will be asked for that).

To enable this, place the contents of the file ~user/.ssh/id_rsa.pub on the originating machine into a file on the destination machine called ~user/.ssh/known_hosts

Security & Machine fingerprints

The known_hosts file is the global host key database. Each machine is issued a key pair (using ssh-keygen). When you log into that machine and accept the fingerprint of the public key presented to you, the machine's public key is stored in your personal known_hosts file.

If there is no information on a host in your known_hosts file, then you will get this message on logging in:

% ssh hostname
The authenticity of host 'hostname (141.213.XX.XXX)' can't be established.
RSA key fingerprint is e9:30:2a:42:c1:73:44:6a:c9:05:ef:4f:6b:42:c5:6c.
Are you sure you want to continue connecting (yes/no)?

 
Host key verification failed.

and the session will not continue.

If you notice a mismatch between the listed fingerprint and the fingerprint offered at login, please email help@eecs.umich.edu immediately.

If there is a mismatch between the machine fingerprint in your known_hosts file and the fingerprint offered by the machine, then you will get this message when you try to log in:

% ssh hostname
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for hostname has changed,
and the key for the according IP address 141.213.XX.XXX
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
6c:c1:ac:ad:77:c4:33:6e:d5:d5:3a:ce:52:60:19:26.
Please contact your system administrator.
Add correct host key in ~user/.ssh/known_hosts to get rid of this message.
Offending key in ~user/.ssh/known_hosts:1
RSA host key for hostname has changed and you have requested strict checking.
Host key verification failed.

You need to check the current machine fingerprints at this site and verify that they match the fingerprint being offered while logging in. If they do match, then the fingerprint has been changed, and you need to remove the old fingerprint from your known_hosts file using an editor. Then you can log in again, answering "yes" when it asks if you want to continue.
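
The fingerprint comparison described above can be scripted. The following is an added example, not part of the original knowledge-base page: it computes the fingerprints of the host keys stored in a known_hosts file and compares them with a published fingerprint. The function names and sample data are constructed for illustration, and it goes beyond the page by also accepting SHA256 fingerprints and hashed host names.

```python
import base64
import hashlib
import hmac

# Constructed sample data: an "ssh-rsa" type prefix plus filler bytes, not a real host key.
SAMPLE_KEY = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed filler").decode()
SAMPLE_KNOWN_HOSTS = "# constructed example\nhostname,192.0.2.10 ssh-rsa " + SAMPLE_KEY + "\n"

def fingerprints(key_b64):
    """Return (MD5 colon-hex, SHA256 base64) fingerprints of a base64 public key blob."""
    blob = base64.b64decode(key_b64)
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha_fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, sha_fp

def host_matches(pattern, host):
    """Match one entry of the known_hosts host field, plain or hashed (|1|salt|hash)."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return pattern == host  # wildcard and negated patterns are not handled here

def check_host(known_hosts_text, host, published_fp):
    """Return 'unknown', 'match' or 'mismatch' for host against a published fingerprint."""
    fp = published_fp.strip()
    if fp.startswith("MD5:"):
        fp = fp[4:]  # newer ssh-keygen output prefixes MD5 fingerprints with "MD5:"
    result = "unknown"
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # skip blanks, comments and @cert-authority/@revoked marker lines
        if not any(host_matches(p, host) for p in fields[0].split(",")):
            continue
        if fp in fingerprints(fields[2]):
            return "match"
        result = "mismatch"  # a stored key for this host differs from the published one
    return result

if __name__ == "__main__":
    md5_fp, sha_fp = fingerprints(SAMPLE_KEY)
    print(check_host(SAMPLE_KNOWN_HOSTS, "hostname", md5_fp))      # stored key agrees
    print(check_host(SAMPLE_KNOWN_HOSTS, "hostname", "00:" * 15 + "00"))  # stored key differs
```

A "mismatch" result means the stored key does not correspond to the published fingerprint, so the entry should not be trusted until the discrepancy is explained.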

