
Thursday, January 07, 2016

Keep Your SSH Session ALIVE!!

Most of us have had those days where we have a bunch of windows open, ssh'd into multiple servers.  You get caught up working on one of those servers and forget about your other ssh sessions.  Or, if you are like me, you are using something like screen/tmux and have many sessions going at the same time that you want to keep alive.

Well, with the default ssh setup, there is a setting in your ssh_config file called "ServerAliveInterval".  Initially (at least on my system) it is commented out and also has a value of zero (0).  

In order to keep your sessions alive indefinitely, you will need to uncomment that variable in the ssh_config file and set it to a value other than zero.  I have mine set to 60. 

What this variable does is tell ssh that it needs to send a packet across the wire to the connected server so that there is traffic, keeping the connection active, not letting it time out. 


So, to keep your sessions alive, you will need to make the changes as above. Also, do not forget that this change will only affect new connections made after you save the change.  If you have active connections, you will need to exit them and restart them.  If you don't, they will still be subject to the same issue you just corrected.

Go now, keep those connections alive! 

Wednesday, September 03, 2014

Remove Offending Host Key From known_hosts File

If you are managing a whole mess of servers, you may have occasions where the host key associated with a host, or hosts, changes.  This is typically due to re-installation.  Nonetheless, when you attempt to ssh to a host for which you previously had an entry in your ~/.ssh/known_hosts file, you will see a message similar to the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:811

RSA host key for has changed and you have requested strict checking.


Now, if I were accessing something over the internet via ssh and not on my corporate network, I would definitely need to be suspicious of this message.  You don't want to take chances with your security, so always be sure.  But if you are on your own corporate network and get this, check with your System Administrators; the machine might have been re-installed.

So, looking at the above output, you will see a lot of information.  Most of it doesn't matter.  What does matter for the sake of removing the key in question is the line that reads:

  Offending key in /home/user/.ssh/known_hosts:811

That line tells you exactly what line in the known_hosts file contains the entry you want to remove.  So, whether you are on Mac, Linux or Unix, this should work just the same. What you want to do is grab that number after the colon above, and run the following command:

  sed -i "811 d" /home/user/.ssh/known_hosts

The -i tells sed to edit the file in place.  Inside the double quotes you have the line number (grabbed from the output) and then a d, which deletes the line at the number you provide.  The only other thing on there is the full path to the known_hosts file.  If you're not sure where it is, it is shown on the line above the offending key line in the output above.  One caveat for Mac users: BSD sed, the version shipped with macOS, expects a backup suffix argument immediately after -i, so the command needs that extra argument there.

Now, you could easily put this into a quick bash script that takes one field of input (the line number) and then calls the command as shown.  Either way, I hope this helps with this common problem.


Update: Thanks to Attila-Mihaly Balazs, who let me know in a comment below that you can also use:

  ssh-keygen -f "/home/user/.ssh/known_hosts" -R offending-hosts-name

That will remove the entry for the offending host whose key has gone stale, with the added benefit of a backup of the known_hosts file, saved with a .old extension, just before the entry's removal.

If you find you do not need the backup, you can simply delete it.
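
The line-number approach from this post, wrapped in a small script. This is an added example, not code from the original post, and it is written in Python rather than bash; the function names are hypothetical. It reads the path and line number from the "Offending key in" line, keeps a .old copy the way ssh-keygen -R does, and returns the removed entry so you can see what was dropped.

```python
import re
import shutil

# Matches "Offending key in PATH:N" as in the output above, and also the
# "Offending RSA key in PATH:N" form that names the key type.
OFFENDING_RE = re.compile(r"^\s*Offending (?:\S+ )?key in (.+):(\d+)\s*$", re.MULTILINE)


def parse_offending(warning_text):
    """Return (known_hosts_path, line_number) from ssh's warning output."""
    match = OFFENDING_RE.search(warning_text)
    if match is None:
        raise ValueError("no 'Offending key in' line found")
    return match.group(1), int(match.group(2))


def remove_known_hosts_line(path, line_number):
    """Delete one 1-based line from path, keeping a copy in path + '.old'.

    Returns the removed entry so the caller can review it."""
    with open(path, "r", encoding="utf-8") as handle:
        lines = handle.readlines()
    if not 1 <= line_number <= len(lines):
        raise ValueError(f"{path} has {len(lines)} lines, cannot remove line {line_number}")
    shutil.copy2(path, path + ".old")  # backup before touching the file
    removed = lines.pop(line_number - 1)
    with open(path, "w", encoding="utf-8") as handle:
        handle.writelines(lines)
    return removed.rstrip("\n")


if __name__ == "__main__":
    import sys
    # Paste the saved warning text on stdin once the key change has been
    # confirmed with your administrators.
    target, number = parse_offending(sys.stdin.read())
    print("removed:", remove_known_hosts_line(target, number))
```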

Tuesday, December 21, 2010

ssh key validation

Well, the vacation wasn't as long as I feared. It looks like it's back, albeit not full force, but I do feel like writing code again. I guess I just needed to take a break.

At work I support an e-commerce system for a major, world-wide bank. When clients are renewing their keys (SSH, PGP, SSL), they must meet certain criteria in order to be accepted and put into the client's setup(s).

One of the more recent criteria changes is the requirement that all keys be of length 2048 or greater. That's easy to verify with SSL and PGP keys, but what about SSH? The group that is verifying the keys does not have access to a system where openssl is installed and thus is at a loss for SSH key validation. That is where my development bug kicked in again. I quickly whipped up a Perl script that validates the length of the ssh keys and tells them if they are acceptable or not.

After talking with my boss about how to get it to the group that does the official verifications, it was decided that he would try to get funding for a project (internally) to put it up on our intranet so the group can readily access and use it. Quite exciting for me really as I have not had any of my code hosted like that internally at this company and I am loving the idea.

I am just glad that I could so quickly produce a tool for my group to use for the verifications in the meantime. Happy Holidays, everyone!
 
Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.