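1. Problem description
While testing host connectivity with Ansible's ping module, the first ping reached host 192.168.18.80. That host then developed a problem, so it was taken offline and replaced with a new machine. Pinging 192.168.18.80 again produced the following error: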
[root@server ~]# ansible all -m ping
192.168.18.80 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\nIT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\r\nSomeone could be eavesdropping on you right now (man-in-the-middle attack)!\r\nIt is also possible that a host key has just been changed.\r\nThe fingerprint for the ECDSA key sent by the remote host is\nSHA256:zbEO7l6AqnhvNiZvVoy5KcYGHrn10CJw0ul169LeyHU.\r\nPlease contact your system administrator.\r\nAdd correct host key in /root/.ssh/known_hosts to get rid of this message.\r\nOffending ECDSA key in /root/.ssh/known_hosts:2\r\nPassword authentication is disabled to avoid man-in-the-middle attacks.\r\nKeyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.\r\nroot@192.168.18.80: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
Connecting to the host directly with ssh produced the following error:
[root@server ~]# ssh 192.168.18.80
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:zbEO7l6AqnhvNiZvVoy5KcYGHrn10CJw0ul169LeyHU.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:2
ECDSA host key for 192.168.18.80 has changed and you have requested strict checking.
Host key verification failed.
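2. Cause
Both errors report "host key has just been changed" and "REMOTE HOST IDENTIFICATION HAS CHANGED!".
That is, the identity of the remote host has changed.
By default, SSH stores the identity (host key) of each remote host it connects to in ~/.ssh/known_hosts. On every connection it compares the key the host presents with the stored entry; if they differ, it raises an error or warning. The purpose is to prevent man-in-the-middle attacks.
3. Solution
Delete the line for the corresponding IP from ~/.ssh/known_hosts, as shown below. The key change is expected here because the machine at 192.168.18.80 was replaced.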
[root@server ~]# vim ~/.ssh/known_hosts
192.168.18.99 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGEsej5rHzUx+GX65oiHKfOqDqFP2OdNhb0i80Hns0b2TObWTQMvscKjaryuh2oZbq+Esekhn98HXDNc30aEjzA=
192.168.18.199 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHhaJ4VDE3HxK1AcsHNac4MTjv4IUauTLazQDwgh6lhCIt0qN5Zjj0+rh+isAZYOXdBp4S8K5p/YkTXalmU0CHQ=
192.168.18.80 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHKpwuBsqrI1ogpSvLkJKJpKcXIO49sJJH3gJmykHWOp3cqfekCpXIppiEzhKslxgFEmd971DILXrpPguDEQ3UE=