SSH Settings
This page covers additional SSH configuration options needed to overcome errors encountered when connecting to some platforms.
Warning: Remote Host Identification Has Changed
When connecting to a device via SSH, Linux stores a fingerprint of the remote device. If this fingerprint changes, the user will be shown a warning and prevented from connecting. This is an important security feature when connecting to a remote server, but when connecting to an embedded system this check will often fail on each reboot. This is because many embedded devices are configured to use non-persistent root filesystems.
An example of the warning message is shown below:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:7NqoKGxzndzm9Yjnu5GY/DW5e0y4UXZckC8j4veAsO8.
Please contact your system administrator.
Add correct host key in /home/opencpi/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/opencpi/.ssh/known_hosts:1
RSA host key for 10.0.2.2 has changed and you have requested strict checking.
Host key verification failed.
Temporary Fix
A simple workaround to this issue is to just delete or edit the known_hosts
file that is storing the incorrect key for the remote system.
On the development host (the machine that you are connecting to the embedded device from), run one of the following commands:
# Either edit the file and delete just the line that
# starts with the IP address of the embedded device
nano ~/.ssh/known_hosts
# OR delete the whole file (not recommended)
rm -f ~/.ssh/known_hosts
Use ssh to connect to the remote device. The warning should no longer be seen. It is necessary to repeat this process each time the embedded device is rebooted.
Permanent Fix
To prevent the need to clear the known_hosts
file on each reboot, StrictHostKeyChecking
can be disabled for the embedded device.
On the development host (the machine that you are connecting to the embedded device from), run the following command:
Add the lines below to the configuration file, making sure to replace the IP address with the IP address of the embedded system you are connecting to.Note
You can use a host of *
to disable StrictHostKeyChecking
for all remote devices. This is not recommended.
Warning: No matching host key type found
When using newer Linux distributions to connect to older embedded systems, it is common to find that the key types supported by the embedded system are no longer allowed by the SSH client. The following warning is shown:
To solve this, on the development host (the machine that you are connecting to the embedded device from), run the following command:
Add the lines below to the configuration file, making sure to replace the IP address with the IP address of the embedded system you are connecting to.
Note
You can use a host of *
to update the supported algorithms for all remote devices. This is not recommended.