Legitimate reason for SSH key to change?

Discussion in 'Server Operation' started by tfunky, May 21, 2008.

  1. tfunky

    tfunky New Member

    I hope this isn't a stupid question, but I'm looking for a sanity check here.

    There is no legitimate reason for a SSH key to change is there?

    I have an application server that I keep getting disconnected from after a few seconds (sometime as few as 10 seconds, sometimes as long as 90 seconds...it's random)

    When I reconnect with Putty I'm warned that the key has changed...over and over and over.

    This machine isn't accessible from the outside world with the exception that the webapplication is loaded from a page on my primary web server via mod-proxy.

    Both machines are in the dmz, and I'm on the inside network.

    I haven't been in this box in several weeks prior to tonight, but it DID work just fine the last time I was in it.

    I thought that the only reason for a key to change is an IP address change (which hasn't occured) or a man-in-the-middle attack.

    The Man-in-the-middle attack seems to be a bit like a long shot with the box not actually being accessible from the outside world and only accessible via proxy...but it's not out of the realm of possibility.

    Are there other ways/things that can cause a ssh key to be changing all the time?

    I've tried uninstalling openssh-server, rm -rfv /etc/ssh , apt-get update, apt-get upgrade, apt-get install openssh-server in case the SSH software itself was corrupted, but I still have the same issue.

    Anyone have any ideas/suggestions?


  2. falko

    falko Super Moderator ISPConfig Developer

    I think you should check your server with rkhunter and chkrootkit to find out if there's malware installed.
  3. tfunky

    tfunky New Member

    just in case you need a REALLY good laugh at my expense....I tracked the problem down...

    The server I was connecting to was a vmware image...

    I had that same image booted up on 3 different servers.


    Once I had the 2 shut down that shouldn't have been running the problem cleared right up.

    Long story short, duplicate IP addresses can cause this problem :rolleyes:

Share This Page