Hi,
When I use the "m" command to jump from MHO to gateway, it shows permission denied.
And when I use the "m" command to jump from gateway to gateway, it shows some warning.
Is there any action I can take to correct this?
Thanks!
[Expert@MHO-140-1:0]# m 1 1
Moving to member 1 in security group 1 (198.51.101.1)
This system is for authorized use only.
admin@198.51.101.1: Permission denied (publickey).
[Expert@FW-ch01-01:0]# m 2
Moving to member 1_2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256: message-deleted .
Please contact your system administrator.
Add correct host key in /home/admin/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/admin/.ssh/known_hosts:1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
This system is for authorized use only.
Last login: Thu Jun 2 15:36:51 2022 from 192.0.2.1
Hi,
From MHO -> SecGrp - try to check /home/admin/.ssh/known_hosts on the MHO and delete the RSA fingerprint for the relevant CIN IP (in this case 198.51.101.1), then try the m 1 1 command from the MHO again.
For jumping between members - I saw a similar issue, but for 40k/60k - sk116472. I don't know if we have a similar case there.
Did you apply any changes to get stuck in such a state? What is the software / JHF version?
BR
Daniel.
I tried to delete /home/admin/.ssh/known_hosts and create an empty known_hosts. But no luck, it still shows "Permission denied (publickey)".
This is a newly installed MHO and it is still being configured.
MHO-140 version is R81.10 take 55.
Todd
Weird. Maybe something happened with the sshd config on the SecGrp. Do you have any other SecGrp running, just to compare?
BR
Daniel
We only have one SecGrp.
MHO-140 version is R81.10 take 55 but the Gateway version is R81.10 take 30. Could this be the reason?
Thanks,
Todd
It shouldn't be an issue, but if it's a bug then who knows. Has it not been working from the beginning, or was something changed before the issue occurred?
BR
Daniel.
It sounds like /home/admin/.ssh/authorized_keys on the gateways is missing the appropriate key from the MHO.
Not sure if there is a more clever way to resolve this than adding the contents of /home/admin/.ssh/id_rsa.pub from the MHO to each gateway manually.
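The check suggested in the reply above, as an added example that is not part of the original thread and is not Check Point code: it tests whether a public key's base64 blob appears in an authorized_keys file, ignoring option prefixes and comments. The function names are hypothetical, and it assumes the MHO's id_rsa.pub has been copied somewhere it can be read next to the gateway's authorized_keys.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): is a given public key present
# in an authorized_keys file? The comparison uses the base64 key blob only,
# so leading options (from="...", command="...") and trailing comments
# do not affect the result.

# Read key lines on stdin, print the base64 blob of each one.
# Blank lines and comment lines are skipped.
key_blobs() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            # The blob is the field right after the key-type token.
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/) {
                    print $(i + 1)
                    next
                }
        }'
}

# key_is_authorized PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Returns 0 if the key is listed, 1 if it is missing,
# 2 if a file is unreadable or the public key file holds no key.
key_is_authorized() {
    local pub=$1 auth=$2 blob
    [ -r "$pub" ] && [ -r "$auth" ] || return 2
    blob=$(key_blobs < "$pub" | head -n 1)
    [ -n "$blob" ] || return 2
    # -x whole-line match, -F fixed string: the blob must match exactly.
    key_blobs < "$auth" | grep -qxF -- "$blob"
}

# Usage, with the paths named in the thread (copy the MHO key to the
# gateway first; /tmp/mho_id_rsa.pub is an assumed location):
#   key_is_authorized /tmp/mho_id_rsa.pub /home/admin/.ssh/authorized_keys \
#       && echo "MHO key present" || echo "MHO key missing or unreadable"
```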
Thank you all.
We restricted "Host Access" in Gaia System Management and forgot to add 198.51.101.0/24 to the allowed network. This denies access from MHO's m command.
Todd
Thanks for the feedback. It explains such behavior.
Br
Daniel