SFTP - Error With Known_Hosts

Discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
fred
Posts: 1
Joined: Tue Jul 06, 2021 8:31 am

SFTP - Error With Known_Hosts

Post by fred »

We're trying to implement a new batch SFTP and having an issue with the server entry in Known_Hosts. The issue is the host name used, GOXSF100, resolves to a number of servers that are round robin. First time works fine and the server key is added to Known_hosts. When we connect the second time the IP address doesn't match the entry in Known_Hosts and we see:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ FOTS1308 WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for goxsf100 has changed,
and the key for the corresponding IP address 10.110.3.171
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
FOTS1326 Password authentication is disabled to avoid man-in-the-middle attacks.
FOTS1306 Keyboard-interactive authentication is disabled to avoid man-in-the-mid
FOTS1373 fplnt\\zzzcheck@goxsf100: Permission denied (publickey,password,keyboar
Ý07:18:12.614868¨ Connection closed

The last couple of messages indicate that password authentication is disabled, and that is, BTW, the way we are trying to authenticate. If we switch to using certificates, would that resolve this known_hosts issue? Seems to work between my laptop and Z/OS but don't know if that's always the case.

Thanks!!
Fred
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: SFTP - Error With Known_Hosts

Post by dovetail »

Note: this is an issue with IBM z/OS OpenSSH, and not Co:Z SFTP.

If you have a round-robin IP address that resolves to multiple SSH servers, you will need to have those virtual servers use the same SSH server host keys, otherwise the ssh client will have this issue.
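Added example, not part of either post and not Co:Z or IBM code: a check that every server behind a round-robin name presents the same host keys, which is the condition the reply above describes. It assumes host keys were collected per pool member in the `address keytype base64-key` form that ssh-keyscan prints; the addresses and key blobs below are constructed, and the function names are this example's own.

```python
import base64
import hashlib
from collections import defaultdict

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keyscan(text):
    """Return {keytype: {address: fingerprint}} from 'address keytype key' lines."""
    by_type = defaultdict(dict)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # skip blanks, banner comments and malformed lines
        addr, keytype, blob = fields[:3]
        by_type[keytype][addr] = fingerprint(blob)
    return dict(by_type)

def mismatched_key_types(by_type):
    """Key types for which pool members disagree or a member offers no key."""
    members = {addr for seen in by_type.values() for addr in seen}
    problems = {}
    for keytype, seen in by_type.items():
        groups = defaultdict(list)
        for addr, fp in seen.items():
            groups[fp].append(addr)
        missing = sorted(members - set(seen))
        if len(groups) > 1 or missing:
            problems[keytype] = {"groups": {fp: sorted(a) for fp, a in groups.items()},
                                 "missing": missing}
    return problems

def _constructed_blob(label):
    # Stand-in for a real key blob; constructed for this example only.
    return base64.b64encode(b"constructed-host-key-" + label.encode()).decode()

# Constructed sample: three pool members (documentation addresses), one of
# which has its own ECDSA host key while all three share the Ed25519 key.
SAMPLE = "\n".join([
    "# 192.0.2.10:22 SSH-2.0-OpenSSH",
    f"192.0.2.10 ecdsa-sha2-nistp256 {_constructed_blob('ecdsa-shared')}",
    f"192.0.2.11 ecdsa-sha2-nistp256 {_constructed_blob('ecdsa-shared')}",
    f"192.0.2.12 ecdsa-sha2-nistp256 {_constructed_blob('ecdsa-other')}",
    f"192.0.2.10 ssh-ed25519 {_constructed_blob('ed25519-shared')}",
    f"192.0.2.11 ssh-ed25519 {_constructed_blob('ed25519-shared')}",
    f"192.0.2.12 ssh-ed25519 {_constructed_blob('ed25519-shared')}",
])

if __name__ == "__main__":
    for keytype, detail in mismatched_key_types(parse_keyscan(SAMPLE)).items():
        print(keytype, detail)
```

An empty result means every member offers the same key for each key type, so a single known_hosts entry for the shared name matches whichever server the name resolves to.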