blumzi / LAST_issues

A place to discuss and manage LAST issues

whenever a LAST computer is replaced, `ssh` and `network` should be enforced again on all others #63

Open EastEriq opened 1 month ago

EastEriq commented 1 month ago

Because the MAC changed. Otherwise, in one way or another, last-asocs or last-asroot run from this or that other computer will fail with messages like

[FAIL] ssh failure (status=255, err="ssh: Could not resolve hostname last08e: Temporary failure in name resolution")

or

[FAIL] ssh failure (status=255)
[FAIL] Error(s):
[FAIL]   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[FAIL]   @       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
[FAIL]   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[FAIL]   The ECDSA host key for last04w has changed,
[FAIL]   and the key for the corresponding IP address 10.23.1.8
[FAIL]   is unknown. This could either mean that
[FAIL]   DNS SPOOFING is happening or the IP address for the host
[FAIL]   and its host key have changed at the same time.
[FAIL]   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[FAIL]   @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
[FAIL]   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[FAIL]   IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
[FAIL]   Someone could be eavesdropping on you right now (man-in-the-middle attack)!
[FAIL]   It is also possible that a host key has just been changed.
[FAIL]   The fingerprint for the ECDSA key sent by the remote host is
[FAIL]   SHA256:fnBjbxUP09vmFsgOs65D7l/9mVYsfhE+w6mjfXZ7vqs.
[FAIL]   Please contact your system administrator.
[FAIL]   Add correct host key in /home/ocs/.ssh/known_hosts to get rid of this message.
[FAIL]   Offending ED25519 key in /home/ocs/.ssh/known_hosts:29
[FAIL]   remove with:
[FAIL]   ssh-keygen -f "/home/ocs/.ssh/known_hosts" -R "last04w"
[FAIL]   ECDSA host key for last04w has changed and you have requested strict checking.
[FAIL]   Host key verification failed.

Fortunately we have last-tool sections for that. I find myself still needing to call again and again

sudo last-tool -n enforce network
sudo last-tool -n enforce ssh

whenever I'm on a random computer and try by chance to connect to a computer which has been recently replaced.

Probably we should, as policy, run something

last-asroot -c "last-tool -n enforce network; last-tool -n enforce ssh"

to update all computers, when one is replaced. Arie, please advise wrt the mechanics.

blumzi commented 1 month ago

last-asroot -c "last-tool -n make ssh" should be sufficient

It uses ssh-keyscan to get the host keys from all the deployed machines

EastEriq commented 1 month ago

Today I still found this one:

ocs@last04w:~$ ping last08e
ping: last08e: Temporary failure in name resolution

while last08e is alive. Running sudo last-tool -n enforce ssh and network both on last08e and last04w didn't change the situation. What to do?

blumzi commented 1 month ago

last-tool -n make hostname will re-make /etc/hosts, better check afterwards that the entry for last08e is ok.

- Arie

On 8 Oct 2024, at 11:09, EastEriq wrote:

Today I still found this one:

ocs@last04w:~$ ping last08e
ping: last08e: Temporary failure in name resolution

while last08e is alive. Running sudo last-tool -n enforce ssh and network both on last08e and last04w didn't change the situation. What to do?

EastEriq commented 1 month ago

Nope, that alone was not sufficient:

ocs@last04w:~$ sudo last-tool -n make hostname
[sudo] password for ocs: 

[SECT] Hostname
[ OK ] Hostname set to last04w
[ OK ] Created a canonical "/etc/hosts" file.
ocs@last04w:~$ ping last08e
ping: last08e: Temporary failure in name resolution
ocs@last04w:~$ ping last08e

In fact /etc/hosts on 04w was missing last08e.

...
10.23.1.11  last06e last11
10.23.1.12  last06w last12
10.23.3.13  last07e last13
10.23.3.14  last07w last14
10.23.1.16  last08w last16
10.23.1.19  last10e last19
10.23.1.20  last10w last20
...

I have now added it manually and now 04w knows 08e, but we should understand what went wrong along the way.
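Added example, not last-tool's own code and not posted by anyone in the thread. It shows the two mechanisms discussed above in runnable form: rebuilding a known_hosts file from ssh-keyscan output the way blumzi describes for "last-tool -n make ssh", and checking /etc/hosts against the fleet inventory, which is the gap EastEriq hit on last04w. Everything in it is constructed: the INVENTORY dict, the placeholder key blobs, the keyscan output and the hosts file are hypothetical stand-ins, and the function names are the example's own. The refresh does not just drop the offending line; it reports which host's key actually changed, so the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning is accepted only for the machine that was in fact replaced, and a host that did not answer the scan keeps its old entry instead of silently disappearing.

```python
"""Fleet known_hosts refresh and /etc/hosts consistency check (added example)."""
from __future__ import annotations

import base64
import hashlib

# Constructed inventory (hypothetical hosts; only the naming pattern is from the page).
INVENTORY = {
    "last04w": "10.23.1.8",
    "last08e": "10.23.1.15",
    "last08w": "10.23.1.16",
}


def _fake_key(label: str) -> str:
    """Deterministic placeholder key blob for the example (constructed, not a real key)."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


KEY_04W_OLD = _fake_key("last04w-before-replacement")
KEY_04W_NEW = _fake_key("last04w-after-replacement")
KEY_08E = _fake_key("last08e")

# Constructed known_hosts before the refresh: last04w still holds the replaced machine's key.
KNOWN_HOSTS_BEFORE = f"""# fleet keys
last04w,10.23.1.8 ssh-ed25519 {KEY_04W_OLD}
last08e,10.23.1.15 ssh-ed25519 {KEY_08E}
|1|c2FsdA==|aGFzaGVk ssh-ed25519 {KEY_08E}
"""

# Constructed `ssh-keyscan -t ed25519 last04w last08e last08w` output; last08w did not answer.
KEYSCAN_OUTPUT = f"""# last04w:22 SSH-2.0-OpenSSH_8.9
last04w ssh-ed25519 {KEY_04W_NEW}
# last08e:22 SSH-2.0-OpenSSH_8.9
last08e ssh-ed25519 {KEY_08E}
"""

# Constructed /etc/hosts with the same defect seen on last04w: no line for last08e.
HOSTS_FILE = """127.0.0.1   localhost
10.23.1.8   last04w last08
10.23.1.16  last08w last16
"""


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> dict[str, tuple[str, str]]:
    """host -> (keytype, key) from ssh-keyscan output; '#' lines are server banners."""
    keys: dict[str, tuple[str, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, keytype, key = line.split()[:3]
        keys[host] = (keytype, key)
    return keys


def refresh_known_hosts(known_hosts: str, keyscan: str, inventory: dict[str, str]):
    """Rebuild the fleet entries of known_hosts from keyscan output.

    Returns (new_text, report); report maps each inventory host to
    'unchanged', 'rotated' (key differs: expected only for a replaced machine),
    'new' (no stored key before) or 'missing' (not in the scan; old entry kept).
    Hashed (|1|...) and marker (@...) lines cannot be matched by name and are kept as-is.
    """
    scanned = parse_keyscan(keyscan)
    stored: dict[str, tuple[str, str]] = {}
    out: list[str] = []
    for line in known_hosts.splitlines():
        if not line.strip() or line[0] in "#|@":
            out.append(line)
            continue
        hostfield, keytype, key = line.split()[:3]
        names = [n for n in hostfield.split(",") if n in inventory]
        if not names:
            out.append(line)  # not a fleet host: leave untouched
            continue
        for n in names:
            stored[n] = (keytype, key)
    report: dict[str, str] = {}
    for host, ip in inventory.items():
        if host not in scanned:
            report[host] = "missing"
            if host in stored:
                out.append(f"{host},{ip} {stored[host][0]} {stored[host][1]}")
            continue
        keytype, key = scanned[host]
        if host not in stored:
            report[host] = "new"
        else:
            report[host] = "unchanged" if stored[host][1] == key else "rotated"
        out.append(f"{host},{ip} {keytype} {key}")
    return "\n".join(out) + "\n", report


def hosts_file_gaps(hosts_text: str, inventory: dict[str, str]) -> dict[str, str]:
    """Inventory hosts that /etc/hosts lacks or maps to a different address."""
    seen: dict[str, str] = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            seen.setdefault(name, fields[0])
    gaps: dict[str, str] = {}
    for host, ip in inventory.items():
        if host not in seen:
            gaps[host] = "absent"
        elif seen[host] != ip:
            gaps[host] = f"wrong ip {seen[host]} (expected {ip})"
    return gaps


if __name__ == "__main__":
    _, rep = refresh_known_hosts(KNOWN_HOSTS_BEFORE, KEYSCAN_OUTPUT, INVENTORY)
    for h, status in rep.items():
        print(h, status, fingerprint(parse_keyscan(KEYSCAN_OUTPUT)[h][1]) if h in parse_keyscan(KEYSCAN_OUTPUT) else "")
    print("hosts gaps:", hosts_file_gaps(HOSTS_FILE, INVENTORY))
```

Two caveats for running this against a real fleet. ssh-keyscan is trust-on-first-use: it records whatever key the machine at that name currently presents, so a "rotated" result should be matched against the replacement record (or the fingerprint read off the new machine's console) before the file is installed, otherwise the refresh would also launder a genuine man-in-the-middle. And entries written with HashKnownHosts (the |1|... lines) cannot be matched by name, so a stale hashed entry for the old key can keep triggering the warning; ssh-keygen -R removes those by hostname. The same refresh, written out to every machine via last-asroot as proposed in the thread, is what keeps the workstations consistent after a swap.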