Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-2136371.1
Update Date: 2016-05-12

Solution Type: Problem Resolution Sure

Solution  2136371.1 :   Oracle ZFS Storage Appliance: After Appliance Firmware Release Upgrade, SFTP Clients report Host Keys have Changed  


Related Items
  • Sun ZFS Storage 7320
  • Oracle ZFS Storage Appliance Racked System ZS4-4
  • Oracle ZFS Storage ZS3-BA
  • Oracle ZFS Storage ZS3-2
  • Oracle ZFS Storage ZS3-4
  • Sun ZFS Storage 7420
  • Oracle ZFS Storage ZS4-4
  • Sun ZFS Storage 7120

Related Categories
  • PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: ZS

In this Document
Symptoms
Changes
Cause
Solution
 Alternative
References


Created from <SR 3-12574297876>

Applies to:

Oracle ZFS Storage ZS3-2 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage Appliance Racked System ZS4-4 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS3-4 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS3-BA - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS4-4 - Version All Versions to All Versions [Release All Releases]
7000 Appliance OS (Fishworks)

Symptoms

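After the upgrade, SFTP clients that hold the appliance's previous host key in known_hosts cannot log in. The client rejects the connection with the following warning: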

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
a0:b1:c2:d3::e4:0a:1b:2c:3d:4e:2a:b3:4c:d5:6e.
Please contact your system administrator.
Add correct host key in /export/home/<user>/.ssh/known_hosts to get rid of this message.
Offending key in /export/home/<user>/.ssh/known_hosts:1
.
RSA host key for <zfs_storage_applance> has changed and you have requested strict checking.
Host key verification failed.
Couldn't read packet: Error 0

 

Changes

ZFS Storage Appliance upgraded to 2013.1.4.0 (OS8.4.0)

 

Cause

Improvements in certificate and key management introduced in OS8.4.0 may trigger certificate or key warnings after upgrade when accessing the appliance using any protocol that uses certificates or keys.

See the Oracle ZFS Storage Appliance 2013.1.4.0 Release Notes, found in Oracle ZFS Storage Appliance: Software Updates (Doc ID 2021771.1).

 

Solution

Manually accept a new key on the first access to the appliance from each SFTP client application.
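
Accepting the new key is only sound when its fingerprint has been confirmed against a value obtained from the appliance administrator over a separate channel, because the same warning appears when a connection is being intercepted. The following Python is an added example, not part of the Oracle document: it replaces the stale known_hosts entry for the SFTP port (218, as in the test command in this document) only when the new key's MD5 or SHA256 fingerprint matches the expected value. The function names, the `zfssa` entries and the keys are constructed for illustration, and known_hosts entries are assumed to be unhashed.

```python
import base64, hashlib, hmac, struct

def fingerprints(key_b64):
    """Return the (MD5 colon-hex, SHA256) fingerprints of a base64 public-key blob."""
    blob = base64.b64decode(key_b64)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def names_host(line, host, port):
    """True if an unhashed known_hosts line lists host on the given port."""
    fields = line.split()
    if len(fields) < 3 or line.startswith(("#", "@")):
        return False
    wanted = host if port == 22 else f"[{host}]:{port}"
    return wanted in fields[0].split(",")

def replace_host_key(known_hosts, host, port, new_line, expected_fp):
    """Replace host's stale entry with new_line only if the new key's
    fingerprint equals expected_fp, a value obtained out of band."""
    if not names_host(new_line, host, port):
        raise ValueError("new entry does not name the expected host and port")
    key_type, key_b64 = new_line.split()[1:3]
    if not any(hmac.compare_digest(fp, expected_fp) for fp in fingerprints(key_b64)):
        raise ValueError("fingerprint mismatch: key not accepted")
    kept = [l for l in known_hosts.splitlines()
            if not (names_host(l, host, port) and l.split()[1] == key_type)]
    return "\n".join(kept + [new_line]) + "\n"

def constructed_key(seed):
    """Build an ssh-rsa-shaped blob for the demo (constructed, not a real key)."""
    parts = [b"ssh-rsa", b"\x01\x00\x01", b"\x00" + hashlib.sha256(seed).digest()]
    return base64.b64encode(b"".join(struct.pack(">I", len(p)) + p for p in parts)).decode()

# Constructed sample data: host names and keys are placeholders.
OLD_LINE = "[zfssa]:218 ssh-rsa " + constructed_key(b"pre-upgrade")
NEW_LINE = "[zfssa]:218 ssh-rsa " + constructed_key(b"post-upgrade")
KNOWN_HOSTS = OLD_LINE + "\nzfssa ssh-rsa " + constructed_key(b"port-22") + "\n"

if __name__ == "__main__":
    trusted_fp = fingerprints(NEW_LINE.split()[2])[0]  # stands in for the admin-supplied value
    print(replace_host_key(KNOWN_HOSTS, "zfssa", 218, NEW_LINE, trusted_fp))
```

The entry for the same host on port 22 is left untouched, so the SSH and SFTP keys can be reviewed separately.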

 

Alternative

If you prefer to keep using the previous SFTP host key, open a service request referencing this document. This approach requires the SSH host keys, instead of the SFTP host keys, to be updated on all clients.

 

To use the SFTP key for the shared host key instead of the SSH key:

Back up the current shared host key:

zfssa# cp /etc/ssh/ssh_host_rsa_key /var/tmp/

Copy the pre-8.4.0 SFTP key over the post-8.4.0 shared key:

zfssa# mount -o remount,rw /
zfssa# cp /etc/svc/ssl/httpd.key /etc/ssh/ssh_host_rsa_key
zfssa# mount -o remount,ro /

Restart the SFTP and SSH services.

zfssa# svcadm restart svc:/network/sftp:default
zfssa# svcadm restart svc:/network/ssh:default

Confirm the SFTP keys work:

client$ sftp -o "port=218" user@zfssa:/export/sharename
Connecting to zfssa...
Changing to: /export/sharename
sftp> quit

 

If a customer has encountered this issue, it is also likely that the customer has encountered Bug 20395112, which affects the client keys:

Oracle ZFS Storage Appliance: On Upgrade to 2013.1.3.0, SSH/SFTP keys are not carried forward during upgrade (Doc ID 1960657.1)

References

<BUG:19348280> - SWITCHING BETWEEN SSH AND SFTP YIELDS WARNINGS
<BUG:20395112> - /VAR/AK/KEYSTORES/SFTP/*/SSH_AUTHORIZED_KEYS ARE NOT SAVED DURING UPGRADE
<BUG:23169728> - APPLIANCE SFTP HOST KEY REJECTED AS CHANGED AFTER OS UPDATE
<BUG:15575332> - SUNBT6859836 WANT SHARED SSH HOST KEYS IN CLUSTERS
<NOTE:1194226.1> - Oracle Shared Shell
<NOTE:1532902.1> - How to Associate My MOS Account to Tracker CSI to Access the SR Lists
<NOTE:2021771.1> - Oracle ZFS Storage Appliance: Software Updates
<NOTE:1960657.1> - Oracle ZFS Storage Appliance: On Upgrade to 2013.1.3.0, SSH/SFTP keys are not carried forward during upgrade

Copyright © 2018 Oracle, Inc.  All rights reserved.