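While taking stock of the project servers' status, I found one abnormal host that could not be reached over SSH. The error was as follows: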
[root@localhost ~]# ssh 10.48.52.11
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:TorcIEYp6CXAIK2YNKW6pmD60X4FZKfXooQlCCIXhDY.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:6
ECDSA host key for 10.48.52.11 has changed and you have requested strict checking.
Host key verification failed.
Troubleshooting approach
Remove the old fingerprint
[root@localhost ~]# ssh-keygen -R 10.48.52.11
# Host 10.48.52.11 found: line 6
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
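Observe the SSH fingerprint changing
Connecting to the server over SSH several times shows that the SHA256 and MD5 fingerprints change between attempts.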
[root@localhost ~]# ssh 10.48.52.11
The authenticity of host '10.48.52.11 (10.48.52.11)' can't be established.
ECDSA key fingerprint is SHA256:sFBkqIc1Bqxl0HPUA9CYIFpvHjQjpjf4LKzG9FLNU+4.
ECDSA key fingerprint is MD5:fb:ab:e9:ac:5d:0b:1c:ea:82:08:63:28:9c:b6:ea:59.
Are you sure you want to continue connecting (yes/no)? ^C
[root@localhost ~]# ssh 10.48.52.11
The authenticity of host '10.48.52.11 (10.48.52.11)' can't be established.
ECDSA key fingerprint is SHA256:TorcIEYp6CXAIK2YNKW6pmD60X4FZKfXooQlCCIXhDY.
ECDSA key fingerprint is MD5:1b:db:9f:91:4c:6f:5d:e7:06:4e:97:7c:32:22:66:82.
Are you sure you want to continue connecting (yes/no)? ^C
Check the server's SSH fingerprint
Use the following commands on the server to view its host key fingerprint.
[root@localhost ssh]# ssh-keygen -E sha256 -lf /etc/ssh/ssh_host_ecdsa_key.pub
256 SHA256:TorcIEYp6CXAIK2YNKW6pmD60X4FZKfXooQlCCIXhDY no comment (ECDSA)
[root@localhost ssh]# ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ecdsa_key.pub
256 MD5:1b:db:9f:91:4c:6f:5d:e7:06:4e:97:7c:32:22:66:82 no comment (ECDSA)
Fetch the server's public key fingerprint
[root@localhost ~]# ssh-keyscan -t ECDSA -p 22 10.48.52.11 2>/dev/null | ssh-keygen -E sha256 -lf -
256 SHA256:sFBkqIc1Bqxl0HPUA9CYIFpvHjQjpjf4LKzG9FLNU+4 10.48.52.11 (ECDSA)
[root@localhost ~]# ssh-keyscan -t ECDSA -p 22 10.48.52.11 2>/dev/null | ssh-keygen -E md5 -lf -
256 MD5:fb:ab:e9:ac:5d:0b:1c:ea:82:08:63:28:9c:b6:ea:59 10.48.52.11 (ECDSA)
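Taken together, these results show that the server's IP address has been taken over by another host, which is why the SSH public key presented at that address keeps changing. Moving the host that took over the address to a different IP address resolves the problem.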
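
The manual comparison above can be scripted. The following is an added example, not part of the original post: it repeats the ssh-keyscan step and checks every result against the fingerprint read on the server itself. The function names `classify_fingerprints` and `scan_host` are hypothetical, and the trusted fingerprint is assumed to come from running ssh-keygen on the server console as shown earlier.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# classify_fingerprints TRUSTED_FP
# Reads `ssh-keygen -lf` output lines on stdin (fingerprint is field 2) and
# prints one verdict: consistent | mismatch | flapping | no-data.
# Exit status is 0 only when every scan returned the trusted fingerprint.
classify_fingerprints() {
    awk -v want="$1" '
        NF >= 2 { if (!($2 in cnt)) n++; cnt[$2]++ }
        END {
            for (fp in cnt)   # per-fingerprint tally goes to stderr
                printf "%4d x %s\n", cnt[fp], fp > "/dev/stderr"
            if (n == 0)      { print "no-data";    exit 2 }
            if (n > 1)       { print "flapping";   exit 1 }
            if (want in cnt) { print "consistent"; exit 0 }
            print "mismatch"; exit 1
        }'
}

# scan_host HOST [COUNT] [DELAY_SECONDS]
# Repeats the ssh-keyscan | ssh-keygen pipeline from the post COUNT times.
scan_host() {
    sh_host=$1; sh_count=${2:-6}; sh_delay=${3:-2}; sh_i=0
    while [ "$sh_i" -lt "$sh_count" ]; do
        ssh-keyscan -t ecdsa -p 22 "$sh_host" 2>/dev/null |
            ssh-keygen -E sha256 -lf -
        sh_i=$((sh_i + 1))
        sleep "$sh_delay"
    done
}

# Usage: script HOST TRUSTED_FP [COUNT]
if [ "$#" -ge 2 ]; then
    scan_host "$1" "${3:-6}" | classify_fingerprints "$2"
fi
```

A `flapping` verdict means more than one key answered at the same address during the run, which is the pattern seen in this case. A `mismatch` verdict means a single key answered consistently but it was not the trusted one.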