How to fix Host key verification failed error on linux servers

When you connect to a server for the first time, the server prompts you to confirm that you are connected to the correct system. 

The following example uses the ssh command to connect to a remote host named redhat007:

[root@redhat001:~]# ssh user02@redhat007

The authenticity of host 'redhat007 (192.168.1.24)' can’t be

established. ECDSA key fingerprint is ...

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'redhat007,192.168.1.24' (ECDSA) to the list of known hosts.

The command checks to make sure that you are connecting to the host that you think you are connecting to. 

When you enter yes, the client appends the server’s public host key to the user’s ~/.ssh/known_hosts file and creating the ~/.ssh directory if necessary.

Next time when you connect to the remote server, the client compares this key to the one the server supplies. If the keys match, you are not asked if you want to continue connecting.

If someone tries to trick you into logging in to their machine so that they can sniff your SSH session, you will receive a warning similar to the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

Someone could be eavesdropping on you right now (man-in-the-middle attack)!

It is also possible that the RSA host key has just been changed.

The fingerprint for the RSA key sent by the remote host is

22:cf:23:31:7a:5d:93:13:1s:99:23:c2:5k:19:2a:1c.

Please contact your system administrator.

Add correct host key in /home/readhat001/.ssh/known_hosts to get rid of this message.

Offending key in /home/redhat001/.ssh/known_hosts:7

RSA host key for redhat007 has changed and you have requested strict checking.

Host key verification failed.

To resolve above error, we have two different method.

1. Remove old key manually:

Normally key is stored ~/.ssh/known_hosts file

If root wants to ssh to the server, just removing entry in the /root/.ssh/known_hosts file is all right.

If user01 wants to ssh to the server, then remove the entry in the file /home/user01/.ssh/known_hosts.

I will remove the the key  for the destination server redhat007 from the file /home/user02/.ssh/known_hosts.

# vi /home/user02/.ssh/known_hosts

redhat003 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLrY91bQOihgFZQ2Ay9KiBG0rg51/YxJAK7dvAIopRaWzFEEis3fQJiYZNLzLgQtlz6pIe2tj9m/Za33W6WirN8=

redhat005 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCrY/m16MdFt/Ym51Cc7kxZW3R2pcHV1jlOclv6sXix1UhMuPdtoboj+b7+NLlTcjfrUccL+1bkg8EblYucymeU=

redhat007 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCrY/m16MdFt/Ym51Cc7kxZW3R2pcHV1jlOclv6sXix1UhMuPdtoboj+b7+NLlTcjfrUccL+1bkg8EblYucymeU=

2. Removing old key using the ssh-keygen command

[root@redhat001:~]# ssh-keygen -R [hostname|IP address]

[root@redhat001:~]# ssh-keygen -R redhat007

Now once you remove the entry, please login again

[root@redhat001:~]# ssh user02@redhat007

[root@redhat001:~]# ssh user02@redhat007

The authenticity of host 'redhat007 (redhat007)' can't be established.

ECDSA key fingerprint is SHA256:V+iGp3gwSlnpbtYv4Niq6tcMMSZivSnYWQIaJnUvHb4.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'redhat007' (ECDSA) to the list of known hosts.

How to Create a Link Aggregation – Bonding on Solaris

A link aggregation consists of several interfaces on a system that are configured together as a single, logical unit. Link aggregation, also referred to as trunking

Basically link aggregation is like a bonding on server. Its work in active and passive mode. At a time one network device are up and other bonding device are in stand by mode.

Requirements for Link Aggregations:-

1. Your link aggregation configuration is bound by the following requirements:

2. You must use the dladm command to configure aggregations.

3. An interface that has been plumbed cannot become a member of an aggregation.

4. Interfaces must be of the GLDv3 type: xge, e1000g, and bge.

5. All interfaces in the aggregation must run at the same speed and in full-duplex mode.

If the solaris box matches these above requirement, after that we can only able to create a link aggregation.

How to create a link aggregation in Solaris operating system:-

1. As a root user please login on the solaris operating system so you have full administrative role to perform the action.

2. Determine which interfaces are currently installed on your system.

For this work you need to run the below command.

#dladm show-link

The above command show you the which interfaces are currently installed on your system.

#dladm show-link

ce0             type: legacy    mtu: 1500       device: ce0

ce1             type: legacy    mtu: 1500       device: ce1

bge0            type: non-vlan  mtu: 1500       device: bge0

bge1            type: non-vlan  mtu: 1500       device: bge1

As per link aggregation requirement, we can only use the interface which start from bge etc. here the device bge0, bge1 are currently installed on the server.

3. In this step now determine which interfaces have been plumbed. for this please run the below command.

#ifconfig -a

lo0: flags=2001000322 <UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1

        inet 127.0.0.1 netmask ff000000 

ce0: flags=1000420 <UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2

        inet 192.168.1.43 netmask ffffff00 broadcast 192.168.1.255

        ether 0:4:7c:8:92:7d 

4. Now create a link aggregation using below command

#dladm create-aggr -d bge0 -d bge1 1

here 1 is the key number which identify the link aggreation , and it is lowest number.

5. now configure & plumb the newly created aggregation. Please use the below command to do this.

#ifconfig aggr1 plumb 192.168.1.56 up

6. To check the status of the aggregation you just created, please run the below command.

#dladm show-aggr

key: 1 (0x0001) policy: L4      address: 0:4:7c:8:92:7d (auto)

device   address           speed         duplex  link    state

bge0     0:4:7c:9:87:4e    1000  Mbps    full    up      attached

bge1     0:4:7c:9:32:9e    0     Mbps    unknown down    standby

7. For link aggregations with IPv4 addresses, create an /etc/hostname.aggrkey file.

#vi /etc/hostname.aggr1

92.168.1.56

8. perform a reboot.

#reboot -- -r

How to check Operating Systems Version is 64-bit or 32-Bit in AIX and Solaris

In this post, you can see how we will check the operating system is 32 bit or 64 bit. Normally when we download any software on Unix platform they have dependency regarding the operating system version. So after following my this post you can easily get the information about the operating system version information.
When you work on Unix operating system then you must know the version of operating system. Because without getting exact version of OS, you can not install the packages on the Linux system.

Here, I mentioned the command and their output using these commands you can easily found the version of operating system. It is 32 bit or 64 bit.

Linux Operating System:

#uname –a
Linux vibhor 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

#uname  -m
x86_64

If the output has "x86_64",the environment is 64 bit.

Solaris Operating System:

#isainfo options

-v         Prints detailed information about the other options
-b         Prints the number of bits in the address space of the native instruction set.
-n         Prints the name of the native instruction set used by portable applications supported by the current version of the OS.
-k         Prints the name of the instruction set or sets that are used by the OS kernel components such as device drivers and STREAMS modules.

[vibhor]# isainfo -v

64-bit sparcv9 applications
        ima fmaf vis2 vis popc
32-bit sparc applications
        ima fmaf vis2 vis popc v8plus div32 mul32

[vibhor]# isainfo -b
64

[vibhor]#isainfo
sparcv9 sparc

The output for the above command should be sparcv9 sparc for a 64-bit operating System.

AIX Operating System:

vibhor:/> getconf -a | grep KERN
KERNEL_BITMODE:                         64

vibhor:/> bootinfo -y
64

The output of the above command should be 64 for a 64-bit hardware. The command must be executed as root.

Note: on AIX, the -y option will specify if the hardware is 32- or 64-bit mode while bootinfo -k will specify if the kernel is 32- or 64-bit (this command must be run as root).

HP-UX Operating system:
         
 hpx:/> getconf KERNEL_BITS
 64
         
The output of the above command should be 64 for a 64-bit operating system.

How to Set a Solaris 11 Machine's NIS Domain Name

If domainname command not showing any output then you need to check either defaultdomain or NIS domain is configured or not.

Steps which we need to follow to set the NIS domain name as describe below.

1. Please run  "cat /etc/defaultdomain" command and check the output that domain is set or not.

    #domainname

The above command shows you the current domain name on the server, if no output is display you need to set the domain by below command.

   #domainname UNIX

Run the below command to check the output again.

   #domainname

   UNIX

You can see the output. All the above command is used for checking and setting the domain name on the Solaris operating server.

2. If you want to set the domain using NIS, then first please check the NIS/DOMAIN service is running or not

root@sun:~# svcs status nis/domain

STATE          STIME    FMRI

disabled       18:20:04 svc:/network/nis/domain:default

In my Solaris machine, currently NIS domain services is stop, we will start it later once we will configured the NIS domain name on the Solaris server.

3. Now you need to configure the NIS domain for your machine ( in my case - UNIX is my domain name)

root@sun:~# svccfg -s svc:/network/nis/domain setprop config/domainname = UNIX

If you see the above command, "svccfg" command is used to configure the domain and set the proper properties.

4. In the final step once the configuration has been completed you need to refresh & enable the NIS domain service again.

root@sun:~# svccfg -s nis/domain:default refresh

root@sun:~# svcadm enable nis/domain

You can check the NIS domain service status as describe in step 2. 

5. Now you can verify the domain name using below command so we can ensure that the NIS domain name has been set successfully. 

root@sun:~# domainname

UNIX

The above command output show "UNIX" domain name which we set during the configuration, so using these above method we can easily set the NIS domain name on the Solaris operating server.

How to start/stop and enable/disable Firewall on Redhat 7 Linux system

In RHEL7, to stop/start and enable/disable the firewall is quite different from RHEL6. In Red hat 7 "firewalld" named service we used for local firewall. Please find the below example step by step to check the firewall status.

How to check status of RHEL7 firewall:

[root@localhost ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon

Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)

Active: active (running) since Thu 2018-02-05 12:37:47 IST; 0 months 1 days ago

Main PID: 332 (firewalld)

CGroup: /system.slice/firewalld.service
           └─332 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Feb 05 12:37:47 localhost systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 05 12:37:49 localhost systemd[1]: Started firewalld - dynamic firewall daemon.

In the above status firewall is by default enable on the linux system. It is enable automatically when system restart or on.

How to Stop and Start RHEL7 firewall:

 

Please use the below commands to start stop the firewall on redhat linux 7 operating system. 

[root@localhost ~]# service firewalld stop
Redirecting to /bin/systemctl stop  firewalld.service
Stopped firewall will start again after system's reboot.

[root@localhost ~]# service firewalld start
Redirecting to /bin/systemctl start  firewalld.service

How to Disable and Enable RHEL7 firewall:

If you want to disable permanently firewall so that after reboot it is not enable again, please use the below command.

[root@localhost ~]# systemctl disable firewalld
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/basic.target.wants/firewalld.service'

If you want to enable the firewall again run please use the below command.

[root@localhost ~]# systemctl enable firewalld
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.se

Multipath command with an examples

In linux operating system device mapping through multipath is widely used. Here, we can give you some example how we will use the multipath commands in Linux server

➤ Normally multipath device has a Word Wide Identifier (WWID), which is globally unique and unchanging.

➤ When new devices are brought under the control of DM-Multipath, the new devices may be seen in three different places under the /dev directory: /dev/mapper/mpathn, /dev/mpath/mpathn, and /dev/dm-n

➤ The devices in /dev/mapper are created early in the boot process. Use these devices to access the multipathed devices, for example when creating logical volumes.
The devices in /dev/mpath are provided as a convenience so that all multipathed devices can be seen in one directory. These devices are created by the udev device manager and may not be available on startup when the system needs to access them.

Note: Do not use these devices for creating logical volumes or filesystems

➤ Any devices of the form /dev/dm-n are for internal use only and should never be used.

Please find the multipath syntax which we used in the Linux operating system.


l    -> Display the current multipath configuration gathered from sysfs and the device mapper.

ll  -> Display the current multipath configuration gathered from sysfs, the device mapper, and all other available components on the system.

f    -> Remove the named multipath device.

F   -> Remove all unused multipath devices.

v   ->  Verbosity level
          . 0 no output
          . 1 print created devmap names only
          . 2 default verbosity
          . 3 print debug information

d   -> Dry run, do not create or update devmaps

r    -> Force devmap reload

⧪ How to display the current multipath configuration with all information.

[root@localhost~]# multipath -ll
Dec 21 11:27:17 | multipath.conf line 35, invalid keyword: selector
mpathf (3600c0ff00019e9e9dc94c25801000000) dm-6 HP,MSA 2040 SAN
size=466G features='0' hwhandler='0' wp=rw
`-+- policy='round-robin 0' prio=70 status=active
  |- 1:0:0:4 sdg 8:96 active ready running
  |- 2:0:0:4 sdj 8:144 active ready running
  |- 1:0:1:4 sdq 65:0 active ready running
  `- 2:0:1:4 sdt 65:48 active ready running

⧪ How to remove multipath devices with multipath Command

[root@localhost~]# multipath -f mpathf

Note: if we use -F option then it is remove all unused devices.

⧪ How to Force reload device map with multipath Command

[root@localhost~]# multipath -r

Solaris Server process Monitoring tool- prstat

We have different type of tools and command which are used in Solaris or other Unix system to monitor the system process. But if we are talking about only Sun Solaris server then we have very good process tool which is called "prstat".

In this post, we will find that how prstat is work on the Solaris platform.

⇾   !-[solaris]# prstat

When you run the above command on the command line you will get the below output on the CLI screen which are refreshing in every few seconds and sorting all the information regarding the system resource.

  PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP

 21322 root      11M 3236K cpu0    59    0   0:00:00 0.0% prstat/1

 21323 root      18M 4788K sleep   59    0   0:00:00 0.0% sshd/1

 22345 root      10M 2188K sleep   59    0   0:00:00 0.0% bash/1

   584 root       13M 3832K sleep   59    0   0:01:59 0.0% nscd/51

   154 root       13M 2068K sleep   59    0   0:00:00 0.0% syseventd/18

   183 root     1772K  776K sleep   59    0   0:00:13 0.0% utmpd/1

   538 root       11M 2572K sleep   59    0   0:00:00 0.0% picld/4

Total: 12 processes, 31 lwps, load averages: 0.00, 0.00, 0.00


This is a quick view of the prstat command but if you wanted to get a different view of the same info, like a summary of what users own these CPU consuming processes

⇾   !-[solaris]# prstat -a

If you run prstat with the -a option (prstat -a) you will get an output similar to the default one, but the last few lines of it will be used for providing a really useful report of the users consuming top system resources.


  PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP

 21322 root      11M 3236K cpu0    59    0   0:00:00 0.0% prstat/1

 21323 root      18M 4788K sleep   59    0   0:00:00 0.0% sshd/1

 22345 root      10M 2188K sleep   59    0   0:00:00 0.0% bash/1


 NPROC USERNAME  SWAP   RSS MEMORY      TIME  CPU

     5 root      52M   13M   1.3%   0:00:00 0.0%

    50 root      841M  571M    56%   0:22:22 0.0%

     2 daemon     17M 4520K   0.4%   0:00:04 0.0%

Total: 12 processes, 31 lwps, load averages: 0.00, 0.00, 0.00

We have different type of syntax which we can used to monitor the Solaris server process which are listed below.

!-[solaris]# prstat -L  -> This shows thread per line instead of one process per line
!-[solaris]# prstat -s -> prstat output can be sorted using set of sub-options .sub options are                  cpu,pri,rss,size,time 

!-[solaris]# prstat -t  -> It provides complete users resource utilization.
!-[solaris]# prstat -Z  -> It provides summary per local zone.

How to change a disk in SVM Solaris volume manager

In this post, I will take my sparc server machine. My Sun Sparc server consist 2 hard disk, let us assume the server has 2 hard disk: c0t0d0 and c0t1d0. We will assume c0t0d0 failed and need to be replaced.

Step by Step Method as described below:

1. In the initial step, we will find that which hard disk is down or faulty. To check this we will used "format" command.

!-[solaris]## format
       0. c0t0d0 <__drive type unknown__>
          /pci@0,600000/pci@0/pci@8/pci@0/scsi@1/sd@0,0
       1. c0t1d0 <SUN146G cyl 14087 alt 2 hd 24 sec 848>
          /pci@0,600000/pci@0/pci@8/pci@0/scsi@1/sd@1,0

If you see the "format" command output, we have two disk "c0t0d0,c0t1d0". Disk "c0t0d0" is in faulty state and it's down, You can see the drive type is in unknown state.

2. If you are running the "metastat" command you can see the status of hard disk which is show status in "need maintenance".

!-[solaris]## metastat    # will show status in "need maintenance"

        flags           first blk       block count
     a        u         16              8192            /dev/dsk/c0t0d0s7
     a        u         8208            8192            /dev/dsk/c0t0d0s7
     a    p  luo        16              8192            /dev/dsk/c0t1d0s7
     a    p  luo        8208            8192            /dev/dsk/c0t1d0s7

!-[solaris]## metadb -d c0t0d0s7
!-[solaris]## metadb

Using above command we delete metadb on failing disk and check that metadb on the other disk.

4. Now, we will unconfigure the corresponding disk which is down right now. This is the main step of this post so you can more careful while running the command which is given below.

!-[solaris]## cfgadm -al
!-[solaris]## cfgadm -f -c unconfigure c0::dsk/c0t0d0
!-[solaris]## cfgadm -al

Using cfgadm command we will unconfigure the c0t0d0 faulty hard disk so that we will replace the down hard disk in next step.

5. Now you can change the faulty disk to new one and reconfigure it again with same name.

!-[solaris]## cfgadm -c configure c0::dsk/c0t0d0
!-[solaris]## cfgadm -al

6. In this steo we will duplicate partitionning schema of first disk to the second and create metadb.

!-[solaris]## prtvtoc /dev/rdsk/c0t1d0s2 | fmthard -s - /dev/rdsk/c0t0d0s2
!-[solaris]## metadb -a -f -c2 /dev/dsk/c0t0d0s7

7. In second last step you will run all the below command for replacement of the failinf SVM partition.

!-[solaris]## metastat
!-[solaris]## metareplace -ef d4 c0t0d0s4
!-[solaris]## metareplace -ef d3 c0t0d0s3
!-[solaris]## metareplace -ef d1 c0t0d0s1
!-[solaris]## metareplace -ef d0 c0t0d0s0
!-[solaris]## metareplace -ef d5 c0t0d0s5
!-[solaris]## metareplace -ef d6 c0t0d0s6
!-[solaris]## metasync d0
!-[solaris]## metasync d1
!-[solaris]## metasync d3
!-[solaris]## metasync d4
!-[solaris]## metasync d5
!-[solaris]## metasync d6
!-[solaris]## metasync d7

8. In final step you need to make the disk bootable so that operating system will be boot on the mirror disk.

!-[solaris]## installboot /usr/platform/`uname -i`/lib/fs/ufs/bootblk /dev/rdsk/c0t0d0s0

Using this step you can make a disk bootable. I hope this post is useful for you. You are requested to please comment on the post if you have any issue, I will try to back you with my answer.

Solaris zone: error: net0: failed to create VNIC: operation not supported

In this post, I will discuss with you one of the most interesting error which I am facing when I boot the local zone on Solaris 11.3. The description of this interesting issue as describe below.

Description of error:

!-[solaris]# zoneadm -z sun01 boot

zone 'sun01': error: net0: failed to create VNIC: operation not supported

zoneadm: zone sun01: call to zoneadmd(1M) failed: zoneadmd(1M

I have try to create and configure the  VNIC on Solaris 11.3 operating server but it get failed with the same error.

!-[solaris]#dladm create-vnic -l net0 vnic01

dladm: vnic creation failed: operation not supported

If you are also facing a such error while booting the local zone on solaris 11 server, then please use the below solution to resolve such issues.

Solution of error:

➥ This error "failed to create VNIC: operation not supported" would normally come when there are not enough mac addresses to assign to the zone. So now we need to add alternate mac addresses to the network interface.So before adding the new mac address we will stop LDM.

!-[solaris]#ldm list-domain

NAME            STATE     FLAGS  CONS   VCPU MEMORY  UTIL NORM UPTIME

primary         active    -n-cv- UART   8    8G      2.0% 2.0% 41d 20h 14m

0004fb0000060000ff1d3d8336112f6f active    -n---- 5001   50   64G     0.1% 0.1% 18h 23m

➥ Now log in to the Solaris global zone and check if net0 have additional MAC addresses or not. Please use the below command to check the status.

!-[solaris]# dladm show-phys -m

LINK               SLOT    ADDRESS           INUSE CLIENT

net0               primary 0:21:f6:d6:d3:e5  yes  net0

                   1       0:14:4f:f9:6d:8d  no   --

                   2       0:14:4f:fb:10:2b  no   --

                   3       0:14:4f:f9:41:d6  no   --

                   4       0:14:4f:f8:dd:c8  no   --

net1               primary 0:21:f6:51:be:4d  yes  net1

➥ Now zone will start without any issue, as we have assigned the new mac address to this zone.

!-[solaris]# zoneadm -z sun01 start

Please let me know if you are facing any issue regarding this error.