Bug ID 680790: BIG-IQ prompts you to accept a previously-accepted signature

Last Modified: Nov 22, 2021

Affected Product:
BIG-IQ Platform (all modules)

Known Affected Versions:
5.1.0, 5.2.0, 5.3.0

Opened: Aug 29, 2017
Severity: 2-Critical

Symptoms

BIG-IQ systems configured in a high availability (HA) pair prompt you to accept a previously-accepted signature when you log in to a BIG-IP device through the command line.

Impact

When you log in to a BIG-IP device through the command line, using ssh-keygen -R causes the original symlink to be renamed to known_hosts.old and a new known_hosts file to be created as a copy of the old one. This breaks the link to the /shared partition, so upon upgrade, those entries are lost.

Conditions

BIG-IQ is used to ssh into other devices from the BIG-IQ root command line.

Workaround

For BIG-IQ version 5.2 and 5.3:
1. Disassociate the BIG-IQ systems in the high availability (HA) pair.
2. Recover signatures by copying /shared/ssh/root/known_hosts to /root/.ssh/known_hosts.
3. Re-establish the high availability (HA) pair.

To avoid this issue when you upgrade to BIG-IQ version 5.4, preserve the accepted host signatures by copying /root/.ssh/known_hosts to /shared/ssh/root/known_hosts.
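
A check for the condition described under Impact, added here as an example and not F5 code: it reports whether root's known_hosts is still linked to the /shared copy and lists accepted host keys that exist only in the local file. It assumes the healthy layout is a symlink from /root/.ssh/known_hosts to /shared/ssh/root/known_hosts (inferred from the workaround paths); the function names and the `--report` switch are hypothetical.

```shell
#!/bin/sh
# Added example (not F5 code). Assumption: on a healthy system
# /root/.ssh/known_hosts is a symlink to /shared/ssh/root/known_hosts.

# check_known_hosts [local] [shared]
# Prints intact | detached | missing; returns 0, 1 or 2 respectively.
check_known_hosts() {
    local_kh="${1:-/root/.ssh/known_hosts}"
    shared_kh="${2:-/shared/ssh/root/known_hosts}"
    # Resolve the link target; an empty result means it could not be resolved.
    target=$(readlink -f "$local_kh" 2>/dev/null) || target=
    if [ -L "$local_kh" ] && [ -n "$target" ] &&
       [ "$target" = "$(readlink -f "$shared_kh" 2>/dev/null)" ]; then
        echo intact; return 0
    fi
    if [ -e "$local_kh" ] || [ -L "$local_kh" ]; then
        # Regular file (what ssh-keygen -R leaves behind) or a stray link.
        echo detached; return 1
    fi
    echo missing; return 2
}

# unsaved_entries [local] [shared]
# Prints host-key lines that exist only in the local file, that is,
# the entries that would not survive an upgrade.
unsaved_entries() {
    local_kh="${1:-/root/.ssh/known_hosts}"
    shared_kh="${2:-/shared/ssh/root/known_hosts}"
    [ -f "$local_kh" ] || return 0
    if [ -f "$shared_kh" ]; then
        # Whole-line, fixed-string comparison; no output means nothing is unsaved.
        grep -Fvx -f "$shared_kh" "$local_kh" || true
    else
        cat "$local_kh"
    fi
}

# Report only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--report" ]; then
    state=$(check_known_hosts) || true
    echo "known_hosts state: $state"
    [ "$state" = intact ] || unsaved_entries
fi
```

A `detached` result with a non-empty list from `unsaved_entries` means those host keys should be copied to the /shared file before upgrading, as the workaround describes.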

Fix Information

None

Behavior Change