(remove Draft tag) |
(Marked this version for translation) |
Line 3: | Line 3: | ||
<translate> | <translate> | ||
=SSH Changes (Summer 2019)= | =SSH Changes (Summer 2019)= <!--T:1--> | ||
<!--T:2--> | |||
With constant increase in computing power over time, some encryption algorithms | With constant increase in computing power over time, some encryption algorithms | ||
and protocols which were reasonably secure ten or fifteen years ago can no longer be used without an unacceptable risk of the connection being compromised by a third party. For this reason, Compute Canada is modifying its policies and practices regarding [[SSH]], the tool used to verify the identity of clusters and users to one another. Some users may have to update their SSH client software, some may have to generate a new public/private key-pair, and everyone will have to update the local copy of the "host key" which is used to identify each Compute Canada cluster. | and protocols which were reasonably secure ten or fifteen years ago can no longer be used without an unacceptable risk of the connection being compromised by a third party. For this reason, Compute Canada is modifying its policies and practices regarding [[SSH]], the tool used to verify the identity of clusters and users to one another. Some users may have to update their SSH client software, some may have to generate a new public/private key-pair, and everyone will have to update the local copy of the "host key" which is used to identify each Compute Canada cluster. | ||
== What is changing? == | == What is changing? == <!--T:3--> | ||
<!--T:4--> | |||
During the summer of 2019, we will make the following SSH security improvements on Compute Canada clusters. We will: | During the summer of 2019, we will make the following SSH security improvements on Compute Canada clusters. We will: | ||
<!--T:5--> | |||
# Disable certain encryption algorithms. | # Disable certain encryption algorithms. | ||
# Disable certain public key types. | # Disable certain public key types. | ||
# Regenerate the cluster's host keys. | # Regenerate the cluster's host keys. | ||
<!--T:6--> | |||
If you do not understand the significance of "encryption algoriithms", "public keys", or "host keys", do not be alarmed. Simply follow the steps outlined below. | If you do not understand the significance of "encryption algoriithms", "public keys", or "host keys", do not be alarmed. Simply follow the steps outlined below. | ||
== Updating your client's known host list == | == Updating your client's known host list == <!--T:7--> | ||
<!--T:8--> | |||
The first time you login to a Compute Canada cluster after the changes, you will probably see the following warning message: | The first time you login to a Compute Canada cluster after the changes, you will probably see the following warning message: | ||
<!--T:9--> | |||
<pre> | <pre> | ||
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | ||
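Review bot: "encryption algoriithms" in the line beginning "If you do not understand the significance" is misspelled on both sides of this hunk; since this revision marks the page for translation, correct it to "encryption algorithms" now, before the translation units are created and the typo is copied into every language version.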
Line 39: | Line 45: | ||
</pre> | </pre> | ||
<!--T:10--> | |||
This warning is displayed because the host keys on the cluster (in this case [[Graham]]) were changed, and your SSH client software remembers the old host keys. (It does this to prevent [https://en.wikipedia.org/wiki/Man-in-the-middle_attack "man-in-the-middle" attacks].) | This warning is displayed because the host keys on the cluster (in this case [[Graham]]) were changed, and your SSH client software remembers the old host keys. (It does this to prevent [https://en.wikipedia.org/wiki/Man-in-the-middle_attack "man-in-the-middle" attacks].) | ||
<!--T:11--> | |||
You may also get a warning regarding "DNS spoofing", which is related to the same change. | You may also get a warning regarding "DNS spoofing", which is related to the same change. | ||
=== MobaXterm, PuTTY, or WinSCP === | === MobaXterm, PuTTY, or WinSCP === <!--T:12--> | ||
<!--T:13--> | |||
If you are using MobaXterm, PuTTY, or WinSCP as your ssh (or scp) client under Windows, the warning will appear in a pop-up window and will allow you to accept the new host key by clicking "Yes". '''Only click yes if the fingerprint matches one of the fingerprints listed below''' in the section [[SSH_changes#SSH_host_key_fingerprints|SSH host key fingerprints]]. If the fingerprint does not match any on the list below, do not accept the connection, and contact [[Technical support]] with the details. | If you are using MobaXterm, PuTTY, or WinSCP as your ssh (or scp) client under Windows, the warning will appear in a pop-up window and will allow you to accept the new host key by clicking "Yes". '''Only click yes if the fingerprint matches one of the fingerprints listed below''' in the section [[SSH_changes#SSH_host_key_fingerprints|SSH host key fingerprints]]. If the fingerprint does not match any on the list below, do not accept the connection, and contact [[Technical support]] with the details. | ||
=== macOS, Linux, GitBash or Cygwin === | === macOS, Linux, GitBash or Cygwin === <!--T:14--> | ||
<!--T:15--> | |||
If you are using the command line <tt>ssh</tt> command on macOS, Linux, GitBash or Cygwin, you should tell your system to "forget" the old host key by running one of the following commands: | If you are using the command line <tt>ssh</tt> command on macOS, Linux, GitBash or Cygwin, you should tell your system to "forget" the old host key by running one of the following commands: | ||
ssh-keygen -R graham.computecanada.ca | <!--T:16--> | ||
ssh-keygen -R graham.computecanada.ca | |||
ssh-keygen -R cedar.computecanada.ca | ssh-keygen -R cedar.computecanada.ca | ||
ssh-keygen -R beluga.computecanada.ca | ssh-keygen -R beluga.computecanada.ca | ||
<!--T:17--> | |||
Afterwards, the next time you ssh to the cluster you'll be asked to confirm the new host keys, e.g.: | Afterwards, the next time you ssh to the cluster you'll be asked to confirm the new host keys, e.g.: | ||
$ ssh graham.computecanada.ca | <!--T:18--> | ||
$ ssh graham.computecanada.ca | |||
The authenticity of host 'graham.computecanada.ca (142.150.188.70)' can't be established. | The authenticity of host 'graham.computecanada.ca (142.150.188.70)' can't be established. | ||
ED25519 key fingerprint is SHA256:mf1jJ3ndpXhpo0k38xVxjH8Kjtq3o1+ZtTVbeM0xeCk. | ED25519 key fingerprint is SHA256:mf1jJ3ndpXhpo0k38xVxjH8Kjtq3o1+ZtTVbeM0xeCk. | ||
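Review bot: the three `ssh-keygen -R` commands in this hunk remove only known_hosts entries stored under the hostname, but the sample output a few lines below shows the cluster's IP address 142.150.188.70, and an entry keyed by that IP (left behind when a user previously connected by IP, or by a client that records both) is not touched by `ssh-keygen -R graham.computecanada.ca`. Suggest adding a sentence after the command list noting that users who have connected by IP address should also run `ssh-keygen -R` with that address, and that anyone still seeing the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning after this step should stop and compare the fingerprint against the list rather than edit known_hosts by hand.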
Line 63: | Line 76: | ||
Are you sure you want to continue connecting (yes/no)? | Are you sure you want to continue connecting (yes/no)? | ||
<!--T:19--> | |||
'''Only type yes if the fingerprint matches one of the fingerprints listed below''' in the section [[SSH_changes#SSH_host_key_fingerprints|SSH host key fingerprints]]. If the fingerprint does not match any on the list below, do not accept the connection, and contact [[Technical support]] with the details. | '''Only type yes if the fingerprint matches one of the fingerprints listed below''' in the section [[SSH_changes#SSH_host_key_fingerprints|SSH host key fingerprints]]. If the fingerprint does not match any on the list below, do not accept the connection, and contact [[Technical support]] with the details. | ||
== Troubleshooting == | == Troubleshooting == <!--T:20--> | ||
=== My SSH key no longer works === | === My SSH key no longer works === <!--T:21--> | ||
<!--T:22--> | |||
If you're being asked for a password, but were using SSH keys previously on the same system, | If you're being asked for a password, but were using SSH keys previously on the same system, | ||
it's likely because 1024-bit DSA & RSA keys have been disabled. | it's likely because 1024-bit DSA & RSA keys have been disabled. | ||
<!--T:23--> | |||
You need to generate a new stronger key. The process for doing this depends on the operating system you use, either [[Generating SSH keys in Windows|Windows]] or [[Using SSH keys in Linux|Linux/macOS]]. Those instructions also describe how to add your client's new public key to the remote host, so that you can authenticate with the key rather than needing to provide a password. | You need to generate a new stronger key. The process for doing this depends on the operating system you use, either [[Generating SSH keys in Windows|Windows]] or [[Using SSH keys in Linux|Linux/macOS]]. Those instructions also describe how to add your client's new public key to the remote host, so that you can authenticate with the key rather than needing to provide a password. | ||
=== I can't connect! === | === I can't connect! === <!--T:24--> | ||
<!--T:25--> | |||
If you see one of the following error messages: | If you see one of the following error messages: | ||
Unable to negotiate with 142.150.188.70 port 22: no matching cipher found. | <!--T:26--> | ||
Unable to negotiate with 142.150.188.70 port 22: no matching cipher found. | |||
Unable to negotiate with 142.150.188.70 port 22: no matching key exchange method found. | Unable to negotiate with 142.150.188.70 port 22: no matching key exchange method found. | ||
Unable to negotiate with 142.150.188.70 port 22: no matching mac found. | Unable to negotiate with 142.150.188.70 port 22: no matching mac found. | ||
<!--T:27--> | |||
you need to upgrade your SSH client to one of the compatible clients shown below. | you need to upgrade your SSH client to one of the compatible clients shown below. | ||
=== Which clients are compatible with the new configuration? === | === Which clients are compatible with the new configuration? === <!--T:28--> | ||
The list below is not exhaustive, but we have tested the configuration with the following clients. Earlier versions of these clients may or may not work. We recommend that you update your operating system and SSH client to the latest version compatible with your hardware. | The list below is not exhaustive, but we have tested the configuration with the following clients. Earlier versions of these clients may or may not work. We recommend that you update your operating system and SSH client to the latest version compatible with your hardware. | ||
==== Linux clients ==== | ==== Linux clients ==== <!--T:29--> | ||
* OpenSSH_7.4p1, OpenSSL 1.0.2k-fips (CentOS 7.5, 7.6) | * OpenSSH_7.4p1, OpenSSL 1.0.2k-fips (CentOS 7.5, 7.6) | ||
* OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13, OpenSSL 1.0.1f (Ubuntu 14) | * OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13, OpenSSL 1.0.1f (Ubuntu 14) | ||
==== OS X clients ==== | ==== OS X clients ==== <!--T:30--> | ||
You can determine the exact version of your SSH client on OS X using the command <tt>ssh -V</tt>. | You can determine the exact version of your SSH client on OS X using the command <tt>ssh -V</tt>. | ||
* OpenSSH 7.4p1, OpenSSL 1.0.2k (Homebrew) | * OpenSSH 7.4p1, OpenSSL 1.0.2k (Homebrew) | ||
* OpenSSH 7.9p1, LibreSSL 2.7.3 (OS X 10.14.5) | * OpenSSH 7.9p1, LibreSSL 2.7.3 (OS X 10.14.5) | ||
==== Windows clients ==== | ==== Windows clients ==== <!--T:31--> | ||
* MobaXterm Personal Edition v11.1 | * MobaXterm Personal Edition v11.1 | ||
==== iOS clients ==== | ==== iOS clients ==== <!--T:32--> | ||
* Termius, 4.3.12 | * Termius, 4.3.12 | ||
= SSH host key fingerprints = | = SSH host key fingerprints = <!--T:33--> | ||
{{:SSH_host_keys}} | {{:SSH_host_keys}} | ||
</translate> | </translate> |
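Review bot: the `ssh -V` tip appears only under "OS X clients", yet the same command works for the Linux clients listed just above it and for GitBash/Cygwin, and the "I can't connect!" section tells users to upgrade without saying how to find out which version they have. Suggest moving the sentence "You can determine the exact version of your SSH client ... using the command ssh -V" up into the introduction of "Which clients are compatible with the new configuration?" so it covers every OpenSSH-based client, and leaving the OS X subsection as a plain list like the others.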