(Created page with "=SSH Changes (Summer 2019)= With the passage of time and significant increase in computing power available, a variety of encryption algorithms and protocols which were reaso...") |
No edit summary |
Line 6: | Line 6: | ||
== What Changed? == | == What Changed? == | ||
During the | During the summer of 2019, we will make the following SSH security improvements on Compute Canada clusters: | ||
# | # Disable certain weak encryption algorithms. | ||
# | # Disable certain weak public key types. | ||
# | # Regenerate the cluster's host keys. | ||
== Updating your client's known host list == | == Updating your client's known host list == | ||
The first time you login to | The first time you login to a Compute Canada cluster after the changes, you will probably see the following warning message: | ||
<pre> | <pre> | ||
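Review bot: The list items "Disable certain weak encryption algorithms" and "Disable certain weak public key types" do not name what is being disabled, so a reader cannot tell in advance whether their client or their key is affected. Suggest listing the removed algorithms and key types in these items, or linking each item to wherever that list is kept. Minor: in "The first time you login to a Compute Canada cluster", the verb should be "log in".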
Line 28: | Line 28: | ||
Add correct host key in /home/username/.ssh/known_hosts to get rid of this message. | Add correct host key in /home/username/.ssh/known_hosts to get rid of this message. | ||
Offending ECDSA key in /home/username/.ssh/known_hosts:109 | Offending ECDSA key in /home/username/.ssh/known_hosts:109 | ||
ED25519 host key for | ED25519 host key for graham.computecanada.ca has changed and you have requested strict checking. | ||
Host key verification failed. | Host key verification failed. | ||
Killed by signal 1. | Killed by signal 1. | ||
</pre> | </pre> | ||
This warning is displayed because the host keys on | This warning is displayed because the host keys on the cluster (in this case [[Graham]]) changed to increase the data centre's security, and ssh clients remember old host keys to prevent [https://en.wikipedia.org/wiki/Man-in-the-middle_attack "man-in-the-middle" attacks]. | ||
You may also get a warning regarding "DNS spoofing", which is related to the same change. | You may also get a warning regarding "DNS spoofing", which is related to the same change. | ||
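Review bot: The paragraph beginning "This warning is displayed because the host keys on the cluster" explains why the message appears but gives the reader no way to tell this expected key change from a real interception, which is the case the warning exists for. Suggest adding that the warning is expected once per cluster after the change and that the new key should be checked against a fingerprint obtained from a trusted source before the old entry is discarded. The "DNS spoofing" sentence would also be easier to act on if it quoted the warning text, as is done for the host key message.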
Line 41: | Line 41: | ||
If you are using the command line ssh command on macOS, Linux, GitBash or Cygwin, you should tell your system to "forget" the old host keys, by running the following commands: | If you are using the command line ssh command on macOS, Linux, GitBash or Cygwin, you should tell your system to "forget" the old host keys, by running the following commands: | ||
ssh-keygen -R | ssh-keygen -R graham.computecanada.ca | ||
ssh-keygen -R | ssh-keygen -R cedar.computecanada.ca | ||
ssh-keygen -R | ssh-keygen -R beluga.computecanada.ca | ||
Afterwards, the next time you ssh to | Afterwards, the next time you ssh to the cluster you'll be asked to confirm the new host keys, e.g.: | ||
$ ssh | $ ssh graham.computecanada.ca | ||
The authenticity of host ' | The authenticity of host 'graham.computecanada.ca (142.150.188.70)' can't be established. | ||
ED25519 key fingerprint is SHA256:SauX2nL+Yso9KBo2Ca6GH/V9cSFLFXwxOECGWXZ5pxc. | ED25519 key fingerprint is SHA256:SauX2nL+Yso9KBo2Ca6GH/V9cSFLFXwxOECGWXZ5pxc. | ||
ED25519 key fingerprint is MD5:b4:ae:76:a5:2b:37:8d:57:06:0e:9a:de:62:00:26:be. | ED25519 key fingerprint is MD5:b4:ae:76:a5:2b:37:8d:57:06:0e:9a:de:62:00:26:be. | ||
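Review bot: Nothing in this hunk tells the reader to compare the fingerprint shown in the prompt with a trusted value. The sentence "you'll be asked to confirm the new host keys" leads straight into the sample output, so as written the steps read as "remove the old key, then accept whatever is offered". Suggest saying where the official fingerprints for each cluster are published and that the prompt should be confirmed only when the displayed SHA256 or MD5 value matches. Also, the ssh-keygen -R lines cover graham, cedar and beluga only; if other clusters or alternate host names are part of the change, list them or state that the command must be repeated for each name the reader connects to.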
Line 74: | Line 70: | ||
Unable to negotiate with 142.150.188.70 port 22: no matching mac found. | Unable to negotiate with 142.150.188.70 port 22: no matching mac found. | ||
you need to upgrade your | you need to upgrade your SSH client. | ||
=== My SSH key no longer works === | === My SSH key no longer works === |
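Review bot: "you need to upgrade your SSH client" gives no target, so a reader who sees "no matching mac found" does not know which client version is new enough or whether an upgrade is available on their platform. Suggest naming the minimum client version that supports the MACs the clusters now accept, or listing those MACs so readers can check their own client.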