SSH security improvements: Difference between revisions

Jump to navigation Jump to search
no edit summary
(Created page with "=SSH Changes (Summer 2019)= With the passage of time and significant increase in computing power available, a variety of encryption algorithms and protocols which were reaso...")
 
No edit summary
Line 6: Line 6:
== What Changed? ==
== What Changed? ==


During the 29-30 May 2019 shutdown, we made the following ssh security improvements on Niagara:
During the summer of 2019, we will make the following SSH security improvements on Compute Canada clusters:


# Disabled certain weak encryption algorithms.
# Disable certain weak encryption algorithms.
# Disabled certain weak public key types.
# Disable certain weak public key types.
# Regenerated Niagara's host keys.
# Regenerate the cluster's host keys.


== Updating your client's known host list ==
== Updating your client's known host list ==


The first time you login to Niagara after the shutdown, you will probably see the following warning message:
The first time you login to a Compute Canada cluster after the changes, you will probably see the following warning message:


<pre>
<pre>
Line 28: Line 28:
Add correct host key in /home/username/.ssh/known_hosts to get rid of this message.
Add correct host key in /home/username/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/username/.ssh/known_hosts:109
Offending ECDSA key in /home/username/.ssh/known_hosts:109
ED25519 host key for niagara.scinet.utoronto.ca has changed and you have requested strict checking.
ED25519 host key for graham.computecanada.ca has changed and you have requested strict checking.
Host key verification failed.
Host key verification failed.
Killed by signal 1.
Killed by signal 1.
</pre>
</pre>


This warning is displayed because the host keys on Niagara changed to increase the data centre's security, and ssh clients remember old host keys to prevent [https://en.wikipedia.org/wiki/Man-in-the-middle_attack "man-in-the-middle" attacks].  
This warning is displayed because the host keys on the cluster (in this case [[Graham]]) changed to increase the data centre's security, and ssh clients remember old host keys to prevent [https://en.wikipedia.org/wiki/Man-in-the-middle_attack "man-in-the-middle" attacks].  


You may also get a warning regarding "DNS spoofing", which is related to the same change.
You may also get a warning regarding "DNS spoofing", which is related to the same change.
Line 41: Line 41:
If you are using the command line ssh command on macOS, Linux, GitBash or Cygwin, you should tell your system to "forget" the old host keys, by running the following commands:
If you are using the command line ssh command on macOS, Linux, GitBash or Cygwin, you should tell your system to "forget" the old host keys, by running the following commands:


  ssh-keygen -R niagara.scinet.utoronto.ca
  ssh-keygen -R graham.computecanada.ca
  ssh-keygen -R niagara.computecanada.ca
  ssh-keygen -R cedar.computecanada.ca
  ssh-keygen -R 142.150.188.70
  ssh-keygen -R beluga.computecanada.ca
ssh-keygen -R nia-datamover1.scinet.utoronto.ca
ssh-keygen -R nia-datamover2.scinet.utoronto.ca
ssh-keygen -R 142.150.188.131
ssh-keygen -R 142.150.188.132


Afterwards, the next time you ssh to Niagara you'll be asked to confirm the new host keys, e.g.:
Afterwards, the next time you ssh to the cluster you'll be asked to confirm the new host keys, e.g.:


  $ ssh niagara.scinet.utoronto.ca
  $ ssh graham.computecanada.ca
  The authenticity of host 'niagara.scinet.utoronto.ca (142.150.188.70)' can't be established.
  The authenticity of host 'graham.computecanada.ca (142.150.188.70)' can't be established.
  ED25519 key fingerprint is SHA256:SauX2nL+Yso9KBo2Ca6GH/V9cSFLFXwxOECGWXZ5pxc.
  ED25519 key fingerprint is SHA256:SauX2nL+Yso9KBo2Ca6GH/V9cSFLFXwxOECGWXZ5pxc.
  ED25519 key fingerprint is MD5:b4:ae:76:a5:2b:37:8d:57:06:0e:9a:de:62:00:26:be.
  ED25519 key fingerprint is MD5:b4:ae:76:a5:2b:37:8d:57:06:0e:9a:de:62:00:26:be.
Line 74: Line 70:
  Unable to negotiate with 142.150.188.70 port 22: no matching mac found.
  Unable to negotiate with 142.150.188.70 port 22: no matching mac found.


you need to upgrade your ssh client.
you need to upgrade your SSH client.


=== My SSH key no longer works ===
=== My SSH key no longer works ===
Bureaucrats, cc_docs_admin, cc_staff
2,306

edits

Navigation menu