SSH security improvements: Difference between revisions

simplified intro
(simplified intro)
Line 3: Line 3:
=SSH Changes (Summer 2019)=
=SSH Changes (Summer 2019)=


With the passage of time and significant increase in computing power available, a variety of encryption algorithms  
With constant increase in computing power over time, some encryption algorithms  
and protocols which were reasonably secure ten or fifteen years ago can no longer be used without an elevated risk of the connection being compromised by a third party. For this reason, Compute Canada is modifying its policies for the use of [[SSH]] in order to require more secure ciphers and increasing the length of the keys used to verify the identity of clusters and users to one another. For some users, this will mean having to update their SSH client software or generate a new public/private keypair, while everyone will have to update the local copy of the key which is used to identify the Compute Canada clusters to which they connect.     
and protocols which were reasonably secure ten or fifteen years ago can no longer be used without an unacceptable risk of the connection being compromised by a third party. For this reason, Compute Canada is modifying its policies and practices regarding [[SSH]], the tool used to verify the identity of clusters and users to one another. Some users may have to update their SSH client software, some may have to generate a new public/private key-pair, and everyone will have to update the local copy of the "host key" which is used to identify each Compute Canada cluster.     


== What Changed? ==
== What is changing? ==


During the summer of 2019, we will make the following SSH security improvements on Compute Canada clusters:
During the summer of 2019, we will make the following SSH security improvements on Compute Canada clusters.  We will:


# Disable certain weak encryption algorithms.
# Disable certain encryption algorithms.
# Disable certain weak public key types.
# Disable certain public key types.
# Regenerate the cluster's host keys.
# Regenerate the cluster's host keys.
If you do not understand the significance of "encryption algoriithms", "public keys", or "host keys", do not be alarmed.  Simply follow the steps outlined below.


== Updating your client's known host list ==
== Updating your client's known host list ==
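Review bot: The sentence added after the numbered list misspells "algorithms" as "algoriithms"; please fix that before this revision goes live. In the same hunk, the list items drop "weak" ("Disable certain encryption algorithms", "Disable certain public key types"), so the list no longer says why those algorithms and key types are being disabled; consider keeping "weak" or adding a short reason. The rewritten intro also describes SSH only as "the tool used to verify the identity of clusters and users to one another" and loses the earlier statement that the policy requires more secure ciphers and longer keys, which is the actual content of the change.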
Line 35: Line 37:
</pre>
</pre>


This warning is displayed because the host keys on the cluster (in this case [[Graham]]) changed to increase the data centre's security, and ssh clients remember old host keys to prevent [https://en.wikipedia.org/wiki/Man-in-the-middle_attack "man-in-the-middle" attacks].  
This warning is displayed because the host keys on the cluster (in this case [[Graham]]) were changed, and your SSH client software remembers the old host keys.  (It does this to prevent [https://en.wikipedia.org/wiki/Man-in-the-middle_attack "man-in-the-middle" attacks].)


You may also get a warning regarding "DNS spoofing", which is related to the same change.
You may also get a warning regarding "DNS spoofing", which is related to the same change.
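Review bot: The rewritten explanation says the client remembers old host keys to prevent man-in-the-middle attacks, but it gives the reader no way to tell this expected key change apart from the attack the warning exists to catch. Consider adding a sentence here telling readers to compare the host key fingerprint shown in the warning with the fingerprint published for the cluster before they update their known host list. The revision also removes the reason for the change ("to increase the data centre's security"); a short reason helps readers trust that the warning is expected.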