cc_staff
176
edits
SSH security improvements: Difference between revisions
Jump to navigation
Jump to search
m
more minor
m (right nits this time) |
m (more minor) |
||
| Line 7: | Line 7: | ||
<!--T:37--> | <!--T:37--> | ||
[[SSH]] is the software protocol that you use to connect to Compute Canada clusters. It protects the security of your | [[SSH]] is the software protocol that you use to connect to Compute Canada clusters. It protects the security of your communication by verifying the server’s identity and yours against known identification data, and by encrypting the connection. Because security risks evolve over time, Compute Canada will soon end support for certain SSH options which are no longer deemed secure. You will have to make some changes on your part in order to continue using our clusters. The changes are outlined in the flowchart to the right, and explained in greater detail below. | ||
=SSH changes (Summer 2019)= <!--T:1--> | =SSH changes (Summer 2019)= <!--T:1--> | ||
| Line 14: | Line 14: | ||
<!--T:2 | <!--T:2 | ||
With constant increase in computing power over time, some encryption algorithms | With constant increase in computing power over time, some encryption algorithms | ||
and protocols which were reasonably secure ten or fifteen years ago now pose an unacceptable risk of the connection being compromised by a third party. For this reason, Compute Canada is modifying its policies and practices regarding [[SSH]], the principal tool used to provide secure access to its clusters. Some users may have to update their SSH client software, some may have to generate a new public/private key-pair, and everyone will have to update | and protocols which were reasonably secure ten or fifteen years ago now pose an unacceptable risk of the connection being compromised by a third party. For this reason, Compute Canada is modifying its policies and practices regarding [[SSH]], the principal tool used to provide secure access to its clusters. Some users may have to update their SSH client software, some may have to generate a new public/private key-pair, and everyone will have to update their local copy of the "host key" which is used to identify each Compute Canada cluster. --> | ||
== What is changing? == <!--T:3--> | == What is changing? == <!--T:3--> | ||
| Line 35: | Line 35: | ||
<!--T:8--> | <!--T:8--> | ||
The first time you login to a Compute Canada cluster after the changes, you will probably see the following | The first time you login to a Compute Canada cluster after the changes, you will probably see a warning message like the following: | ||
<!--T:9--> | <!--T:9--> | ||
| Line 56: | Line 56: | ||
<!--T:10--> | <!--T:10--> | ||
This warning is displayed because the host keys on the cluster (in this case [[Graham]]) were changed, and your SSH client software remembers the old host keys. (It does this to prevent [https://en.wikipedia.org/wiki/Man-in-the-middle_attack "man-in-the-middle" attacks].) This will happen for your SSH client on each device from which you connect | This warning is displayed because the host keys on the cluster (in this case [[Graham]]) were changed, and your SSH client software remembers the old host keys. (It does this to prevent [https://en.wikipedia.org/wiki/Man-in-the-middle_attack "man-in-the-middle" attacks].) This will happen for your SSH client on each device from which you connect, so you may see it multiple times. | ||
<!--T:11--> | <!--T:11--> | ||
| Line 114: | Line 114: | ||
<!--T:25--> | <!--T:25--> | ||
If you see | If you see any of the following error messages: | ||
<!--T:26--> | |||
Unable to negotiate with 142.150.188.70 port 22: no matching cipher found. | Unable to negotiate with 142.150.188.70 port 22: no matching cipher found. | ||
Unable to negotiate with 142.150.188.70 port 22: no matching key exchange method found. | Unable to negotiate with 142.150.188.70 port 22: no matching key exchange method found. | ||
Unable to negotiate with 142.150.188.70 port 22: no matching mac found. | Unable to negotiate with 142.150.188.70 port 22: no matching mac found. | ||