SSH security improvements: Difference between revisions

no edit summary
No edit summary
No edit summary
Line 73: Line 73:
<!--T:15-->
<!--T:15-->
If you are using the command line <tt>ssh</tt> command on macOS, Linux, GitBash or Cygwin, you should tell your system to "forget" the old host key by running one of the following commands:
If you are using the command line <tt>ssh</tt> command on macOS, Linux, GitBash or Cygwin, you should tell your system to "forget" the old host key by running one of the following commands:
</translate>


<!--T:16-->
  for h in 2620:123:7002:4::{2..5} 199.241.166.{2..5} {gra-login{1..3},graham,gra-dtn,gra-dtn1,gra-platform,gra-platform1}.{sharcnet,computecanada}.ca; do ssh-keygen -R $h; done
  for h in 2620:123:7002:4::{2..5} 199.241.166.{2..5} {gra-login{1..3},graham,gra-dtn,gra-dtn1,gra-platform,gra-platform1}.{sharcnet,computecanada}.ca; do ssh-keygen -R $h; done
  ssh-keygen -R cedar.computecanada.ca
  ssh-keygen -R cedar.computecanada.ca
  ssh-keygen -R beluga.computecanada.ca
  ssh-keygen -R beluga.computecanada.ca


<translate>
<!--T:17-->
<!--T:17-->
Afterwards, the next time you ssh to the cluster you'll be asked to confirm the new host keys, e.g.:
Afterwards, the next time you ssh to the cluster you'll be asked to confirm the new host keys, e.g.:
</translate>


<!--T:18-->
  $ ssh graham.computecanada.ca
  $ ssh graham.computecanada.ca
  The authenticity of host 'graham.computecanada.ca (142.150.188.70)' can't be established.
  The authenticity of host 'graham.computecanada.ca (142.150.188.70)' can't be established.
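Review bot: The cleanup commands in this hunk are not symmetric: the graham loop removes entries by IPv6 address, IPv4 address and hostname, while cedar and beluga are removed by hostname only (ssh-keygen -R cedar.computecanada.ca, ssh-keygen -R beluga.computecanada.ca). A client that also recorded those two clusters under their IP addresses keeps the stale key and will still get a host key warning after following these steps. Either add the cedar and beluga addresses to the list, or add a sentence telling users to rerun ssh-keygen -R with the address named in the warning. The loop also depends on brace expansion ({2..5}, {gra-login{1..3},...}), so it is worth saying it must be run in bash or another shell that supports it, and quoting "$h" in the loop body.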
Line 89: Line 90:
  Are you sure you want to continue connecting (yes/no)?  
  Are you sure you want to continue connecting (yes/no)?  


<translate>
<!--T:19-->
<!--T:19-->
'''Only type yes if the fingerprint matches one listed in the [[SSH_changes#SSH_host_key_fingerprints|SSH host key fingerprints]]''' at the bottom of this page. If the fingerprint does not match any on the list below, do not accept the connection, and contact [[Technical support]] with the details.
'''Only type yes if the fingerprint matches one listed in the [[SSH_changes#SSH_host_key_fingerprints|SSH host key fingerprints]]''' at the bottom of this page. If the fingerprint does not match any on the list below, do not accept the connection, and contact [[Technical support]] with the details.
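Review bot: The fingerprint link in the bold sentence targets [[SSH_changes#SSH_host_key_fingerprints|...]], while the same sentence says the list is "at the bottom of this page" and the page title is "SSH security improvements". Since this is the step where the user decides whether to trust a key, the link should not depend on a redirect or on another page staying in sync. Pointing it at the same-page section anchor would keep the instruction and its target together.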
Line 119: Line 121:
If you see any of the following error messages:
If you see any of the following error messages:


<!--T:26-->
</translate>
 
  Unable to negotiate with 142.150.188.70 port 22: no matching cipher found.
  Unable to negotiate with 142.150.188.70 port 22: no matching cipher found.
  Unable to negotiate with 142.150.188.70 port 22: no matching key exchange method found.
  Unable to negotiate with 142.150.188.70 port 22: no matching key exchange method found.
  Unable to negotiate with 142.150.188.70 port 22: no matching mac found.
  Unable to negotiate with 142.150.188.70 port 22: no matching mac found.
<translate>


<!--T:27-->
<!--T:27-->
Line 151: Line 156:
= SSH host key fingerprints = <!--T:33-->
= SSH host key fingerprints = <!--T:33-->
To retrieve the host fingerprints remotely, one can use the following commands:
To retrieve the host fingerprints remotely, one can use the following commands:
</translate>
  ssh-keyscan <hostname> | ssh-keygen -E md5 -l -f -
  ssh-keyscan <hostname> | ssh-keygen -E md5 -l -f -
  ssh-keyscan <hostname> | ssh-keygen -E sha256 -l -f -
  ssh-keyscan <hostname> | ssh-keygen -E sha256 -l -f -
<translate>


<!--T:43-->
<!--T:43-->
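Review bot: The sentence introducing the two ssh-keyscan commands under "SSH host key fingerprints" presents them as a way to retrieve the fingerprints, but ssh-keyscan does not authenticate the host it scans, so the output is only as trustworthy as the network path it came over. As written, a reader could take the scan result as the reference value. Suggest adding that the output is to be compared against the fingerprints published in this section and is not a substitute for them, which also keeps it consistent with the earlier instruction to type yes only when the fingerprint matches the published list.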