Bureaucrats, cc_docs_admin, cc_staff, rsnt_translations
2,837
edits
SSH security improvements: Difference between revisions
Jump to navigation
Jump to search
no edit summary
No edit summary |
No edit summary |
||
| Line 73: | Line 73: | ||
<!--T:15--> | <!--T:15--> | ||
If you are using the command line <tt>ssh</tt> command on macOS, Linux, GitBash or Cygwin, you should tell your system to "forget" the old host key by running one of the following commands: | If you are using the command line <tt>ssh</tt> command on macOS, Linux, GitBash or Cygwin, you should tell your system to "forget" the old host key by running one of the following commands: | ||
</translate> | |||
for h in 2620:123:7002:4::{2..5} 199.241.166.{2..5} {gra-login{1..3},graham,gra-dtn,gra-dtn1,gra-platform,gra-platform1}.{sharcnet,computecanada}.ca; do ssh-keygen -R $h; done | for h in 2620:123:7002:4::{2..5} 199.241.166.{2..5} {gra-login{1..3},graham,gra-dtn,gra-dtn1,gra-platform,gra-platform1}.{sharcnet,computecanada}.ca; do ssh-keygen -R $h; done | ||
ssh-keygen -R cedar.computecanada.ca | ssh-keygen -R cedar.computecanada.ca | ||
ssh-keygen -R beluga.computecanada.ca | ssh-keygen -R beluga.computecanada.ca | ||
<translate> | |||
<!--T:17--> | <!--T:17--> | ||
Afterwards, the next time you ssh to the cluster you'll be asked to confirm the new host keys, e.g.: | Afterwards, the next time you ssh to the cluster you'll be asked to confirm the new host keys, e.g.: | ||
</translate> | |||
$ ssh graham.computecanada.ca | $ ssh graham.computecanada.ca | ||
The authenticity of host 'graham.computecanada.ca (142.150.188.70)' can't be established. | The authenticity of host 'graham.computecanada.ca (142.150.188.70)' can't be established. | ||
| Line 89: | Line 90: | ||
Are you sure you want to continue connecting (yes/no)? | Are you sure you want to continue connecting (yes/no)? | ||
<translate> | |||
<!--T:19--> | <!--T:19--> | ||
'''Only type yes if the fingerprint matches one listed in the [[SSH_changes#SSH_host_key_fingerprints|SSH host key fingerprints]]''' at the bottom of this page. If the fingerprint does not match any on the list below, do not accept the connection, and contact [[Technical support]] with the details. | '''Only type yes if the fingerprint matches one listed in the [[SSH_changes#SSH_host_key_fingerprints|SSH host key fingerprints]]''' at the bottom of this page. If the fingerprint does not match any on the list below, do not accept the connection, and contact [[Technical support]] with the details. | ||
| Line 119: | Line 121: | ||
If you see any of the following error messages: | If you see any of the following error messages: | ||
< | </translate> | ||
Unable to negotiate with 142.150.188.70 port 22: no matching cipher found. | Unable to negotiate with 142.150.188.70 port 22: no matching cipher found. | ||
Unable to negotiate with 142.150.188.70 port 22: no matching key exchange method found. | Unable to negotiate with 142.150.188.70 port 22: no matching key exchange method found. | ||
Unable to negotiate with 142.150.188.70 port 22: no matching mac found. | Unable to negotiate with 142.150.188.70 port 22: no matching mac found. | ||
<translate> | |||
<!--T:27--> | <!--T:27--> | ||
| Line 151: | Line 156: | ||
= SSH host key fingerprints = <!--T:33--> | = SSH host key fingerprints = <!--T:33--> | ||
To retrieve the host fingerprints remotely, one can use the following commands: | To retrieve the host fingerprints remotely, one can use the following commands: | ||
</translate> | |||
ssh-keyscan <hostname> | ssh-keygen -E md5 -l -f - | ssh-keyscan <hostname> | ssh-keygen -E md5 -l -f - | ||
ssh-keyscan <hostname> | ssh-keygen -E sha256 -l -f - | ssh-keyscan <hostname> | ssh-keygen -E sha256 -l -f - | ||
<translate> | |||
<!--T:43--> | <!--T:43--> | ||