SSH key verification

Note

This howto is also valid for key verification when logging in for the first time.

If you already have the public key saved in your ~/.ssh/known_hosts file and the frontend presents a different one, you will see a message similar to the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:bZfXg8ZTXR3KlUNbJ8rhMP0QOtbGdp7sMPCW22bIE0M.
Please contact your system administrator.
Add correct host key in /home/user123/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/user123/.ssh/known_hosts:1
  remove with:
  ssh-keygen -f "/home/user123/.ssh/known_hosts" -R "skirit.ics.muni.cz"
Host key for skirit.ics.muni.cz has changed and you have requested strict checking.
Host key verification failed.

This normally happens when the frontend is reinstalled or its key is regenerated by the admins (for whatever reason). However, it may also be a sign of an attack in which a foreign machine pretends to be a frontend.

How to verify the key

  1. Go to the PBSmon page with host SSH key fingerprints. This page is managed by our admins. It contains fingerprints of the SSH keys of all our hosts (computing nodes as well as frontends).
  2. Search for the name of the host you tried to log in to, e.g. "skirit.ics.muni.cz". You will find several consecutive lines containing this name.
  3. Among these lines, select the one that contains the key type noted in the warning message, e.g. "ED25519".
  4. From this line, select the string that follows "SHA256:" and ends at the first blank space.
  5. If this string is the same as the one displayed in the warning message (here bZfXg8ZTXR3KlUNbJ8rhMP0QOtbGdp7sMPCW22bIE0M), then the key is genuine and you can go on with removing the old key and replacing it with the new one.
  6. If the strings are different, do not log in and contact our user support.
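
Steps 2 to 6 as a script, an added example that is not part of the original howto. It assumes the fingerprint listing was saved to a text file with whitespace-separated fields (host name, key type, "SHA256:" fingerprint); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Assumed listing format (not confirmed by the page): one key per line,
# whitespace-separated fields: host name, key type, "SHA256:<fingerprint>".
sample_listing() {   # constructed sample lines; placeholder values are not real keys
cat <<'EOF'
skirit.ics.muni.cz RSA SHA256:CONSTRUCTEDrsaPLACEHOLDERfingerprint000000000
skirit.ics.muni.cz ED25519 SHA256:bZfXg8ZTXR3KlUNbJ8rhMP0QOtbGdp7sMPCW22bIE0M
otherhost.example.org ED25519 SHA256:CONSTRUCTEDotherPLACEHOLDERfingerprint000
EOF
}

# check_fingerprint LISTING HOST KEYTYPE FINGERPRINT
# returns 0 = match, 1 = mismatch, 2 = no line for this host and key type
check_fingerprint() {
    listing=$1; host=$2; keytype=$3
    # Accept the value as pasted from the warning: drop the "SHA256:" prefix
    # and the sentence-ending period (a period never occurs in base64).
    seen=${4#SHA256:}; seen=${seen%.}
    published=$(awk -v h="$host" -v t="$keytype" '{
        hit_h = 0; hit_t = 0; fp = ""
        for (i = 1; i <= NF; i++) {
            f = $i; gsub(/[()]/, "", f)            # tolerate "(ED25519)"
            if ($i == h) hit_h = 1                 # whole-field host match only
            if (f == t) hit_t = 1
            if (substr($i, 1, 7) == "SHA256:") fp = substr($i, 8)
        }
        if (hit_h && hit_t && fp != "") { print fp; exit }
    }' "$listing")
    [ -n "$published" ] || return 2
    [ "$published" = "$seen" ] || return 1   # exact, case-sensitive comparison
    return 0
}

demo() {
    tmp=$(mktemp); sample_listing > "$tmp"; rc=0
    check_fingerprint "$tmp" skirit.ics.muni.cz ED25519 \
        "SHA256:bZfXg8ZTXR3KlUNbJ8rhMP0QOtbGdp7sMPCW22bIE0M." || rc=$?
    rm -f "$tmp"
    case $rc in
        0) echo "match: key is genuine, replace the old known_hosts entry" ;;
        1) echo "MISMATCH: do not log in, contact user support" ;;
        *) echo "no published line for this host and key type" ;;
    esac
    return "$rc"
}
demo
```

Only on a match (return code 0) remove the old entry with the `ssh-keygen -R` command shown in the warning.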

In case you need to see the public keys of all hosts, there is also a complete list of public keys available.