SSH key verification
This how-to is also valid for key verification when logging in for the first time.
If you already have the frontend's public key saved in your ~/.ssh/known_hosts file and the frontend presents a different one, you will see a message similar to the following:
!!!WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!!!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:bZfXg8ZTXR3KlUNbJ8rhMP0QOtbGdp7sMPCW22bIE0M.
Please contact your system administrator.
Add the correct host key in /home/user123/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/user123/.ssh/known_hosts:1
remove with:
ssh-keygen -f "/home/user123/.ssh/known_hosts" -R "skirit.ics.muni.cz"
The host key for skirit.ics.muni.cz has changed and you have requested strict checking.
Host key verification failed.
This normally happens when the frontend is reinstalled or its key is regenerated by the admins (for whatever reason). However, it may also be a sign of an attack in which a foreign machine pretends to be a frontend.
How to verify the key
- Go to the PBSmon page with host SSH key fingerprints. This page is managed by our admins. It contains the fingerprints of the SSH keys of all our hosts (computing nodes as well as frontends).
- Search for the name of the host you tried to log in to, e.g. “skirit.ics.muni.cz”. You will find several consecutive lines containing this name.
- Among these lines, select the one that contains the key type noted in the warning message, e.g. “ED25519”.
- From this line, select the string that follows “SHA256:” and ends at the first blank space.
- If this string is the same as the one displayed in the warning message (here bZfXg8ZTXR3KlUNbJ8rhMP0QOtbGdp7sMPCW22bIE0M), then the key is genuine and you can go on with removing the old key and replacing it with the new one.
- If the strings are different, do not log in and contact our user support.
In case you need to see a list of public keys of all hosts, there is also a complete list of public keys available.
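The comparison from the steps above, written out as an added Python example (not part of the original how-to and not the site's own tooling). The layout of the fingerprint list is an assumption, and every listing value other than the fingerprint quoted in the warning is constructed.

```python
import re

# Warning text as shown on this page (only the lines the check needs).
WARNING = """\
The fingerprint for the ED25519 key sent by the remote host is
SHA256:bZfXg8ZTXR3KlUNbJ8rhMP0QOtbGdp7sMPCW22bIE0M.
The host key for skirit.ics.muni.cz has changed and you have requested strict checking.
"""

# Constructed stand-in for the published fingerprint list; the real page layout
# may differ. The RSA value and the example.org host are made-up placeholders.
LISTING = """\
skirit.ics.muni.cz RSA SHA256:AAAAconstructedRSAplaceholderAAAAAAAAAAAAAA host key
skirit.ics.muni.cz ED25519 SHA256:bZfXg8ZTXR3KlUNbJ8rhMP0QOtbGdp7sMPCW22bIE0M host key
elsewhere.example.org ED25519 SHA256:BBBBconstructedplaceholderBBBBBBBBBBBBBBBBB host key
"""

def parse_warning(text):
    """Return (host, key_type, fingerprint) taken from the ssh warning."""
    key = re.search(r"fingerprint for the (\S+) key sent by the remote host is\s+"
                    r"SHA256:([A-Za-z0-9+/]+)", text)
    host = re.search(r"host key for (\S+) has changed", text)
    if not key or not host:
        raise ValueError("not a host-key-changed warning")
    return host.group(1), key.group(1), key.group(2)

def published_fingerprint(listing, host, key_type):
    """Find the line naming host and key type; return the text after 'SHA256:'."""
    for line in listing.splitlines():
        words = [w.strip("(),") for w in line.split()]
        # Whole-word match, so a look-alike host name is never accepted.
        if host in words and key_type.upper() in (w.upper() for w in words):
            for w in words:
                if w.startswith("SHA256:"):
                    return w[len("SHA256:"):]  # split() already cut at the first blank
    return None

def verify(warning, listing):
    """Return 'genuine', 'mismatch' or 'not-listed' for the presented key."""
    host, key_type, seen = parse_warning(warning)
    expected = published_fingerprint(listing, host, key_type)
    if expected is None:
        return "not-listed"
    return "genuine" if seen == expected else "mismatch"

if __name__ == "__main__":
    print(verify(WARNING, LISTING))
```

Only a "genuine" result corresponds to the case where the old key may be removed; "mismatch" and "not-listed" both correspond to not logging in and contacting user support.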