
SSH key verification

This how-to is also valid for key verification when logging in for the first time.

If you already have the host's public key saved in your ~/.ssh/known_hosts file and the frontend presents a different one, you will see a message similar to the following:

!!!WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!!!

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:bZfXg8ZTXR3KlUNbJ8rhMP0QOtbGdp7sMPCW22bIE0M.
Please contact your system administrator.
Add the correct host key in /home/user123/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/user123/.ssh/known_hosts:1
    remove with:
    ssh-keygen -f "/home/user123/.ssh/known_hosts" -R "skirit.ics.muni.cz"
The host key for skirit.ics.muni.cz has changed and you have requested strict checking.
Host key verification failed.

This normally happens when the frontend is reinstalled or its key is regenerated by the admins (for whatever reason). However, it may also be a sign of an attack in which a foreign machine pretends to be a frontend.

How to verify the key

  1. Go to the PBSmon page with host SSH key fingerprints. This page is managed by our admins. It contains the fingerprints of the SSH keys of all our hosts (computing nodes as well as frontends).
  2. Search for the name of the host you tried to log in to, e.g. “skirit.ics.muni.cz”. You will find several consecutive lines containing this name.
  3. Among these lines, select the one that contains the key type noted in the warning message, e.g. “ED25519”.
  4. From this line, select the string that follows “SHA256:” and ends at the first blank space.
  5. If this string is the same as the one displayed in the warning message (here bZfXg8ZTXR3KlUNbJ8rhMP0QOtbGdp7sMPCW22bIE0M), then the key is genuine and you can go on with removing the old key and replacing it with the new one.
  6. If the strings are different, do not log in and contact our user support.
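
Steps 2 to 5 can be scripted so the comparison is exact rather than done by eye. The script below is an added example, not part of the original documentation or any e-INFRA tooling. The function names and the layout of the published list lines are assumptions, and the sample data is constructed around the fingerprint from the warning above.

```shell
#!/bin/sh
# Added example: automates steps 2-5. The list line layout is an assumption.

# Print "<key type> <fingerprint>" taken from the SSH warning text on stdin.
warning_fp() {
  awk '
    /^The fingerprint for the .* key sent by the remote host is/ { kt = $5; next }
    kt != "" && /^SHA256:/ {
      fp = $1; sub(/^SHA256:/, "", fp); sub(/\.$/, "", fp)  # drop trailing "."
      print kt, fp; ok = 1; exit
    }
    END { exit (ok ? 0 : 1) }'
}

# Print the published fingerprint for host $1 and key type $2 (list on stdin).
# Whole-field match, so a host name never matches inside a longer name.
# Fails unless exactly one line matches.
published_fp() {
  awk -v h="$1" -v t="$2" '
    { hh = ht = 0; fp = ""
      for (i = 1; i <= NF; i++) {
        f = $i; gsub(/[(),]/, "", f)
        if (f == h) hh = 1
        if (toupper(f) == toupper(t)) ht = 1
        if (f ~ /^SHA256:/) fp = substr(f, 8)   # text after "SHA256:"
      }
      if (hh && ht && fp != "") { found = fp; n++ } }
    END { if (n == 1) { print found } else { exit 1 } }'
}

# $1=host $2=warning text $3=list text. 0 = match, 1 = mismatch, 2 = undecided.
verify_host_key() {
  seen=$(printf '%s\n' "$2" | warning_fp) || return 2
  pub=$(printf '%s\n' "$3" | published_fp "$1" "${seen%% *}") || return 2
  [ "$pub" = "${seen#* }" ]
}

# Constructed sample inputs; only the ED25519 fingerprint comes from the page.
WARNING='The fingerprint for the ED25519 key sent by the remote host is
SHA256:bZfXg8ZTXR3KlUNbJ8rhMP0QOtbGdp7sMPCW22bIE0M.'
LIST='skirit.ics.muni.cz RSA SHA256:CONSTRUCTED0rsa0placeholder
skirit.ics.muni.cz ED25519 SHA256:bZfXg8ZTXR3KlUNbJ8rhMP0QOtbGdp7sMPCW22bIE0M
other.example.org ED25519 SHA256:CONSTRUCTED0other0placeholder'

rc=0; verify_host_key skirit.ics.muni.cz "$WARNING" "$LIST" || rc=$?
case $rc in
  0) echo "match: key is genuine, the old known_hosts entry can be replaced" ;;
  1) echo "MISMATCH: do not log in, contact user support" ;;
  *) echo "undecided: check the inputs by hand" ;;
esac
```

In real use, paste the list text from the admin-managed fingerprint page opened in your browser over HTTPS, not from anything fetched through the SSH connection being verified.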

In case you need to see a list of public keys of all hosts, there is also a complete list of public keys available.
