SSH Changes in May 2019

From SciNet Users Documentation
Revision as of 20:44, 26 May 2019 by Nolta (talk | contribs) (Nolta moved page SSH Hardening (Spring 2019) to SSH Changes (May 2019) without leaving a redirect)

What Changed?

During the 29-30 May 2019 shutdown, we made the following ssh security improvements on Niagara:

  1. Disabled certain weak encryption algorithms.
  2. Disabled certain weak public key types.
  3. Regenerated Niagara's host keys.

Updating your client's known host list

The first time you log in to Niagara after the shutdown, you will probably see the following warning message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:SauX2nL+Yso9KBo2Ca6GH/V9cSFLFXwxOECGWXZ5pxc.
Please contact your system administrator.
Add correct host key in /home/username/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/username/.ssh/known_hosts:109
ED25519 host key for niagara.scinet.utoronto.ca has changed and you have requested strict checking.
Host key verification failed.
Killed by signal 1.

This is because the host keys on Niagara changed, and ssh clients remember old host keys to prevent "man-in-the-middle" attacks. To "forget" the old host keys (one command per name or address you use to reach Niagara), run the following commands on macOS/Linux:

$ ssh-keygen -R niagara.scinet.utoronto.ca
$ ssh-keygen -R niagara.computecanada.ca
$ ssh-keygen -R 142.150.188.70

For Windows PuTTY, WinSCP, and MobaXterm, TBD.

Afterwards, the next time you ssh to Niagara you'll be asked to confirm the new host keys, e.g.:

$ ssh niagara.scinet.utoronto.ca
The authenticity of host 'niagara.scinet.utoronto.ca (142.150.188.70)' can't be established.
ED25519 key fingerprint is SHA256:SauX2nL+Yso9KBo2Ca6GH/V9cSFLFXwxOECGWXZ5pxc.
ED25519 key fingerprint is MD5:b4:ae:76:a5:2b:37:8d:57:06:0e:9a:de:62:00:26:be.
Are you sure you want to continue connecting (yes/no)? 

Make sure the fingerprints are correct! You will see either the ED25519 fingerprints above or the following RSA fingerprints:

RSA key fingerprint is SHA256:k6YEhYsI73M+NJIpZ8yF+wqWeuXS9avNs2s5QS/0VhU.
RSA key fingerprint is MD5:98:e7:7a:07:89:ef:3f:d8:68:3d:47:9c:6e:a6:71:5e.

If the fingerprints don't match, someone may be trying to hijack your connection.
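The two steps above, forgetting the old entries and checking the new fingerprint, can be reproduced offline to see exactly what `ssh-keygen -R` removes and what the `SHA256:`/`MD5:` strings are computed from. The following Python script is an added example, not part of this SciNet page and not SciNet's code. It implements the known_hosts matching rule for both plain and hashed (`|1|...`) host fields, and derives OpenSSH-style fingerprints from a key blob. The known_hosts content, the ECDSA base64 blob and the 32-byte ED25519 key are constructed placeholders; the only real values are the Niagara hostnames, address and fingerprints copied from this page.

```python
"""Added example (not SciNet's code): what `ssh-keygen -R` does to a
known_hosts file, and how OpenSSH fingerprints are derived, run offline
against a constructed known_hosts file."""
import base64
import hashlib
import hmac
import struct

# Fingerprints copied from the SciNet page for the new Niagara host keys.
NIAGARA_FINGERPRINTS = {
    "SHA256:SauX2nL+Yso9KBo2Ca6GH/V9cSFLFXwxOECGWXZ5pxc",  # ED25519
    "SHA256:k6YEhYsI73M+NJIpZ8yF+wqWeuXS9avNs2s5QS/0VhU",  # RSA
}

# The names/addresses the page tells users to remove with `ssh-keygen -R`.
NIAGARA_HOSTS = ["niagara.scinet.utoronto.ca",
                 "niagara.computecanada.ca", "142.150.188.70"]


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_pubkey(raw32: bytes) -> str:
    """Encode a 32-byte ed25519 public key as an OpenSSH public-key field."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint_sha256(pubkey_field: str) -> str:
    """OpenSSH SHA256 fingerprint: unpadded base64 of sha256(key blob)."""
    blob = base64.b64decode(pubkey_field.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(pubkey_field: str) -> str:
    """Legacy OpenSSH MD5 fingerprint: colon-separated hex of md5(key blob)."""
    blob = base64.b64decode(pubkey_field.split()[1])
    hexd = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def verify_host_key(pubkey_field: str, expected=NIAGARA_FINGERPRINTS) -> bool:
    """True only if the presented key's SHA256 fingerprint is one we expect."""
    return fingerprint_sha256(pubkey_field) in expected


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Hashed known_hosts host field: |1|base64(salt)|base64(hmac-sha1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain comma list or hashed) names hostname.
    Marker lines (@cert-authority, @revoked) and [host]:port forms are not handled."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, _ = host_field.split("|")
        return hash_hostname(hostname, base64.b64decode(salt_b64)) == host_field
    return hostname in host_field.split(",")


def forget_hosts(known_hosts: str, hostnames) -> str:
    """Drop every line whose host field matches any of hostnames (what ssh-keygen -R does)."""
    kept = []
    for line in known_hosts.splitlines():
        if not line.strip() or line.startswith("#"):
            kept.append(line)
            continue
        host_field = line.split(None, 1)[0]
        if any(host_matches(host_field, h) for h in hostnames):
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if known_hosts.endswith("\n") else "")


# Constructed sample known_hosts: a stale plain entry for both Niagara names,
# a hashed entry for the IP address, and an unrelated host that must survive.
SAMPLE_SALT = b"\x07" * 20  # constructed, not a real salt
SAMPLE_KNOWN_HOSTS = (
    "niagara.scinet.utoronto.ca,niagara.computecanada.ca ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY= placeholder-old-key\n"
    + hash_hostname("142.150.188.70", SAMPLE_SALT)
    + " ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY= placeholder-old-key\n"
    "other.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlaceholder\n"
)

if __name__ == "__main__":
    print(forget_hosts(SAMPLE_KNOWN_HOSTS, NIAGARA_HOSTS))
    fake = make_ed25519_pubkey(b"\x01" * 32)  # constructed key, not Niagara's
    print(fingerprint_sha256(fake), fingerprint_md5(fake), verify_host_key(fake))
```

Running it shows only the `other.example.org` line surviving, and a constructed key failing `verify_host_key` because its fingerprint is not one of the two published on this page; that comparison, not the name of the host, is what protects you from the "man-in-the-middle" case the warning describes.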

Troubleshooting

I can't connect!

If you see one of the following error messages:

Unable to negotiate with 142.150.188.70 port 22: no matching cipher found.
Unable to negotiate with 142.150.188.70 port 22: no matching key exchange method found.
Unable to negotiate with 142.150.188.70 port 22: no matching mac found.

your client only supports algorithms that Niagara has now disabled, and you need to upgrade your ssh client.

My SSH key no longer works

If you're being asked for a password but were previously using SSH keys, it's because 1024-bit DSA and RSA keys have been disabled.

You need to generate a new, stronger key; see the SSH keys page for details.