SSH Hostkeys
SSH (Secure Shell) and its related programs (SCP, SFTP) use host keys to uniquely identify hosts. A host key is a cryptographic key pair belonging to the host: the host proves it holds the private half, and your client remembers the public half. If SSH sees a host key for a particular hostname that does not match what it expects, it suspects that host of lying about its identity. This is a useful thing for SSH to do, because it prevents someone from masquerading as a particular host in order to fool people into trying to log in and thus inadvertently revealing their passwords.
Sometimes the host key changes legitimately, e.g. when a machine is reinstalled, or replaced by a newer machine. Unfortunately, SSH cannot know whether the machine with the unexpected host key is a replacement or a masquerader, and thus assumes that it may be the latter. When SSH reports a host key mismatch, therefore, you should ask yourself whether there is a legitimate reason for the mismatch (e.g. the machine has been reinstalled or replaced). If there is a legitimate reason, you should go ahead and continue to log in. If not, you should stop logging in at that point, and instead consult your Point of Contact (PoC) for advice.
SSH host key mismatch: OpenSSH
When the OpenSSH ssh client (the default client for Mac OSX/Linux/Solaris/BSD/Cygwin) sees a host key mismatch, it reports a message that looks like the following:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
9c:9d:2f:4c:6d:f3:48:37:1f:dc:34:ff:ea:14:32:4c.
Please contact your system administrator.
Add correct host key in /home/me/.ssh/known_hosts to get rid of this message.
Offending key in /home/me/.ssh/known_hosts:67
RSA host key for hostname has changed and you have requested strict checking.
Host key verification failed.
If you happen to know that the host key mismatch is legitimate (i.e. the host was reinstalled or replaced), then simply edit the file mentioned in the message using your favourite text editor, e.g.
vi /home/me/.ssh/known_hosts
Find the entry that mentions the host you tried to log in to (it is on the line number mentioned in the message, in this case line 67) and simply delete it. Then log in again, and it will report the following:
The authenticity of host 'hostname (128.100.0.1)' can't be established.
RSA key fingerprint is 9c:9d:2f:4c:6d:f3:48:37:1f:dc:34:ff:ea:14:32:4c.
Are you sure you want to continue connecting (yes/no)?
If you answer "yes", the new host key will be saved and your login will continue.
SSH host key mismatch: PuTTY
When the PuTTY ssh client (used on Windows) sees a host key mismatch, it will report a message that looks like the following:
WARNING - POTENTIAL SECURITY BREACH!

The server's host key does not match the one PuTTY has cached in the registry. This means that either the server administrator has changed the host key, or you have actually connected to another computer pretending to be the server.

The new key fingerprint is:
ssh-rsa 1024 9c:9d:2f:4c:6d:f3:48:37:1f:dc:34:ff:ea:14:32:4c

If you were expecting this change and trust the new key, hit Yes to update PuTTY's cache and continue connecting. If you want to carry on connecting but without updating the cache, hit No. If you want to abandon the connection completely, hit Cancel. Hitting Cancel is the ONLY guaranteed safe choice.
If you happen to know that the host key mismatch is legitimate (i.e. the host was reinstalled or replaced), then simply hit Yes.
SSH host key mismatch: in general
Any SSH client, upon seeing a host with a host key that is different from what it expects, will report a message similar to the two examples shown here. If you know that the host has recently been replaced or reinstalled, do not panic: there is a legitimate reason for that host key to have changed, and you can proceed. Only if the host has not, as far as you know, been recently replaced or reinstalled should you contact your Point of Contact (PoC) for advice.
RSA key fingerprint for cs.toronto.edu
Here is the RSA key fingerprint for apps0, the machine to which the cs.toronto.edu DNS name now points:
a9:95:4c:31:22:32:8a:0a:ae:5c:7b:b3:1d:39:b1:17
Thus, if you see an SSH host key mismatch message displayed by your SSH client when you attempt to connect to cs.toronto.edu, you can cross-reference the RSA key fingerprint reported by the remote machine with the one above, to verify that you are indeed connecting to cs.toronto.edu (which in fact points to apps0).
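As an added example (not part of this page and not OpenSSH's own code), the following Python carries out the two checks described above on a known_hosts file: it finds and removes the stale entry for a host, which is what deleting line 67 by hand achieves in the OpenSSH section, and it computes the colon-separated MD5 fingerprint (and the newer SHA256 form) from a key blob so that the fingerprint printed in the warning can be compared with a published one, as the apps0 fingerprint is used here. The known_hosts contents, key blobs and salt are constructed filler rather than real keys, and all function names are this example's own.

```python
import base64
import hashlib
import hmac

# Added example, not from the page or from OpenSSH.  Everything below works on
# text in the known_hosts format; no real keys are involved.


def md5_fingerprint(key_b64):
    """Old-style OpenSSH fingerprint: MD5 of the raw key blob as colon-separated hex pairs."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(key_b64):
    """Newer OpenSSH fingerprint: 'SHA256:' plus unpadded base64 of the SHA-256 of the blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def normalize_fingerprint(fp):
    """Drop an optional 'MD5:' prefix, spaces and case so two renderings of one fingerprint compare equal."""
    fp = fp.strip()
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    return fp.replace(" ", "").lower()


def fingerprints_match(reported, published):
    """True when the fingerprint the client printed equals the one the host's admins published."""
    return hmac.compare_digest(normalize_fingerprint(reported), normalize_fingerprint(published))


def hashed_host(hostname, salt):
    """Build a hashed known_hosts host field (|1|salt|hmac), the form written by HashKnownHosts."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def entry_matches_host(line, hostname):
    """Does this known_hosts line belong to hostname?  Handles plain, comma-separated, [host]:port and hashed fields."""
    line = line.strip()
    if not line or line.startswith("#"):
        return False
    host_field = line.split(None, 1)[0]
    if host_field.startswith("@"):            # @cert-authority / @revoked marker precedes the host field
        host_field = line.split(None, 2)[1]
    if host_field.startswith("|1|"):          # hashed entry: recompute the HMAC with the stored salt
        _, _, salt_b64, _ = host_field.split("|", 3)
        return hmac.compare_digest(hashed_host(hostname, base64.b64decode(salt_b64)), host_field)
    names = []
    for pattern in host_field.split(","):
        if pattern.startswith("[") and "]:" in pattern:   # [host]:port form for non-default ports
            pattern = pattern[1:pattern.index("]:")]
        names.append(pattern)
    return hostname in names


def find_host_entries(text, hostname):
    """(line_number, line) for every entry about hostname; numbering is 1-based like the ssh message."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1) if entry_matches_host(line, hostname)]


def remove_host_entries(text, hostname):
    """Drop every entry about hostname (the manual edit described on this page) and report which lines went."""
    kept, removed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        (removed.append(n) if entry_matches_host(line, hostname) else kept.append(line))
    return "".join(line + "\n" for line in kept), removed


def review_mismatch(known_hosts_text, hostname, reported_fp, published_fp):
    """The page's decision rule: proceed (and clear the stale entry) only if the reported fingerprint is the published one."""
    if not fingerprints_match(reported_fp, published_fp):
        return "stop", known_hosts_text          # mismatch: leave the file alone and contact the PoC
    cleaned, _ = remove_host_entries(known_hosts_text, hostname)
    return "proceed", cleaned                    # ssh will now prompt to save the replacement key


# Constructed sample data: the "key blobs" are arbitrary bytes, not real keys.
BLOB_OLD = base64.b64encode(b"constructed: key blob the client cached for hostname").decode()
BLOB_NEW = base64.b64encode(b"constructed: key blob the reinstalled hostname presents").decode()
BLOB_OTHER = base64.b64encode(b"constructed: key blob for otherhost").decode()
SALT = b"constructed-20B-salt"                   # 20 bytes; OpenSSH picks a random salt per entry
SAMPLE_KNOWN_HOSTS = "\n".join([
    "otherhost,128.100.0.2 ssh-rsa " + BLOB_OTHER,
    "hostname,128.100.0.1 ssh-rsa " + BLOB_OLD,
    hashed_host("hostname", SALT) + " ssh-rsa " + BLOB_OLD,
]) + "\n"

if __name__ == "__main__":
    reported = md5_fingerprint(BLOB_NEW)         # what the warning banner would print for the new key
    verdict, cleaned = review_mismatch(SAMPLE_KNOWN_HOSTS, "hostname", reported, md5_fingerprint(BLOB_NEW))
    print(verdict)
    print(cleaned, end="")
```

On a real system the same two steps are available as commands: ssh-keygen -F hostname lists the cached entry (hashed entries included) and ssh-keygen -R hostname removes it, so the manual edit of known_hosts described above can be replaced by those; the decision rule of comparing the reported fingerprint against a published one is unchanged.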
CSLab Support