wiki:ssl_host_key_changed

I'm getting a scary message when I try to login to my account using secure shell or secure FTP

When you try to secure shell (ssh) or secure FTP to our servers, you may get a message that looks like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

It's probably a message you haven't seen before and it may be confusing and even disturbing. It's showing because we have changed the "host keys" for most of our servers due to a security problem discovered in the program used to generate the keys. The three affected servers most commonly used by members are: mandela.mayfirst.org, malcolm.mayfirst.org, and c.backup.mayfirst.org. Their new fingerprints are:

mandela.mayfirst.org: b5:c9:45:1e:b9:54:66:d7:a6:5d:3b:70:dc:0a:e4:14
malcolm.mayfirst.org: 75:a7:ab:16:36:61:43:f2:b6:08:4d:87:fe:2e:6a:5b
ali.mayfirst.org (aka c.backup.mayfirst.org, the offsite backup): 9e:e0:6c:7f:04:15:ed:38:4b:b1:e9:92:8d:03:e0:7a
sylvia.mayfirst.org (aka console.mayfirst.org, the serial console server): 76:6d:60:7e:de:5e:87:70:1f:27:d8:53:03:83:2c:f5

To get the correct, current "fingerprint" of other servers, please see our fingerprints page.

You'll need the fingerprint to follow the instructions below and make the message disappear.

Making the error message go away

Using linux

You will need to edit your ~/.ssh/known_hosts file. The error message should specify the line number of the "offending" key. Simply delete that line in the file and try again.

For example, if you were trying to connect to mandela.mayfirst.org, you can remove the offending key via the command line with:

ssh-keygen -R mandela.mayfirst.org

Then, try to connect again. You should get a message like this:

The authenticity of host 'mandela.mayfirst.org (209.51.163.15)' can't be established.
RSA key fingerprint is b5:c9:45:1e:b9:54:66:d7:a6:5d:3b:70:dc:0a:e4:14.
Are you sure you want to continue connecting (yes/no)?

If the fingerprint matches the expected fingerprint for your server, then type yes.

Using Windows

WinSCP

When using WinSCP, you should see a message that says:

WARNING - POTENTIAL SECURITY BREACH

The server's host key does not match the one in WinSCP has in cache. This means that either 
the server administrator has changed the host key, the server presents different keys under 
different circumstances, or you have actually connected to a different computer pretending 
to be the server. 

The new rsa2 key fingerprint is:

[fingerprint is listed here]

Be sure to compare the fingerprint with the fingerprints listed above (or via the fingerprints page).

If they are the same, then click "Update" and you will no longer get this message.

Using Dreamweaver

The cache of hosts key is located here:

C:\Documents and Settings\<user>\Local Settings\Application Data\Macromedia\Dreamweaver 8\Configuration\ssh_hosts

Try editing it with a text editor like notepad and remove the lines that have the name of your primary server in it. In the worst case scenario, you can simply delete the file.

Using Macintosh

Depending on what software you use to connect to our servers, you will see messages like the following:

Command line/terminal ssh or sftp:

Offending key in /Users/Jack/.ssh/known_hosts:26

Fugo:

Warning: Remote host identification has changed

Cyberduck appears to not generate a message - it just fails to connect.

Unfortunately, none of these programs have an automatic way to fix the bad key.

Fixing the Problem with any program except Dreamweaver

There are two ways to fix the problem in the Macintosh.

The first way (via the command line) is more difficult, however, it is more precise, fixing just the key that is broken. The second way (removing entire known_hosts file) is much easier for the novice user, however, it removes all of your "known hosts." If you use this method, you will be prompted to accept the host keys for all servers you connect to in the future (including non May First/People Link servers).

Command line

This method applies if you are comfortable using the Mac terminal program.

You can start the Mac Terminal program by going to Applications -> Utilities and clicking on the Terminal icon. Then, a screen will open with a blinking cursor, awaiting for you to type a command.

Just know the server to which you're trying to connect and use the keygen command to replace the error-producing line in your known_hosts file. For example, if you were trying to connect to mandela.mayfirst.org, you can remove the offending key via the command line with the followig command (note: it doesn't matter what directory you are in when you execute this command - it will automatically find the right file to edit).

ssh-keygen -R mandela.mayfirst.org
Using Finder
  • From Finder, select Go -> Go to folder... (this step works with OS 10.4 but not work with other versions)
  • Type:
    .ssh
    
  • You should see a folder open with a file called known_hosts. Drag that file to the trash.
  • If you get a message saying that folder does not exist, try typing instead /Users/YOUR-USERNAME-HERE/.ssh (replace YOUR-USERNAME-HERE with your actual username on your local computer).
  • Warning: this will remove all the known_hosts from your computer. The next time you use a program to connect to a secure server, you will need to re-verify the host key. This will apply to all servers you connect to, not just the May First/People Link servers.

Fixing the problem with Dreamweaver

The cache of hosts key is located here:

/Users/<user>/Library/Application Support/Macromedia/Dreamweaver 8/Configuration/ssh_hosts

Try editing it with a text editor like Simple Text and remove the lines that have the name of your primary server in it. In the worst case scenario, you can simply delete the file.

What are host keys?

Host keys are random bits of text that are unique to every server. The randomness of the keys allows us to have a secure, encrypted connection between you and the server.

Last modified 11 years ago Last modified on Jun 22, 2008, 9:18:14 AM