wiki:ssl_host_key_changed

Version 16 (modified by Jamie McClelland, 16 years ago) ( diff )


I'm getting a scary message when I try to login to my account using secure shell or secure FTP

When you try to secure shell (ssh) or secure FTP to our servers, you may get a message that looks like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

It's probably a message you haven't seen before and it may be confusing and even disturbing. It's showing because we have changed the "host keys" for most of our servers due to a security problem discovered in the program used to generate the keys. The three affected servers most commonly used by members are: mandela.mayfirst.org, malcolm.mayfirst.org, and c.backup.mayfirst.org. Their new fingerprints are:

mandela.mayfirst.org: b5:c9:45:1e:b9:54:66:d7:a6:5d:3b:70:dc:0a:e4:14
malcolm.mayfirst.org: 75:a7:ab:16:36:61:43:f2:b6:08:4d:87:fe:2e:6a:5b
ali.mayfirst.org (aka c.backup.mayfirst.org, the offsite backup): 9e:e0:6c:7f:04:15:ed:38:4b:b1:e9:92:8d:03:e0:7a

To get the correct, current "fingerprint" of other servers, please see our fingerprints page.

You'll need the fingerprint to follow the instructions below and make the message disappear.

Making the error message go away

Using linux

You will need to edit your ~/.ssh/known_hosts file. The error message should specify the line number of the "offending" key. Simply delete that line in the file and try again.

For example, if you were trying to connect to chavez.mayfirst.org, you can remove the offending key via the command line with:

ssh-keygen -R chavez.mayfirst.org

Then, try to connect again. You should get a message like this:

The authenticity of host 'mandela.mayfirst.org (209.51.163.15)' can't be established.
RSA key fingerprint is b5:c9:45:1e:b9:54:66:d7:a6:5d:3b:70:dc:0a:e4:14.
Are you sure you want to continue connecting (yes/no)?

If the fingerprint matches the expected fingerprint for your server, then type yes.

Using Windows

When using WinSCP, you should see a message that says:

WARNING - POTENTIAL SECURITY BREACH

The server's host key does not match the one WinSCP has in cache. This means that either
the server administrator has changed the host key, the server presents different keys under
different circumstances, or you have actually connected to a different computer pretending
to be the server.

The new rsa2 key fingerprint is:

[fingerprint is listed here]

Be sure to compare the fingerprint with the fingerprints listed above (or via the fingerprints page).

If they are the same, then click "Update" and you will no longer get this message.

Using Macintosh

As on Linux, you will need to edit your ~/.ssh/known_hosts file. The error message will specify the line number of the "offending" key; for example,

Offending key in /Users/Jack/.ssh/known_hosts:26

Here, 26 is the line number of the "offending" key. Edit ~/.ssh/known_hosts and delete the line. To do this using the vim text editor, type the following at the prompt in Terminal:

vi ~/.ssh/known_hosts

When the file opens, type

:26

replacing "26" with your offending line number to jump to that line in the file. The name or IP address of the server you were trying to connect to should appear at the beginning of this line. Type

dd

to delete the line, then type

:wq

to save your changes and quit. Then, try to connect to the server again. You'll likely get a message saying that the authenticity of the host cannot be established; type "yes" to continue connecting and the new host key will be saved into your known_hosts file.
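The Linux and Macintosh steps above done in a scriptable, checkable way, as an added shell example that is not part of this wiki page: remove the offending known_hosts entry (by line number, as in the vi steps, or by host name, as ssh-keygen -R does), then compare the fingerprint the server presents with the one published on the fingerprints page before accepting it. The hostnames, key strings and known_hosts file it builds are constructed samples; the ssh-keyscan/ssh-keygen pipeline and version notes are the editor's, not the wiki's.

```shell
#!/bin/sh
# Added example (not part of the original wiki page). All hostnames, keys and
# fingerprints handled by the demo are CONSTRUCTED samples.

# Build a constructed known_hosts file with three entries and print its path.
make_sample_known_hosts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
example-a.invalid,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0old1
example-b.invalid ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0key2
example-c.invalid,192.0.2.12 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0key3
EOF
    echo "$f"
}

# Delete line N (the number from "Offending key in ...:N") from a known_hosts
# file. Same effect as the vi ":N", "dd", ":wq" steps, but scriptable.
remove_known_hosts_line() {
    file=$1; lineno=$2
    tmp=$(mktemp)
    awk -v n="$lineno" 'NR != n' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Remove every entry whose host list (first field, comma separated) names HOST.
# This mirrors "ssh-keygen -R HOST" for plain-text entries only; it does NOT
# match hashed entries (lines starting with "|1|"), where ssh-keygen -R is the
# right tool.
remove_known_hosts_host() {
    file=$1; host=$2
    tmp=$(mktemp)
    awk -v h="$host" '
        {
            n = split($1, names, ",")
            keep = 1
            for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
            if (keep) print
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Compare two MD5 fingerprints in the colon-separated form used on this page,
# ignoring case, whitespace and the trailing period the ssh client prints after
# the fingerprint. Returns 0 (true) only on an exact match.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/[[:space:]]//g; s/\.$//')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f' | sed 's/[[:space:]]//g; s/\.$//')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Fetch the fingerprint a live server presents WITHOUT logging in, in the same
# MD5 colon format as the fingerprints page. Needs network access and OpenSSH
# 7.2 or newer (older ssh-keygen cannot read a key from stdin, and clients from
# 6.8 on print SHA256 fingerprints by default, which will not match the MD5
# ones above unless "-E md5" is given).
live_fingerprint() {
    ssh-keyscan -t rsa "$1" 2>/dev/null \
        | ssh-keygen -l -E md5 -f - \
        | awk '{print $2}' | sed 's/^MD5://'
}

# Demo on the constructed file (no network needed).
demo() {
    f=$(make_sample_known_hosts)
    remove_known_hosts_line "$f" 2                   # drop entry 2 by line number
    remove_known_hosts_host "$f" example-a.invalid   # drop an entry by host name
    wc -l < "$f"                                     # 1: only example-c.invalid remains
    rm -f "$f"
}
demo
```

Against a real server you would run `remove_known_hosts_host ~/.ssh/known_hosts HOST` (or simply `ssh-keygen -R HOST`), then `fingerprint_matches "$(live_fingerprint HOST)" 'published:fingerprint'`, and only answer "yes" to the authenticity prompt when that check succeeds. A mismatch means exactly the situation the warning describes: stop and ask the administrators rather than accepting the key.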

What are host keys?

Host keys are cryptographic keys, unique to each server, that let your client confirm it is talking to the same server it connected to before and set up a secure, encrypted connection between you and the server. They are generated from random data, which is what makes each key unique and hard to forge.
