After several years it was time to update the SSH host keys of our managed Linux machines. Therefore, if you reconnect with SSH, you might get a warning similar to this one:
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in ~/.ssh/known_hosts to get rid of this message.
Offending key in ~/.ssh/known_hosts:1
RSA host key for login.phys.ethz.ch has changed and you have requested strict checking.
Host key verification failed.
This is because your computer has memorized the previous host key and is bailing because the current one is different. This mechanism is designed to protect users from man-in-the-middle attacks. In our case it can be treated as a mere notification that the SSH key has changed.
In order to get rid of this warning, you simply need to delete the old key from your ~/.ssh/known_hosts file. This can be done either by deleting the entry manually or with the following command
ssh-keygen -R login.phys.ethz.ch
for the machine you are trying to SSH into.
On the next SSH connection you will be prompted to accept the new key. Power users may also download the full list of SSH keys of all our managed Linux computers.
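The check a cautious user can make before accepting the new key, as an added example that is not part of the original post: it compares the key the server offers with the entry in the downloaded key list and only then replaces the stale known_hosts line. The key blobs and other.example.org are constructed, the list is assumed to be in known_hosts format, and hashed known_hosts entries are not handled.

```python
import base64
import hashlib
import struct

HOST = "login.phys.ethz.ch"

def _blob(modulus: bytes) -> str:
    """Constructed stand-in for an ssh-rsa key blob (not a real key)."""
    parts = [b"ssh-rsa", b"\x01\x00\x01", modulus]
    raw = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(raw).decode()

# Constructed sample data: the old key, the new key, and a key nobody published.
OLD, NEW, ROGUE = _blob(b"old-key"), _blob(b"new-key"), _blob(b"rogue-key")
KNOWN_HOSTS = f"{HOST} ssh-rsa {OLD}\nother.example.org ssh-rsa {_blob(b'other')}\n"
PUBLISHED = f"{HOST} ssh-rsa {NEW}\n"  # assumption: list uses known_hosts format

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints it."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def entries(text: str) -> dict:
    """Map (host, keytype) -> key blob for plain, unhashed known_hosts lines."""
    found = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not line.startswith(("#", "@", "|")):
            for name in fields[0].split(","):
                found[(name, fields[1])] = fields[2]
    return found

def rotate(known_hosts: str, published: str, host: str, keytype: str, offered: str) -> str:
    """Swap in the offered key only if it matches the published one."""
    trusted = entries(published).get((host, keytype))
    if trusted is None or fingerprint(trusted) != fingerprint(offered):
        raise ValueError(f"{host}: offered key {fingerprint(offered)} is not in the published list")
    # Like ssh-keygen -R: drop every old line naming the host, keep the rest.
    kept = [l for l in known_hosts.splitlines()
            if host not in l.split(" ", 1)[0].split(",")]
    return "\n".join(kept + [f"{host} {keytype} {offered}"]) + "\n"

if __name__ == "__main__":
    print(rotate(KNOWN_HOSTS, PUBLISHED, HOST, "ssh-rsa", NEW), end="")
```

A key that is missing from the list raises ValueError and leaves known_hosts untouched, which is the case the warning above exists for.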
In order to perform system-level maintenance work, we schedule a maintenance downtime of the D-PHYS mail server today (Thursday, 2nd of July 2015) starting at 17:00. We expect the downtime to take about one hour.
During the downtime all mail services (sending mail, receiving mail, accessing mailboxes, webmail, etc.) will be unavailable. Mails sent to D-PHYS users during the downtime will be held back on the sending side and will be delivered after the downtime.
We will post an update as soon as mail services are back.
Update 19:30: Took a little bit longer than expected, but everything is back to normal now.
Microsoft will provide a final bunch of patches for Windows Server 2003 on July 14th, 2015. After that, no more security and stability fixes are going to be released. This means that machines still running Windows Server 2003 conflict with the ETH Bot (Acceptable Use Policy for Telematics), which requires that every computer connected to the ETH network must be fully updated and secured.
The central IT security group of ETHZ continuously inspects the network streams for signatures of XP and Windows Server 2003 computers. If you have a running Windows Server 2003 machine connected to the public network, please migrate the operating system to a newer version, i.e. Windows Server 2012.
If you have any questions or need help, please do not hesitate to contact the ISG D-PHYS Helpdesk.
ISG sits on a pile of older hardware that for various reasons cannot be used in our setup any more but that various people have expressed interest in and that still might be useful for certain scenarios (e.g. lab use or tinkering at home). We will therefore host two grab-your-used-piece-of-hardware sessions:
- Window 1: hardware outside of the ETH life cycle, mainly old computers (PowerPC-Macs and PCs) and TFT monitors, free of charge for both ETH-internal and private use: Wed Apr 22 – Fri Apr 24 in HPT H floor
- Window 2: not-quite-as-old hardware, mostly TFT monitors and printers, free of charge for ETH-internal use, prices for private use according to the rules: Wed Apr 29 and Thu Fri 30 in HPT H floor
As usual, some rules apply:
- this goes to all D-PHYS members
- no registration necessary. Just come by and take whatever is left.
- all items come as they are. We do not have any details or specifications
- there’s no warranty or service whatsoever. All devices have successfully been turned on, but that’s it
- if your item doesn’t turn on, you can bring it back within 5 days and get a full refund (if it wasn’t free in the first place)
- no OS, no software, no manual, no keyboard, often no cables. You get one piece of hardware. All HDs are blank
- all proceeds go to the D-PHYS funds, not ISG
- if you have no use for a computer without OS or software, don’t come shopping
- bring cash
- note that the printers are not meant to undermine the migration to the new printing system! We will not connect those printers to our old print server
It is my pleasure to welcome Christian Schneider into our group. He joins us to replace Elmar Heeb in the Linux team.
That’s just enough Christians for now.
UPDATE 23:00 – maintenance finished, queued mails have been delivered.
As a probable aftermath of last week’s power outage we are experiencing some issues with the file system on our home directory server which can only be repaired offline. We therefore schedule a maintenance window
Today, Monday Feb 2, 2015, starting at 22:00
The duration of the downtime cannot be estimated but should not exceed two hours. During this time you will not be able to access your home folder or receive new D-PHYS email. All incoming mail will be queued for later processing.
Thank you for your understanding.
It is my pleasure to welcome Christian Ringger into our group. He joins us to replace Thomas Berchtold in the Windows team.
UPDATE 13:30 – Groupdata is back online
UPDATE 02:25 – Astrogate and Windata are back online, except groupdata
UPDATE 22:20 – Home server is back online and email working again
In order to upgrade the operating system on several servers, we schedule a maintenance downtime on
Sunday, 4th January 2015, starting at 22:00.
22:15 start working on the home server (mail services disabled, incoming mail will be queued)
22:20 start working on the group share servers (windata & astrogate)
~ 22:45 home directories and mail services should work again
~ 00:00 group shares will incrementally come back during the night
During the downtime you can access read-only backups of your data from the night before; take a look at our readme.
We apologize in advance for any inconvenience this service interruption might cause.
The ETH Zurich will be officially closed between Wednesday, 24th of December 2014 and Sunday, 4th of January 2015. During this time, we can only provide limited support. Please follow these rules to save us from superfluous work:
- Switch off printers
- Switch off your personal workstation and notebook except for the following:
  - Do not switch off our managed Linux workstations.
We will try to follow our e-mail, but you may also have luck and meet some of us in our IRC channel.
This post is meant to give you a short overview of what has been accomplished in D-PHYS IT by ISG this year. We’ve been hard at work to further improve and extend our services for you, our customers. Some highlights of 2014:
- eXile: in order to be able to keep Windows XP machines that cannot be upgraded connected to the network, we have created the exile system of dedicated virtual firewalls. Currently there are 57 computers safely hidden in this network.
- Security flaws: 2014 saw the disclosure of three rather severe and widespread security problems in quick succession: Heartbleed, Shellshock and Poodle. We patched all affected systems within hours of the announcements and also scanned the network for hosts that had been overlooked. If you’re managing any networked machines (not just servers!) yourself, please make sure those are not vulnerable.
- Outages: we had a major incident on August 27 due to a failure of the server room cooling system. Fortunately we were able to repair the damage within hours. Other than that, our systems have been very stable in 2014 and we only had minor issues.
- Storage: in 2014 the disk space occupied by data and backup grew from 535 TiB to 685 TiB, further increasing the yearly growth rate. Another 120 TiB are already in the pipeline.
- Printing: in cooperation with Informatikdienste we prepared and introduced the new ETH printing system in D-PHYS. Several groups have migrated already, the rest of D-PHYS will follow in 2015.
- IPv6: during the last 12 months we prepared the D-PHYS network for dual stack (IPv4 + IPv6) operation. The biggest step towards a working IPv6 infrastructure was the deployment of an IPv6-ready DHCP server. Beginning next January we will incrementally hand out IPv6 addresses in the D-PHYS network. Later on, we’ll make our services IPv6-ready.
- Brain drain: two ISG group members decided to take on new challenges this year. In November, Thomas Berchtold left us after 3 successful years to become the new Head of IT of D-BAUG, and Elmar Heeb, the founding father of ISG D-PHYS, will start his new job in Informatikdienste in February. We thank both Thomas and Elmar for their dedicated work and contribution to the team and hope to stay in regular contact with them in the future. Christian Ringger will replace Thomas in January, while Elmar’s succession is still work in progress.
Happy Holidays and see you in 2015!