New SSH Host Keys on Managed Linux Machines

After several years it was time to update the SSH host keys of our managed Linux machines. Therefore, if you reconnect with SSH, you might get a warning similar to this one:

ssh login.phys.ethz.ch
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
36:04:d8:3d:89:a2:76:19:ef:b6:f0:0a:f2:5c:81:a3.
Please contact your system administrator.
Add correct host key in ~/.ssh/known_hosts to get rid of this message.
Offending key in ~/.ssh/known_hosts:1
RSA host key for login.phys.ethz.ch has changed and you have requested strict checking.
Host key verification failed.

This is because your computer has stored the previous host key and refuses to connect because the current one is different. This mechanism is designed to protect users from man-in-the-middle attacks. In our case it can be treated as a mere notification that the SSH key has changed.

To get rid of this warning, you simply need to delete the old key from your ~/.ssh/known_hosts file. This can be done either by deleting the entry manually or by running the following command with the name of the machine you are trying to SSH into:

ssh-keygen -R login.phys.ethz.ch

On the next SSH connection you will be prompted to accept the new key. Power users may also download the full list of SSH keys of all our managed Linux computers.
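Before accepting the new key at that prompt, the key the server offers can be compared against the published list. The following is an added example, not part of the original post: `check_host_key` is a hypothetical helper, the list is assumed to be in known_hosts format with unhashed host names, and the key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example. Key blobs below are constructed placeholders, not real host keys.
# Assumption: the published list uses known_hosts format with unhashed names:
#   host[,alias...] keytype base64-key [comment]

# check_host_key HOST PUBLISHED SCANNED
#   PUBLISHED: key list obtained over a trusted channel
#   SCANNED:   keys the server offers now, e.g. `ssh-keyscan HOST > SCANNED`
# Prints one verdict per offered key; returns 0 only if at least one key was
# offered and every offered key equals the published key of the same type.
check_host_key() {
    awk -v host="$1" '
        function names_host(field,   n, i, parts) {
            n = split(field, parts, ",")
            for (i = 1; i <= n; i++) if (parts[i] == host) return 1
            return 0
        }
        NF == 0 || $1 ~ /^#/ { next }            # skip blanks and comments
        !names_host($1)      { next }            # skip entries for other hosts
        FNR == NR            { trusted[$2] = $3; next }   # first file: published
        {                                        # second file: offered keys
            seen++
            if (!($2 in trusted))       { print "UNLISTED " $2; bad++ }
            else if (trusted[$2] != $3) { print "MISMATCH " $2; bad++ }
            else                        { print "MATCH " $2 }
        }
        END { exit ((seen > 0 && bad == 0) ? 0 : 1) }
    ' "$2" "$3"
}

# Constructed sample data: a published list and two possible scan results.
tmp=$(mktemp -d)
cat > "$tmp/published" <<'EOF'
# published host keys (constructed sample)
login.phys.ethz.ch,login ssh-ed25519 AAAAC3PLACEHOLDERnewED25519
login.phys.ethz.ch,login ssh-rsa AAAAB3PLACEHOLDERnewRSA
EOF
printf '%s\n' 'login.phys.ethz.ch ssh-ed25519 AAAAC3PLACEHOLDERnewED25519' > "$tmp/scan_ok"
printf '%s\n' 'login.phys.ethz.ch ssh-ed25519 AAAAC3PLACEHOLDERunexpected' > "$tmp/scan_bad"

check_host_key login.phys.ethz.ch "$tmp/published" "$tmp/scan_ok" \
    && echo "offered key is on the published list: safe to accept"
check_host_key login.phys.ethz.ch "$tmp/published" "$tmp/scan_bad" \
    || echo "offered key differs from the published list: do not accept"
```

The check is only as trustworthy as the channel the list was downloaded over, so fetch the list over a connection you already trust rather than the SSH session being verified.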
