09 Jun 2016

[2016] Remote Host Identification / SSH

Tags: Problems & Solutions

»All hosted and remotely managed Aegir systems will receive security update on June 19, 2016, which will affect your access via SSH and SFTP, and you will be presented with the alarming warning shown below. But there is nothing to worry about. For security reasons, we are updating OpenSSH configuration and we will intentionally re-generate all server-side keys to improve your account security. It’s possible that we will do this again in the future, but it’s very rare inconvenience — last time we did this on September 16, 2013.

$ ssh [email protected]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:MbkMc1Cv/JlnnUAcVPL5fRzkc0cfd9FPkGReplmJ16o.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:51
ED25519 host key for my.host has changed and you have requested strict checking.
Host key verification failed.

»How to remove/fix this warning? You can either edit the ~/.ssh/known_hosts file on your computer and remove only the offending line (51 in the example above), or if you have just one or two entries in this file, just delete it, so it will be re-generated on the next SSH login attempt. NOTE: you need to do this also on all remote systems which connect to your account(s) over SSH once the update on June 19, 2016 is applied to your BOA instance.

»To apply this update on your self-hosted BOA, please make sure to have also remote console available, in case your SSH client is not compatible with optionally enhanced SSH configuration. Then add _SSH_ARMOUR=YES line in your /root/.barracuda.cnf file and run `barracuda up-head` upgrade. To revert the change, set _SSH_ARMOUR=NO and run the barracuda upgrade again. For all related details please check this article.

Create Account or request a free Test Drive
Already 900+ hosts powering thousands of Drupal sites are running on our high-performance Aegir BOA stack
© 2009-2023 Omega8.cc | ul. Zlota 59, 14th floor Skylight Building, 00-120 Warsaw, Poland | Twitter
Smokin’ Fast Drupal Hosting in Amsterdam · Chicago · Frankfurt · London
Madrid · New York · San Jose · Singapore · Sydney · Toronto · Warsaw