Host keys for Euler login nodes

From ScientificComputing
Jump to: navigation, search

Introduction

A host key is a way to authenticate a computer through SSH to avoid man-in-the-middle attacks for instance due to intercepted network communication. When connecting to the Euler cluster for the first time, your SSH client will be presented a host key for the Euler login nodes. Please compare this key to the ones published on this wiki page and if they match accept it.

From then on, your SSH client will know the host key of Euler and you can establish secure connections to it. If your communication is intercepted and you are redirected to another host pretending to be Euler, then the host key proposed to your SSH client will not match the published key and you will receive a message

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:qdZ/jPc7HODpO2BmCtJxO51jFZVt1t6fjjbtiUAZemI.
Please contact your system administrator.
Add correct host key in /path/to/your/home/.ssh/known_hosts to get rid
of this message.
Offending RSA key in /path/to/your/home/.ssh/known_hosts:252
RSA host key for euler.ethz.ch has changed and you have requested strict
checking.
Host key verification failed.

When we replace the login nodes with new ones and the host keys for Euler change, then we will publish the new keys on this wiki page, such that users can check after getting the warning message shown above.

Currently valid keys

The MD5 and SHA256 fingerprints of the login nodes' ED25519 and RSA keys are:

ED25519:

SHA256:ontwFjITBT9rYE+4QnoN8272Q47W6OGOd5dwFfBivZ0
MD5:96:0b:48:81:89:18:d1:22:0d:e5:e0:17:7d:d9:02:d2

ECDSA:

SHA256:QpLAVp8eBluW+PU+keL3YkZr0ggU/B8wYtRp2KMuEXo
MD5:56:98:04:dd:13:00:c6:62:63:95:dc:a4:c6:b0:e7:bb

RSA:

SHA256:Em+yWIT+FDHy7kfQ9IIgdDiF2d8Q8ul36LPSjRv0yz4
MD5:4f:07:8a:47:a5:bf:c5:22:35:36:79:22:0b:36:d8:60

How to remove the old key and add the new one

Linux/Mac OS X

Please remove the old host key with the following command

ssh-keygen -R euler.ethz.ch

After removing the old host key, you need to login again, compare the displayed host key with the ones published on our wiki and accept the new one in case it is matching.

Windows

If you are using PuTTY, then you can remove the old host keys in the Windows registry.

  • Start regedit.exe
  • Navigate to HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys
  • Delete the host key for euler.ethz.ch

If you are using native SSH in Windows 10, then please run the command (this is only supported in Windows 10)

ssh-keygen -R euler.ethz.ch

After removing the old host key, you need to login again, compare the displayed host key with the ones published on our wiki and accept the new one in case it is matching.

Migration to Ubuntu

Due to the migration from CentOS to Ubuntu, you might see the warning about the hostkeys. You can proactively prevent this warning by adding the fingerprints of the host keys to the file ~/.ssh/know_hosts on your local computer. If any of the lines is already in your known_hosts file, then don't add this line as no line should be appearing twice in this file.

For ED25519 keys (what most modern ssh clients will use)

euler.ethz.ch ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxvQkvInDhLK2K1kpm9SVuE6JFIS0Js2vxwH7mFA0Wn
login-centos.euler.ethz.ch ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxvQkvInDhLK2K1kpm9SVuE6JFIS0Js2vxwH7mFA0Wn
login-beta.euler.ethz.ch ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxvQkvInDhLK2K1kpm9SVuE6JFIS0Js2vxwH7mFA0Wn

For RSA keys (what old/legacy ssh clients may use)

euler.ethz.ch ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDS5JwsC4/f4G2ZNPFdUFN0jnnHwaRSb6NaFZv2rAM5WYiXMmiReJ3tS7NkZYyECdwhzeS9ZdPODgp6mnMK0XRH15GnnKw9jE8Cj0WoyJVUd8hmHNiwTpYHAa0/gjONl+A+ZKYT7Z7aG2hfDRZRs6Bvnw8B8LXjgd/c7oLfjE/xbE7SVVGfJZ+waZ5MSEDmq4qj2jD0g/ERUsVZ/uimeOxkIdfyPyi6ZHylsEle4Wg3zU/0wtHOOhGdSryZ0BSHLUN0nqILsILoKHz/OpqYZFfygkPVwi1dTTPzfqzfjNI7jLlCOz1coWUswAiDaVPo35l8Q2zvHf++/69+ZvrAS2Xb
login-centos.euler.ethz.ch ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDS5JwsC4/f4G2ZNPFdUFN0jnnHwaRSb6NaFZv2rAM5WYiXMmiReJ3tS7NkZYyECdwhzeS9ZdPODgp6mnMK0XRH15GnnKw9jE8Cj0WoyJVUd8hmHNiwTpYHAa0/gjONl+A+ZKYT7Z7aG2hfDRZRs6Bvnw8B8LXjgd/c7oLfjE/xbE7SVVGfJZ+waZ5MSEDmq4qj2jD0g/ERUsVZ/uimeOxkIdfyPyi6ZHylsEle4Wg3zU/0wtHOOhGdSryZ0BSHLUN0nqILsILoKHz/OpqYZFfygkPVwi1dTTPzfqzfjNI7jLlCOz1coWUswAiDaVPo35l8Q2zvHf++/69+ZvrAS2Xb
login-beta.euler.ethz.ch ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDS5JwsC4/f4G2ZNPFdUFN0jnnHwaRSb6NaFZv2rAM5WYiXMmiReJ3tS7NkZYyECdwhzeS9ZdPODgp6mnMK0XRH15GnnKw9jE8Cj0WoyJVUd8hmHNiwTpYHAa0/gjONl+A+ZKYT7Z7aG2hfDRZRs6Bvnw8B8LXjgd/c7oLfjE/xbE7SVVGfJZ+waZ5MSEDmq4qj2jD0g/ERUsVZ/uimeOxkIdfyPyi6ZHylsEle4Wg3zU/0wtHOOhGdSryZ0BSHLUN0nqILsILoKHz/OpqYZFfygkPVwi1dTTPzfqzfjNI7jLlCOz1coWUswAiDaVPo35l8Q2zvHf++/69+ZvrAS2Xb