SSH Errors

Important

On 2020/10/01, the CS department changed host keys to strengthen security.

The CS IT staff has recently updated the SSH subsystems. This update affects the SSH client used to connect to the CS systems, including OpenStack virtual machines and the multilab systems. The previous method of host identification is outdated and less secure than newer methods (we have changed from RSA to ed25519 host keys).

SSH identifies hosts using keys, much like the ones used to identify websites that you connect to using “https”. When the key that identifies the computer changes, the SSH client sees that the identification has changed and issues a warning.

These warnings are rare and should cause concern when they are presented. If you are presented with one of these messages indicating the remote host identification has changed and are concerned about it, please contact us at help@cs.uky.edu.

Terminal Connections

When you connect via a terminal to a Computer Science machine you may be presented with a message similar to the one below:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:KZ5RxlkdjfasXhcCVsnNHlH6pSCe3pijvE19oGXcB8ruA.
Please contact your system administrator.
Add correct host key in /Users/username/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/username/.ssh/known_hosts:22
ED25519 host key for pen.cs.uky.edu has changed and you have requested strict checking.
Host key verification failed.

or

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:KZ5yL6ArrAXhcCVsnNHlH6pSCe3pijvE19oGXcB8ruA.
Please contact your system administrator.
Add correct host key in /path/to/home/username/.ssh/known_hosts to get rid of this message.
Offending RSA key in /path/to/home/username/.ssh/known_hosts:35
  remove with:
  ssh-keygen -f "/path/to/home/username/.ssh/known_hosts" -R "hostname"
ED25519 host key for nickel has changed and you have requested strict checking.
Host key verification failed.

To resolve this, a new key will need to be obtained from the host and the old key needs to be removed.

Removing old keys

If your SSH client supports it, you can run the command indicated in the second message above.

ssh-keygen -f "/path/to/home/username/.ssh/known_hosts" -R "hostname"

Some SSH clients do not support removing keys with ssh-keygen; on those systems you will need to manually edit the ‘known_hosts’ file. The exact line with the offending key is indicated in the message above, like this: `Offending RSA key in /path/to/home/username/.ssh/known_hosts:35`, which indicates the key is on line 35 of ‘known_hosts’. Edit the file, removing line 35, and save it. Performing either of the above methods will allow your client to get the new key and connect successfully to the remote host.
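The manual edit described above can also be scripted. The following is an added example, not part of the CS department's instructions: it reads the warning text, confirms that the reported line really is an entry for the host you were connecting to and holds the reported key type, and only then removes it. It goes slightly beyond the text by also recognising hashed known_hosts entries. The function names and the `.bak` backup file are assumptions of this example.

```python
import base64, hashlib, hmac, re, shutil
from pathlib import Path

# The line ssh prints, e.g. "Offending RSA key in /home/u/.ssh/known_hosts:35"
OFFENDING = re.compile(r"^Offending (\S+) key in (.+):(\d+)\s*$", re.M)

def host_matches(field, host):
    """True if a known_hosts host field names `host` (plain or hashed form)."""
    if field.startswith("|1|"):  # HashKnownHosts: |1|b64(salt)|b64(HMAC-SHA1)
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(digest))
    return host in field.split(",")  # plain "name,alias,ip" list

def remove_offending(warning, host, known_hosts=None):
    """Delete the line the warning points at, but only if it is an entry
    for `host` with the reported key type. Returns the removed line and
    leaves a copy of the original file beside it as known_hosts.bak."""
    m = OFFENDING.search(warning)
    if not m:
        raise ValueError("no 'Offending ... key in FILE:LINE' line in warning")
    key_type, lineno = m.group(1).lower(), int(m.group(3))
    path = Path(known_hosts or m.group(2))
    lines = path.read_text().splitlines(keepends=True)
    if not 1 <= lineno <= len(lines):
        raise ValueError(f"{path} has no line {lineno}")
    fields = lines[lineno - 1].split()
    if fields and fields[0].startswith("@"):  # skip @cert-authority/@revoked
        fields = fields[1:]
    if len(fields) < 3 or not host_matches(fields[0], host):
        raise ValueError(f"line {lineno} is not an entry for {host}")
    if key_type not in fields[1].lower():  # "rsa" must appear in "ssh-rsa"
        raise ValueError(f"line {lineno} holds a {fields[1]} key, not {key_type}")
    shutil.copy2(path, path.with_name(path.name + ".bak"))  # keep a backup
    removed = lines.pop(lineno - 1)
    path.write_text("".join(lines))
    return removed.rstrip("\n")

if __name__ == "__main__":
    import sys  # usage: python fix_known_hosts.py HOST < warning.txt
    print("removed:", remove_offending(sys.stdin.read(), sys.argv[1]))
```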

Bitvise, Putty, & Others

GUI SSH clients will have a pop-up prompt with either an informational message indicating the host has a new key or an indication that a new key was presented to the client. In all the GUI applications tested, there is a button on this pop-up that allows you to accept the new key and store it in the client's cache.

Bitvise error message

Bitvise - New host key pop-up

Putty error message

Putty - New host key pop-up

If you run into an error like the one below, indicating that a key exchange algorithm (or cipher) could not be agreed on or negotiated, you will need to upgrade your client.

Couldn't agree a key exchange algorithm

Putty - error message

To download an updated client for Putty, go here: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

For Bitvise, go here: https://www.bitvise.com/download-area

Here are some other common SSH Clients: