SSH clients complain about Sandcastle Host Key

In August 2019 we upgraded our departmental Linux server (Sandcastle) and chose to generate stronger encryption keys for the key exchange that occurs in SSH connections. This means that the keys which client programs had saved before that transition occurred are now invalid, and clients should inform the user that something has happened to change the security settings of the server.

It seems that, depending on the version of PuTTY (a popular Windows SSH client), the program may just present a prompt saying that there is a new key and ask for confirmation. It is important to make sure that the new key which is presented is valid (for key fingerprints please consult our security page).

For OpenSSH clients (including our lab computers when booted into Linux), the client rejects the new connection until the invalid key is deleted from the cache file. The message it returns will be similar to the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed. 
The fingerprint for the RSA key sent by the remote host is 
10:76:c9:0e:1b:5d:bb:1c:37:15:65:a2:78:a0:d7:21. 
Please contact your system administrator. 
Add correct host key in /home/student/username/.ssh/known_hosts to get rid of this message. 
Offending key in /home/student/username/.ssh/known_hosts:1 
RSA host key for sandcastle has changed and you have requested strict checking. 
Host key verification failed.

To correct this issue, go to the client computer (the one that cannot connect) and edit the file ~/.ssh/known_hosts. Find the entry in that file which starts with either sandcastle or 139.57.100.6 and delete that entry (just the single line, in case you have many). Once done, you should be able to connect to Sandcastle and will be presented with the new key to accept into the known_hosts file. It is important that you make sure that the new key which is presented is valid (for key fingerprints please consult our security page).
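
A scripted version of the edit described above, as an added example that is not part of the original page; the function names and the sample file (with placeholder key data) are constructed for illustration. It matches host names exactly, so a neighbouring entry such as sandcastle2 is left alone, and it keeps a backup copy. Hashed entries (lines starting with |1|) cannot be matched by name; for those, OpenSSH's own ssh-keygen -R sandcastle does the removal.

```shell
#!/bin/sh
# forget_host FILE HOST...: delete every known_hosts entry that names one of
# the given HOSTs exactly. Saves the original as FILE.old and prints the
# number of entries removed.
forget_host() {
    kh=$1; shift
    cp -p "$kh" "$kh.old"
    awk -v targets="$*" '
        BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # keep comments and blank lines
        {
            f = ($1 ~ /^@/) ? $2 : $1              # skip an @cert-authority/@revoked marker
            m = split(f, names, ",")               # host field may be "name,ip"
            for (i = 1; i <= m; i++)
                if (names[i] in want) next         # exact match only: drop this entry
            print                                  # hashed (|1|...) entries never match
        }
    ' "$kh.old" > "$kh"
    echo $(( $(wc -l < "$kh.old") - $(wc -l < "$kh") ))
}

# make_sample FILE: write a constructed known_hosts file (placeholder keys).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not real key material
sandcastle,139.57.100.6 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER1
139.57.100.6 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER1
sandcastle2 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2
139.57.100.60 ssh-ed25519 AAAAC3NzaC1lZDI1PLACEHOLDER3
other.example.org ssh-ed25519 AAAAC3NzaC1lZDI1PLACEHOLDER4
EOF
}

# Demo on a temporary file; the real target would be ~/.ssh/known_hosts.
demo=$(mktemp) && make_sample "$demo"
echo "removed $(forget_host "$demo" sandcastle 139.57.100.6) entries; kept:"
cat "$demo"
rm -f "$demo" "$demo.old"
```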

If you have further questions or concerns about this change, please email labadmin@cosc.brocku.ca from your Brock email account.

Sorry for any inconvenience this issue has caused.