[ucc] SSH changes: why you can't connect and how to fix it
Daniel Axtens
danielax at gmail.com
Wed Mar 9 00:33:22 WST 2011
Hi all,
ssh.ucc has been changed over from pointing at martello to pointing at motsugo. This is in line with the plan to retire martello.
However, this breaks the SSH known-hosts check for anyone who connects to ssh.ucc. Rather than connecting, SSH will complain loudly with something like this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
...snip...
RSA host key for ssh.ucc.asn.au has changed and you have requested strict checking.
Host key verification failed.
To fix this, follow the following procedure:
== Mac OS X/Linux ==
Run the following commands. They'll have to be run by every user that connects (so if you have a shared machine, each user will have to do it for themselves, sorry.)
ssh-keygen -R ssh.ucc.asn.au
ssh-keygen -R ssh.ucc.gu.uwa.edu.au
ssh-keygen -R ssh
ssh-keygen -R 130.95.13.11
Then reconnect. You will be asked if you wish to trust the server. Say yes. [FWIW, the fingerprint reported to me is 8f:7e:8c:c9:65:e1:41:c4:ff:6c:af:c4:46:01:b8:60. If a different fingerprint is reported to you, be suspicious.]
== PuTTY ==
According to the PuTTY documentation, PuTTY will allow you to change the host key without editing anything (which is useful, because PuTTY stores this data in the registry). I assume (but I haven't been able to check because I don't use PuTTY, sorry!) that you can tell it to accept the new key as trusted.
[FWIW, the fingerprint reported to me is 8f:7e:8c:c9:65:e1:41:c4:ff:6c:af:c4:46:01:b8:60. If a different fingerprint is reported to you, be suspicious.]
If you have any issues, please let us know and we'll provide some more helpful details!
== Conclusion ==
We hope that, after this bit of messing around, you'll find the new server much more reliable. We apologise for the inconvenience.
Best regards,
[DJA]
UCC Wheel member, OCM 2011
(on behalf of whoever changed it and didn't email)
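Added example (not part of the original email): a Python check that computes the colon-hex MD5 fingerprint from an ssh-keyscan or known_hosts line and compares it with the fingerprint quoted above, so the new key can be checked before answering yes. The function names, the script name and the sample line are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import sys

# Fingerprint quoted in the announcement (MD5 of the key blob, colon-hex).
PUBLISHED_MD5 = "8f:7e:8c:c9:65:e1:41:c4:ff:6c:af:c4:46:01:b8:60"

# Constructed sample line: the blob is just the bytes b"abc", not a real key.
SAMPLE_LINE = "ssh.example.invalid ssh-rsa YWJj"


def parse_key_line(line):
    """Split a known_hosts / ssh-keyscan line into (hosts, keytype, blob)."""
    fields = line.split()
    if fields and fields[0].startswith("@"):  # @cert-authority / @revoked
        fields = fields[1:]
    if len(fields) < 3 or fields[0].startswith("#"):
        raise ValueError("not a host key line: %r" % line)
    return fields[0], fields[1], base64.b64decode(fields[2], validate=True)


def md5_fingerprint(blob):
    """Colon-separated MD5 hex of the raw key blob, as old ssh clients print it."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_published(line, expected=PUBLISHED_MD5):
    """True only if the key on this line hashes to the expected fingerprint."""
    want = expected.strip().lower()
    if want.startswith("md5:"):  # newer ssh-keygen prefixes the hash name
        want = want[4:]
    blob = parse_key_line(line)[2]
    return hmac.compare_digest(md5_fingerprint(blob), want)


if __name__ == "__main__":
    # Usage: ssh-keyscan -t rsa ssh.ucc.asn.au | python3 check_hostkey.py
    ok = False
    for raw in sys.stdin:
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        hosts, keytype, blob = parse_key_line(raw)
        good = matches_published(raw)
        ok = ok or good
        print(hosts, keytype, md5_fingerprint(blob), "MATCH" if good else "MISMATCH")
    sys.exit(0 if ok else 1)
```

Current OpenSSH clients show SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f <file>` prints the colon-hex form for comparison with the value above.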