SecureShell: Difference between revisions

From UMIACS
Jump to navigation Jump to search
No edit summary
Verify remote host SSH fingerprint: Update documentation for verifying SSH host keys. Add info about "REMOTE HOST IDENTIFICATION HAS CHANGED!" warning.
 
Line 42: Line 42:


==Verify remote host SSH fingerprint==
==Verify remote host SSH fingerprint==
The SSH protocol relies on host keys to verify the identify of a given host.  Each host as a unique key for the various different protocols supported. 


When connecting to a remove host for the first time, or when the remote host's local host key configuration has changed, you may see the following prompt:
The SSH protocol relies on host keys to verify the identity of a given host.  Each host has a unique key for the various different protocols supported. 
 
When connecting to a remote host for the first time, you may see the following prompt:
 
<pre>
<pre>
$ ssh username@nexusgroup.umiacs.umd.edu
$ ssh username@nexusstaff.umiacs.umd.edu                  
The authenticity of host 'nexusgroup.umiacs.umd.edu (128.8.121.73)' can't be established.
The authenticity of host 'nexusstaff.umiacs.umd.edu (128.8.132.230)' can't be established.
RSA key fingerprint is 25:83:aa:df:f5:ad:5f:08:c9:8a:a3:5d:97:8b:48:1f.
ED25519 key fingerprint is: SHA256:N8+6sOAdq1NwvrpdHehe5MjQdnscNTBxvncqlHpt94o
Are you sure you want to continue connecting (yes/no)?
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
</pre>
</pre>
It is considered best practice to verify the key fingerprint with the actual key of the host.  UMIACS maintains a reference of SSH key fingerprints available at the following link:
https://intranet.umiacs.umd.edu/hostkeys


It is important to note that each key type has a different fingerprint. Depending on your local configuration, your client may prefer a specific type of key. The following commands can be used to determine the fingerprint of a given key type on a remote host:
It is considered best practice to verify the key fingerprint with the actual key of the host. It is important to note that each key type has a different fingerprint. Depending on your local configuration, your client may prefer a specific type of key. The following commands retrieves all SSH public host keys from the server and prints out the fingerprints of each key in the MD5 format:


<pre>
<pre>
$ ssh-keyscan -t rsa nexusgroup.umiacs.umd.edu > key
$ ssh-keyscan nexusstaff.umiacs.umd.edu > key
# nexusgroup.umiacs.umd.edu:22 SSH-2.0-OpenSSH_8.0
$ ssh-keygen -l -E md5 -f key                        
$ ssh-keygen -l -E md5 -f key
3072 MD5:aa:8f:e7:95:3f:ee:7c:23:0f:6f:9a:64:78:49:25:37 nexusstaff.umiacs.umd.edu (RSA)
2048 MD5:25:83:aa:df:f5:ad:5f:08:c9:8a:a3:5d:97:8b:48:1f nexusgroup.umiacs.umd.edu (RSA)
256 MD5:34:29:ea:73:98:98:e0:7b:d4:c3:83:50:bc:cb:b3:61 nexusstaff.umiacs.umd.edu (ECDSA)
256 MD5:02:50:b3:3e:d7:65:fb:08:54:30:f3:8d:7d:48:02:fc nexusstaff.umiacs.umd.edu (ED25519)
</pre>
</pre>
UMIACS maintains a reference of SSH key fingerprints available at the following link:
https://intranet.umiacs.umd.edu/hostkeys


If you have any questions, or notice a discrepancy, please [[HelpDesk | contact staff]].
If you have any questions, or notice a discrepancy, please [[HelpDesk | contact staff]].
Line 75: Line 80:
* [https://winscp.net/eng/docs/faq_hostkey WinSCP]
* [https://winscp.net/eng/docs/faq_hostkey WinSCP]
* [https://mobaxterm.mobatek.net/ MobaXterm]
* [https://mobaxterm.mobatek.net/ MobaXterm]
==Remote Host Identification Has Changed==
If a host key has changed since you last connected, you may see the following warning:
<pre>
$ ssh username@nexusstaff.umiacs.umd.edu                 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:N8+6sOAdq1NwvrpdHehe5MjQdnscNTBxvncqlHpt94o.
Please contact your system administrator.
Add correct host key in /Users/username/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /Users/username/.ssh/known_hosts:86
Host key for nexusstaff.umiacs.umd.edu has changed and you have requested strict checking.
Host key verification failed.
</pre>
By default, SSH clients should refuse to connect when a remote host key has changed. If you see this warning, follow the instructions below to resolve.
# [[#Verify remote host SSH fingerprint | Verify]] that the new fingerprint matches the fingerprint we publish at https://intranet.umiacs.umd.edu/hostkeys.
# Once verified, open the known_hosts file and go to the line referenced in the warning (in this example, /Users/username/.ssh/known_hosts at line 86) and remove the entry. Next time you connect, it will prompt you as if it were your first time connecting to the host.
<strong>NOTE:</strong> This may need to be repeated if your known_hosts file has multiple types of keys for this host.


==Long Running Processes==
==Long Running Processes==

Latest revision as of 22:05, 9 July 2026

Secure Shell (or SSH) is a network protocol allowing two computers to exchange data securely over an insecure network. By default, use of SSH brings the user to a terminal, but the protocol can be used for other types of data transfer such as SFTP and SCP.

Connecting to an SSH Server

Under Linux and macOS, the following command from a terminal will connect a client computer to the UMIACS Nexus.

# ssh username@nexusgroup.umiacs.umd.edu
Note: Your Nexus submission node will vary depending on your sponsorship. See Nexus Access for more information.

This will give you access to a terminal on any one of the Nexus servers. Note that by default you will not have access to applications that require X11 to run.

All UMIACS-supported Windows hosts are installed with PuTTY. If you are using a personal machine, you can either download and install PuTTY yourself, or if you are running a currently supported version of Windows, you can install the OpenSSH client natively in Windows by following Microsoft's instructions here. Only the client is needed and not the server.

X11 Forwarding

By default, SSH only gives the user shell access to a host. Enabling X11 Forwarding allows users to run applications with Graphical User Interfaces.

Under Linux and macOS, the following command from a terminal will connect a client computer to the UMIACS Nexus using X11 Forwarding. Please note that under macOS, xQuartz is required on the client machine to forward X sessions from the remote session.

# ssh -Y username@nexusgroup.umiacs.umd.edu
Note: Your Nexus submission node will vary depending on your sponsorship. See Nexus Access for more information.

Under Windows, you will need to forward X through VcXsrv or another X11 application.

If using PuTTY, you will need to enable X forwarding. The option is under Connection > SSH > X11, shown below.

Enabling X11 Forwarding in PuTTY settings

If using the Windows Terminal app, you will need to set an environment variable and then relaunch the app.

setx.exe DISPLAY "127.0.0.1:0.0"

After this has been done, every time you want to use X forwarding, you need to make sure VcXsrv or your other application has been started. If using VcXsrv, there will be an icon in your system tray.

You will now be able to use Xwindow programs from your SSH client.

SSH Tunneling

You can tunnel one or more ports through an SSH connection such that your packets will look like they are coming from the host you are tunneling to. This is helpful for services that you would be normally blocked by a firewall.

Please see the SecureShellTunneling page for more information.

SSH Keys (and Passwordless SSH)

SSH can utilize public key encryption to authenticate and authorize users. This can be considered more secure especially if you secure your private key with a pass-phrase. The keys themselves are not susceptible to brute force attacks like normal passwords over SSH are.

Please see the SSH/Keys page for more information.

Note: UMIACS still requires multi-factor authentication if you are connecting from the public internet or a VPN for security reasons. SSH keys can only be used when connecting to a UMIACS-supported host from another host already within UMIACS' network border.

Verify remote host SSH fingerprint

The SSH protocol relies on host keys to verify the identity of a given host. Each host has a unique key for the various different protocols supported.

When connecting to a remote host for the first time, you may see the following prompt:

$ ssh username@nexusstaff.umiacs.umd.edu                    
The authenticity of host 'nexusstaff.umiacs.umd.edu (128.8.132.230)' can't be established.
ED25519 key fingerprint is: SHA256:N8+6sOAdq1NwvrpdHehe5MjQdnscNTBxvncqlHpt94o
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

It is considered best practice to verify the key fingerprint with the actual key of the host. It is important to note that each key type has a different fingerprint. Depending on your local configuration, your client may prefer a specific type of key. The following commands retrieves all SSH public host keys from the server and prints out the fingerprints of each key in the MD5 format:

$ ssh-keyscan nexusstaff.umiacs.umd.edu > key
$ ssh-keygen -l -E md5 -f key                         
3072 MD5:aa:8f:e7:95:3f:ee:7c:23:0f:6f:9a:64:78:49:25:37 nexusstaff.umiacs.umd.edu (RSA)
256 MD5:34:29:ea:73:98:98:e0:7b:d4:c3:83:50:bc:cb:b3:61 nexusstaff.umiacs.umd.edu (ECDSA)
256 MD5:02:50:b3:3e:d7:65:fb:08:54:30:f3:8d:7d:48:02:fc nexusstaff.umiacs.umd.edu (ED25519)

UMIACS maintains a reference of SSH key fingerprints available at the following link: https://intranet.umiacs.umd.edu/hostkeys

If you have any questions, or notice a discrepancy, please contact staff.

Windows / PuTTY Verification

If you use PuTTY to connect to remote hosts, the prompt will be similar to the following:

PuTTY SSH host key prompt

If the host key reported by PuTTY matches the Documented entry for that host, it is safe to click 'yes'. If you notice a discrepancy, please contact staff.

Other Platforms

Remote Host Identification Has Changed

If a host key has changed since you last connected, you may see the following warning:

$ ssh username@nexusstaff.umiacs.umd.edu                   
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:N8+6sOAdq1NwvrpdHehe5MjQdnscNTBxvncqlHpt94o.
Please contact your system administrator.
Add correct host key in /Users/username/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /Users/username/.ssh/known_hosts:86
Host key for nexusstaff.umiacs.umd.edu has changed and you have requested strict checking.
Host key verification failed.

By default, SSH clients should refuse to connect when a remote host key has changed. If you see this warning, follow the instructions below to resolve.

  1. Verify that the new fingerprint matches the fingerprint we publish at https://intranet.umiacs.umd.edu/hostkeys.
  2. Once verified, open the known_hosts file and go to the line referenced in the warning (in this example, /Users/username/.ssh/known_hosts at line 86) and remove the entry. Next time you connect, it will prompt you as if it were your first time connecting to the host.

NOTE: This may need to be repeated if your known_hosts file has multiple types of keys for this host.

Long Running Processes

If you are dealing with a long running process that is inhibiting your ability to work regularly, you may want to run your processes inside a screen on the host that you're connecting to. This way, if the connection is dropped for any reason the screen session will automatically detach on the host and will continue running so that you can reattach it at a later time when you've connected again. Please see our documentation on GNU Screen for more information.

Further Information