==========
SSH Errors
==========
.. important:: On 2020/10/01, the CS department changed host keys to strengthen security.

The CS IT staff has recently updated the SSH subsystems. This update affects
the SSH clients used to connect to the CS systems, including OpenStack virtual
machines and the multilab systems. The previous method of host identification
is outdated and less secure than newer methods (we are now using Ed25519
instead of RSA).

SSH identifies hosts using keys, much like the ones used to identify websites
that you connect to using "https". When the key that identifies a computer
changes, the SSH client sees that the identification has changed and issues a
warning.

These warnings are rare and should cause concern when they are presented. If you
are presented with one of these messages indicating the remote host
identification has changed and are concerned about it, please contact us at
help@cs.uky.edu.

Terminal Connections
++++++++++++++++++++
When you connect via a terminal to a Computer Science machine you may be
presented with a message similar to the one below:

.. code-block:: shell

   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
   @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
   IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
   Someone could be eavesdropping on you right now (man-in-the-middle attack)!
   It is also possible that a host key has just been changed.
   The fingerprint for the ED25519 key sent by the remote host is
   SHA256:KZ5RxlkdjfasXhcCVsnNHlH6pSCe3pijvE19oGXcB8ruA.
   Please contact your system administrator.
   Add correct host key in /Users/username/.ssh/known_hosts to get rid of this message.
   Offending RSA key in /Users/username/.ssh/known_hosts:22
   ED25519 host key for pen.cs.uky.edu has changed and you have requested strict checking.
   Host key verification failed.

or

.. code-block:: shell

   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
   @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
   IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
   Someone could be eavesdropping on you right now (man-in-the-middle attack)!
   It is also possible that a host key has just been changed.
   The fingerprint for the ED25519 key sent by the remote host is
   SHA256:KZ5yL6ArrAXhcCVsnNHlH6pSCe3pijvE19oGXcB8ruA.
   Please contact your system administrator.
   Add correct host key in /path/to/home/username/.ssh/known_hosts to get rid of this message.
   Offending RSA key in /path/to/home/username/.ssh/known_hosts:35
   remove with:
   ssh-keygen -f "/path/to/home/username/.ssh/known_hosts" -R "hostname"
   ED25519 host key for nickel has changed and you have requested strict checking.
   Host key verification failed.

To resolve this, a new key will need to be obtained from the host and the old
key needs to be removed.

Removing old keys
.................
If your SSH client supports it, you can run the command indicated in the
second message above.

.. code-block:: shell

   ssh-keygen -f "/path/to/home/username/.ssh/known_hosts" -R "hostname"

Some SSH clients do not support removing keys with ssh-keygen; on those systems
you will need to manually edit the ``known_hosts`` file. The exact line with the
offending key is indicated in the above message like this:
``Offending RSA key in /path/to/home/username/.ssh/known_hosts:35``, which
indicates the key is on line 35 of ``known_hosts``. Edit the file, removing
line 35, and save it.

Performing one of the above methods will allow your client to get the new key
and connect successfully to the remote host.
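
The manual edit described above, as an added Python example (not part of the CS department's tooling): it reads the line number from the ``Offending ... key`` message, drops that entry, and stores the replacement only when its SHA256 fingerprint matches a value confirmed separately with the IT staff. The function names, host names and keys are constructed for illustration.

```python
import base64
import hashlib
import re
import struct


def fingerprint(entry):
    """SHA256 fingerprint of a known_hosts entry, formatted as ssh prints it."""
    fields = entry.split()
    if fields[0].startswith("@"):  # skip @cert-authority / @revoked markers
        fields = fields[1:]
    blob = base64.b64decode(fields[2])  # fields: hosts, key type, base64 key
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def offending_line(warning):
    """Extract the 1-based line number from the 'Offending ... key in FILE:N' line."""
    match = re.search(r"Offending \w+ key in .+:(\d+)\s*$", warning, re.MULTILINE)
    return int(match.group(1)) if match else None


def replace_host_key(lines, warning, new_entry, trusted_fp):
    """Drop the offending line and add new_entry, only if its fingerprint is trusted."""
    if fingerprint(new_entry) != trusted_fp:
        raise ValueError("fingerprint mismatch: keep the old entry and report it")
    n = offending_line(warning)
    if n is None or not 1 <= n <= len(lines):
        raise ValueError("no usable 'Offending ... key' line in the warning")
    return lines[: n - 1] + lines[n:] + [new_entry]


def sample_entry(host, key_bytes):
    """Constructed ssh-ed25519 entry: length-prefixed key type, then 32 key bytes."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", key_bytes))
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed sample data (not real CS department keys).
KNOWN_HOSTS = [
    sample_entry("otherhost", bytes(32)),
    "hostname ssh-rsa " + base64.b64encode(b"constructed old RSA key").decode(),
    sample_entry("thirdhost", bytes([1]) * 32),
]
WARNING = "Offending RSA key in /path/to/home/username/.ssh/known_hosts:2\n"
NEW_ENTRY = sample_entry("hostname", bytes(range(32)))
TRUSTED_FP = fingerprint(NEW_ENTRY)  # stands in for the value confirmed by IT staff

if __name__ == "__main__":
    print("\n".join(replace_host_key(KNOWN_HOSTS, WARNING, NEW_ENTRY, TRUSTED_FP)))
```
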

Bitvise, PuTTY, & Others
++++++++++++++++++++++++
GUI SSH clients will have a pop-up prompt with either an informational message
indicating the host has a new key or an indication that a new key was presented
to the client. In all the GUI applications tested there is a button located on
this pop-up which allows you to accept the new key and store it in the client's
cache.

.. figure:: _images/bitvise_ssh.png
   :scale: 70%
   :alt: Bitvise error message

   Bitvise - New host key pop-up

.. figure:: _images/putty_ssh.png
   :scale: 70%
   :alt: PuTTY error message

   PuTTY - New host key pop-up

If you run into any error like the one below, indicating that a key exchange
algorithm (or cipher) could not be agreed on or negotiated, you will need to
upgrade your client.

.. figure:: _images/putty_error.png
   :scale: 70%
   :alt: Couldn't agree a key exchange algorithm

   PuTTY - error message

To download an updated client for PuTTY, go here: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

For Bitvise, go here: https://www.bitvise.com/download-area

Here are some other common SSH clients:

- MobaXterm
- TeraTerm
- SecureCRT
- XShell