Infrastructure with SSH capabilities has a unique host key fingerprint. Frequently, when an infrastructure is relaunched, its host key fingerprint changes because it runs on completely new infrastructure after the relaunch. When you try to connect to this infrastructure using SSH after a relaunch, you may see messages like the following:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
[truncated].
Please contact your system administrator.
Add correct host key in /home/username/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/username/.ssh/known_hosts:24
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Agent forwarding is disabled to avoid man-in-the-middle attacks.
While this warning message sounds dire, it is frequently harmless and can be disregarded. In most cases, the only change is innocuous: a change to the infrastructure.
To prevent the warning message from recurring, use one of the following methods:
- Remove the outdated host key using ssh-keygen.
  Run the following command to remove the host fingerprint for the previous hardware:
  ssh-keygen -R [hostname]
  where [hostname] is the hostname for your previous infrastructure.
- Edit or remove the known_hosts file.
  On a UNIX system, you can remove the file ~/.ssh/known_hosts entirely; however, removing this file will cause the infrastructure you SSH into to prompt you to accept new keys. You can instead edit the known_hosts file and remove the old infrastructure key. Ensure you back up the file before you edit it. Windows users may find the same file at c:\users\username\.ssh\known_hosts, especially if you are using something like Git Bash.
- Turn off StrictHostKeyChecking.
  Add StrictHostKeyChecking no to your ~/.ssh/config file, or -o StrictHostKeyChecking=no to the SSH command.
To verify the fingerprint of an infrastructure, create a Support ticket.
The next time you sign in after removing the outdated known_hosts entry, you will see a prompt asking you to approve adding the new host key fingerprint to your list of known hosts.
Acquia’s public SSH key fingerprints in Cloud Next
In Cloud Next environments, you can use public key fingerprints to validate a connection to a remote server. Acquia’s public key fingerprints are as follows:
Algorithm | Key |
---|---|
RSA | SHA256:yxVlCD43Vt8tTJ2Q92+ySVYi8dzNOytvwrjrgBLBNHQ |
ECDSA | SHA256:eabRcL6rQ+eo4+rc/7lUW0j8+pS+/27ufFO/9zjZepM |
ED25519 | SHA256:x2Gqkq4ToeB8kpDjUsJNLexo94Xz5ZNCqbFEkvhWbfM |
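
One way to check a scanned host key against the fingerprints in the table above before approving it. This is an added example, not Acquia's own tooling; the function names, the sample line and the host example.invalid are assumptions made for illustration. It expects text in the "host keytype base64-blob" form that ssh-keyscan prints.

```python
import base64
import hashlib

# Fingerprints copied from the table above (Cloud Next).
PUBLISHED = {
    "RSA": "SHA256:yxVlCD43Vt8tTJ2Q92+ySVYi8dzNOytvwrjrgBLBNHQ",
    "ECDSA": "SHA256:eabRcL6rQ+eo4+rc/7lUW0j8+pS+/27ufFO/9zjZepM",
    "ED25519": "SHA256:x2Gqkq4ToeB8kpDjUsJNLexo94Xz5ZNCqbFEkvhWbfM",
}

def sha256_fingerprint(blob_b64):
    """Unpadded base64 of SHA-256 over the decoded key blob, as ssh prints it."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def algorithm(key_type):
    """Map an OpenSSH key type to the algorithm names used in the table."""
    if key_type == "ssh-rsa":
        return "RSA"
    if key_type.startswith("ecdsa-sha2-"):
        return "ECDSA"
    if key_type == "ssh-ed25519":
        return "ED25519"
    return None

def check_keyscan(text, published=PUBLISHED):
    """Return (host, algorithm, fingerprint, matches) for each key line."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 3:
            continue  # skip comments and malformed lines
        host, key_type, blob = fields[:3]
        algo = algorithm(key_type)
        fp = sha256_fingerprint(blob)
        ok = algo is not None and published.get(algo) == fp
        results.append((host, algo, fp, ok))
    return results

# Constructed sample in ssh-keyscan's output form; the blob is not a real host key.
SAMPLE_BLOB = base64.b64encode(b"constructed blob, not a real key").decode()
SAMPLE = "# constructed sample\nexample.invalid ssh-ed25519 " + SAMPLE_BLOB + "\n"

if __name__ == "__main__":
    for host, algo, fp, ok in check_keyscan(SAMPLE):
        print(host, algo, fp, "MATCH" if ok else "MISMATCH: do not accept this key")
```

Pass it the output of ssh-keyscan [hostname] and approve the new host key at the prompt only when the line for that algorithm reports a match.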