
SSH and RSA key warnings after a server relaunch

Every server with SSH capabilities has a unique RSA key fingerprint. Frequently, when relaunching a server, the RSA key fingerprint changes because the server is running on completely new hardware after the relaunch. When you try to connect to this server using SSH after a relaunch, you may see messages like the following:

eavesdropping on you right now (man-in-the-middle attack)! It is also
possible that a host key has just been changed. The fingerprint for the RSA
key sent by the remote host is [truncated]. Please contact your system
administrator. Add correct host key in /home/username/.ssh/known_hosts to
get rid of this message. Offending RSA key in
/home/username/.ssh/known_hosts:24 Password authentication is disabled to
avoid man-in-the-middle attacks. Keyboard-interactive authentication is
disabled to avoid man-in-the-middle attacks. Agent forwarding is disabled to
avoid man-in-the-middle attacks.

While this warning message sounds dire, it is frequently harmless and can be disregarded. In most cases the cause is innocuous: after a relaunch the server runs on different hardware and therefore presents a new host key.

To prevent the warning message from recurring, use one of the following methods:

  • Remove the outdated host key using ssh-keygen.

    Run the following command to remove the RSA fingerprint for the previous hardware:

    ssh-keygen -R [hostname]

    where [hostname] is the hostname for your previous server.

  • Edit or remove the known_hosts file.

    On a UNIX system, you can remove the file ~/.ssh/known_hosts entirely; however, removing this file will cause every server you SSH into to prompt you to accept new keys. You can instead edit the known_hosts file and remove the old server key. Ensure you back up the file before you edit it.

    Windows users may find the same file at c:\users\username\.ssh\known_hosts, especially if you are using something like Git Bash.

  • Turn off StrictHostKeyChecking.

    Add StrictHostKeyChecking no to your ~/.ssh/config file, or -o StrictHostKeyChecking=no to the SSH command. Note that disabling StrictHostKeyChecking globally has negative security implications: SSH will then connect to any host whose key has changed without warning you, which removes the very check that detects a man-in-the-middle attack.
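The first two methods above (ssh-keygen -R, or editing known_hosts by hand) both come down to removing the stale entry while keeping every other host's key. The following is an added example, not code from the Acquia page: a small set of POSIX shell functions that back up a known_hosts file, remove either every entry for a given hostname or the single line number the warning names ("known_hosts:24"), and count what remains so the result can be checked. The file path, hostnames and key strings are constructed for the demonstration; the key material is not real.

```shell
#!/bin/sh
# Added example (not from the Acquia page): remove a stale host key from a
# known_hosts file by hand, with a backup taken first. Hostnames, paths and
# key strings below are constructed for the demonstration.

# Copy the file to a timestamped backup before editing; prints the backup path.
backup_known_hosts() {
    kh="$1"
    bak="$kh.bak.$(date +%Y%m%d%H%M%S)"
    cp "$kh" "$bak" || return 1
    printf '%s\n' "$bak"
}

# Remove every line whose host field (the comma-separated first column)
# contains HOST exactly. Hashed entries (lines starting with "|1|") cannot be
# matched by name this way; "ssh-keygen -R HOST" handles those.
remove_known_host() {
    kh="$1"; host="$2"
    backup_known_hosts "$kh" >/dev/null || return 1
    tmp="$kh.tmp.$$"
    awk -v host="$host" '
        /^#/ || /^$/ { print; next }          # keep comments and blank lines
        {
            n = split($1, hosts, ",")
            keep = 1
            for (i = 1; i <= n; i++) if (hosts[i] == host) keep = 0
            if (keep) print
        }' "$kh" > "$tmp" && mv "$tmp" "$kh"
}

# Remove only the line number the warning points at ("known_hosts:24" -> 24).
remove_known_hosts_line() {
    kh="$1"; line="$2"
    backup_known_hosts "$kh" >/dev/null || return 1
    tmp="$kh.tmp.$$"
    awk -v n="$line" 'NR != n' "$kh" > "$tmp" && mv "$tmp" "$kh"
}

# Print how many non-comment entries still name HOST (0 means it is gone).
count_known_host() {
    awk -v host="$1" '
        /^#/ || /^$/ { next }
        { n = split($1, h, ","); for (i = 1; i <= n; i++) if (h[i] == host) c++ }
        END { print c + 0 }' "$2"
}

# Print the number of lines in the file (used to confirm a single-line removal).
count_lines() {
    awk 'END { print NR }' "$1"
}

# Write a constructed known_hosts file for the demonstration; prints its path.
make_sample_known_hosts() {
    f="${TMPDIR:-/tmp}/known_hosts.example.$$"
    cat > "$f" <<'EOF'
# constructed sample; the key strings below are not real keys
old-server.example.com,203.0.113.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfake1
other.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIfake2
old-server.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIfake3
EOF
    printf '%s\n' "$f"
}

# Typical use against a real file (hostname is an assumption):
#   remove_known_host "$HOME/.ssh/known_hosts" old-server.example.com
```

Run the functions against a copy first if you want to see the effect: make_sample_known_hosts writes a four-line file, remove_known_host drops both old-server.example.com lines and leaves other.example.com untouched, and each edit leaves a .bak copy beside the file, which is the backup the page tells you to take before editing.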

Contact Acquia Support if you want to verify the fingerprint of a server.

The next time you sign in after removing the outdated known_hosts entry, you will see a prompt asking you to approve adding the new RSA key fingerprint to your list of known hosts.