Information for: DEVELOPERS   PARTNERS

SSH and RSA key warnings after infrastructure relaunch

Infrastructure with SSH capabilities has a unique RSA key fingerprint. Frequently, when relaunching an infrastructure, the RSA key fingerprint changes because the infrastructure is running on completely new infrastructure after the relaunch. When you try to connect to this infrastructure using SSH after a relaunch, you may see messages like the following:

eavesdropping on you right now (man-in-the-middle attack)! It is also
possible that a host key has just been changed. The fingerprint for the RSA
key sent by the remote host is [truncated]. Please contact your system
administrator. Add correct host key in /home/username/.ssh/known_hosts to
get rid of this message. Offending RSA key in
/home/username/.ssh/known_hosts:24 Password authentication is disabled to
avoid man-in-the-middle attacks. Keyboard-interactive authentication is
disabled to avoid man-in-the-middle attacks. Agent forwarding is disabled to
avoid man-in-the-middle attacks.

While this warning message sounds dire, it is frequently harmless and can be disregarded. In most cases, the only change is innocuous: a change to the infrastructure.

To prevent the warning message from recurring, use one of the following methods:

  • Remove the outdated host key using ssh-keygen.

    Run the following command to remove the RSA fingerprint for the previous hardware:

    ssh-keygen -R [hostname]

    where [hostname] is the hostname for your previous infrastructure.

  • Edit or remove the known_hosts file.

    On a UNIX system, you can remove the file ~/.ssh/known_hosts entirely; however, removing this file will cause the infrastructure you SSH into to prompt you to accept new keys. You can instead edit the known_hosts file and remove the old infrastructure key. Ensure you back up the file before you edit it.

    Windows users may find the same file at c:\users\username\.ssh\known_hosts, especially if you are using something like Git Bash.

  • Turn off StrictHostKeyChecking.

    Add StrictHostKeyChecking no to your ~/.ssh/config file, or -o StrictHostKeyChecking=no to the SSH command. Note that globally disabling StrictHostKeyChecking can have negative security implications.

Contact Acquia Support if you want to verify the fingerprint of an infrastructure.

The next time you sign in after removing the outdated known_hosts entry, you will see a prompt asking you to approve adding the new RSA key fingerprint to your list of known hosts.