Known Hosts and SSH Keys

Known Hosts

The first time you use ssh to connect to one of our shell servers you will see a message like this:

The authenticity of host 'debian.eskimo.com (66.114.134.203)' can't be established.
ED25519 key fingerprint is SHA256:rroEtbPOwxC7+3hkdlzjc6/2q+0uqVUXaxwSn1NOpv0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Respond Yes.

If we have re-installed a system, the old host keys will have been replaced with new keys.  In this case, if you have previously connected, you will get a message like this:

ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
ERROR: Someone could be eavesdropping on you right now (man-in-the-middle attack)!
ERROR: It is also possible that a host key has just been changed.
ERROR: The fingerprint for the ECDSA key sent by the remote host is
ERROR: SHA256:uMN7fJ633Pnr0vHy5JTh8n0JBzexlWgD/BEEX6Qx9e8.
ERROR: Please contact your system administrator.
ERROR: Add correct host key in /home/nanook/.ssh/known_hosts to get rid of this message.
ERROR: Offending ECDSA key in /home/nanook/.ssh/known_hosts:194
ERROR: remove with:
ERROR: ssh-keygen -f '/home/nanook/.ssh/known_hosts' -R 'debian.eskimo.com'
ERROR: Host key for debian.eskimo.com has changed and you have requested strict checking.
ERROR: Host key verification failed.

In this case, on your machine type:

     ssh-keygen -f '/home/nanook/.ssh/known_hosts' -R 'debian.eskimo.com'

Substitute your home directory for /home/nanook and substitute the hostname you are trying to connect to for 'debian.eskimo.com'.

Once you do this, our machine will be unknown to your client again and you will get the first message shown above; just accept when prompted and the new key will be added to your known_hosts file.

Note: some people are concerned that they might be connecting to the wrong host.  We take precautions to prevent our name servers from being poisoned.  We have a stealth master server, that is, a DNS server not visible to the outside world, and all of our slave name servers only accept updates from it.

Our hosts will all have IPv4 addresses in the range 66.114.134.193-224 and IPv6 addresses in the 2001:560:4407:1::/64 subnet.
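
The following Python check is an added example, not part of the original page or any tooling we provide. It computes the SHA256 fingerprint of a known_hosts or .pub key line in the form ssh prints it, and tests whether an address falls inside the ranges given above. The function names are hypothetical, the sample key is constructed from dummy bytes, and the expected fingerprint is assumed to have been obtained out of band.

```python
import base64
import hashlib
import ipaddress

# Address ranges stated on this page for the shell servers.
V4_FIRST = ipaddress.IPv4Address("66.114.134.193")
V4_LAST = ipaddress.IPv4Address("66.114.134.224")
V6_NET = ipaddress.IPv6Network("2001:560:4407:1::/64")


def in_published_range(addr):
    """True if addr lies inside the IPv4 range or the IPv6 subnet above."""
    ip = ipaddress.ip_address(addr)
    return V4_FIRST <= ip <= V4_LAST if ip.version == 4 else ip in V6_NET


def fingerprint(key_line):
    """Fingerprint of a known_hosts or .pub line, in the form ssh prints it."""
    fields = key_line.split()
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        # A key blob starts with a length-prefixed copy of its key type, so
        # the "type blob" pair is located by requiring the two to agree.
        n = int.from_bytes(blob[:4], "big")
        if blob[4:4 + n] == fields[i].encode():
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no consistent 'keytype blob' pair found in line")


def check_host(addr, key_line, expected_fp):
    """Return a list of reasons not to trust the connection (empty = OK)."""
    problems = []
    if not in_published_range(addr):
        problems.append(f"{addr} is outside the published address ranges")
    if fingerprint(key_line) != expected_fp:
        problems.append("host key fingerprint differs from the expected one")
    return problems

# Constructed sample: a well-formed ed25519 key blob filled with dummy bytes.
SAMPLE_BLOB = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes(range(32))
SAMPLE_LINE = "debian.eskimo.com ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    print(check_host("66.114.134.203", SAMPLE_LINE, fingerprint(SAMPLE_LINE)))
    print(check_host("203.0.113.7", SAMPLE_LINE, "SHA256:" + "A" * 43))
```

An address inside the range does not by itself identify the host; the fingerprint comparison is the check that ties the key to the server.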

SSH Keys

SSH keys allow you to authenticate using a cryptographic signature rather than a password, so you can connect without typing one.

To use SSH keys, you first need to generate a key with ssh-keygen.  I recommend using ed25519 keys.  None of the key types currently offered are post-quantum safe, so new key types will be available in the future, but as of this writing ed25519 is the strongest, so invoke ssh-keygen with:

     ssh-keygen -t ed25519

Then hit Enter to accept the default for all the questions.  Do not assign a password or passphrase unless you want to have to type it when you connect.

After creating a key, you will want to copy it to the host you wish to connect to.  To do this, use:

     ssh-copy-id user@hostname.eskimo.com

Our host will then prompt for your password.  If you type it correctly, a copy of your public key will be stored in your home directory under .ssh, and you will then be able to connect using ssh without a password:

     ssh user@hostname.eskimo.com