CSIL: Remote Host Id Changed
The scary REMOTE HOST ID CHANGED message with mention of SOMETHING NASTY
What does this mean?
Suppose you are trying to ssh into csil.cs.ucsb.edu
, and you see the following
thing pop up on your screen:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
ab:cd:ef:12:34:56:78:90:ab:cd:ef:01:23:7:55:68.
Please contact your system administrator.
Add correct host key in /Users/ChrisGaucho/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/ChrisGaucho/.ssh/known_hosts:12
RSA host key for csil.cs.ucsb.edu has changed and you have requested strict checking.
Host key verification failed.
It is possible but not very likely, that someone is launching a man-in-the-middle attack on your connection to CSIL.
Far more likely: the Engineering staff has replaced the physical hardware for the machine known as csil.cs.ucsb.edu with another machine.
Here’s what you should do:
-
First, starting with Fall 2016, you probably shouldn’t be accessing
csil.cs.ucsb.edu
in the first place. You can, but instead, use csil-01.cs.ucsb.edu,csil-02.cs.ucsb.edu
, etc. throughcsil-48.cs.ucsb.edu
. You’ll likely get better performance. -
Despite what the message says, you don’t need to contact the system administrator.
-
Instead, just delete the
known_hosts
file that the system tells you contains the problem. The system will recreate the file for you:E.g. in the message above, the file is:
/Users/ChrisGaucho/.ssh/known_hosts
The file in your message will be different, but will have a similar name. Find this file on your system, and delete it.
What is this known_hosts
file, and why am I deleting it?
What this file contains are numbers that get cached when you answer yes
to this question, which you get asked, once, the first time you connect to
any system over ssh:
The authenticity of host 'csil.cs.ucsb.edu (128.111.43.14)' can't be established.
RSA key fingerprint is 4a:0e:85:b5:7c:c4:1c:af:3f:02:c5:75:61:da:ae:55.
Are you sure you want to continue connecting (yes/no)?
If you were paranoid, or your ssh connection were likely to contain sensitive
information that made it the target of
state-sponsored surveillance or hackers connected to organized crime, you might
send a highly trusted and armed person over to Harold Frank Hall to verify using
paper, or carrier pigeon, or some other secure form of communication, that
this RSA key fingerprint, 4a:0e:85:b5:7c:c4:1c:af:3f:02:c5:75:61:da:ae:55
was indeed the correct one.
But it is far more expedient to simply “assume” it is correct, and let the system
store it in the known_hosts
file, where you’ll never hear another peep about it
unless and until the number changes again.
When you get rid of this file, the system will ask you about each host again the
first time you connect to it. It will take a while to build up all of the
known_host
RSA key fingerprints again. But then, you’ll be golden—at least
until the next major hardware upgrade to all the systems to which you connect.