SCIAMA

High Performance Compute Cluster

Menu
  • Home
  • Getting Started
    • How to get an account
    • How to Log in
    • Log in from Windows
    • Using X2Go
    • Create an SSH key pair
    • SSH Fingerprints
    • Using SSH keys
    • Training Exercises
    • Slurm MPI Batch Script
  • Using SCIAMA
    • Using Jupyter Notebooks
    • Using JupyterHub
    • Using Spyder
    • Storage Policy
    • Submitting jobs
    • Using GPUs
    • Using Matlab
    • Using Conda Environments
    • SLURM for PBS Users
    • File transfers
    • GitHub/BitBucket
    • Cloud Backup
    • Reserving Compute Nodes
    • Acknowledging SCIAMA
  • Resources
    • Hardware
    • Queues
    • Software
      • Using Software Modules
      • Changing Default Modules
      • Mixing MPI and OpenMP
      • Using CONDA
  • System Status
    • Core Usage
    • Disk Usage
    • Users Logged In
    • Jobs Status
    • Jobs by Group
    • Node Status
    • SCIAMA Grafana Dashboard
    • Maintenance and Outages
  • Contact Us

SSH Fingerprints

Sciama like most other servers uses the S(ecure)SH(ell) protocol to allow users to work on it from a remote computer. The connection is encrypted to ensure that nobody can intercept and alter the commands sent to Sciama or the output sent back to the user once the connection is established. But one of the weak spots in the system is to ensure that you are actually connected to the right server. So-called 'Man-in-the-middle' attacks can reroute your connection through a third server which then works as a relay between you and your target, but listens and potentially alters data exchanged between the user and Sciama.

This is why a digital fingerprint is provided when you log into a server. If you haven't logged on to the server before from your current computer, this fingerprint will be presented to you and you need to confirm its authenticity (see below on how to do so).

The authenticity of host ‘login4.sciama.icg.port.ac.uk (148.197.10.71)’ can’t be established.
RSA key fingerprint is SHA256:zELprgvBZmyQRQ5/6/a58e3e660bR3lJZItu18pnZcg.
RSA key fingerprint is MD5:5f:ac:29:ac:7e:c6:73:65:98:59:f1:8f:df:e3:15:ba.
Are you sure you want to continue connecting (yes/no)? yes

Confirm this to complete the log-in. Now we have to verify that the presented fingerprint actually belongs to the target server we wanted to log into (and not to some 'man-in-the-middle' relay eavesdropping on our connection). To do so, simply type into the command line on the login server :-

ssh-keygen -E md5 -lf /etc/ssh/ssh_host_rsa_key.pub

It should present you an output like

2048 5f:ac:29:ac:7e:c6:73:65:98:59:f1:8f:df:e3:15:ba /etc/ssh/ssh_host_rsa_key.pub (RSA)

which confirms (by comparing with the MD5 fingerprint from your login) that the fingerprint actually originated from the target server and that the encryption between it and the user is not compromised.

Once you have logged in for the first time, this fingerprint will be stored on your local computer and you should never be asked about it again as long as the login server does not change (e.g. by reinstallation). Otherwise you may see an error message like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:zELprgvBZmyQRQ5/6/a58e3e660bR3lJZItu18pnZcg.
Please contact your system administrator.
Add correct host key in $HOME/.ssh/known_hosts to get rid of this message.
Offending RSA key in $HOME/.ssh/known_hosts:24
RSA host key for login4.sciama.icg.port.ac.uk has changed and you have requested strict checking.
Host key verification failed.

If you are not aware of any reinstallation of the login servers that may have triggered this change of fingerprint, please be VERY cautious here and contact the SCIAMA support team immediately. If you happen to know that the fingerprint has changed then follow the instructions and remove the fingerprint in question from the $HOME/.ssh/known_hosts file on your computer. When you log in know, the login server should be treated as a previously unknown server and you will be presented with the new fingerprint that you can then verify as described above.

Top of Page

Copyright © 2022 ICG, University of Portsmouth