New Linprog Certificates

Eight brand-new servers have replaced the four aging linprog servers. Along with the hardware update, a new OS was installed on each new server. The SSH security certificates (the host keys your SSH client caches) were changed too. If you logged into the Linprog servers before December 2016, your SSH client has probably cached old versions of the certificates, and they will need to be removed so that your client does not complain about a “man-in-the-middle” attack.

If you are using a command-line OpenSSH client (most Macs, Linux, and Cygwin installations), evidence of an old cached certificate will look something like this when you attempt to connect:


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
d2:5f:6c:b7:1c:4a:14:11:e5:a0:3d:8d:86:74:b3:b8.
Please contact your system administrator.
Add correct host key in [filename] to get rid of this message.
...

Older versions of OpenSSH kept the cached certificate data in a cleartext format in ~/.ssh/known_hosts. You could edit this file with your favorite text editor and remove lines containing ‘linprog’ or the IP address of the servers. Newer versions of OpenSSH keep the host names in a hashed format, so identifying which lines belong to the linprog servers by reading the file is not possible. Instead, you may use the ssh-keygen utility to remove the cached certificate.
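The sketch below is an added example, not part of the original page. It shows why a tool can still find linprog entries in a hashed known_hosts file: each hashed host field is `|1|salt|HMAC-SHA1(salt, hostname)`, so a name you already know can be tested against every line. The function names are hypothetical, the sample entries are constructed with placeholder key blobs, and only exact names are matched (no wildcards or `[host]:port` forms).

```python
import base64
import hashlib
import hmac

# Names and addresses taken from the removal scripts on this page.
STALE_HOSTS = ["linprog", "linprog.cs.fsu.edu"]
STALE_HOSTS += [f"linprog{n}{d}" for n in range(1, 5) for d in ("", ".cs.fsu.edu")]
STALE_HOSTS += [f"128.186.120.{n}" for n in range(33, 37)]
STALE_HOSTS += [f"128.186.122.{n}" for n in range(24, 28)]

def hash_host(host, salt):
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def field_matches(field, host):
    """True if one known_hosts host field (hashed or cleartext) names `host`."""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = field.split("|")
            salt, stored = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        except ValueError:  # malformed field: treat as no match
            return False
        candidate = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(stored, candidate)
    return host in field.split(",")  # cleartext: comma-separated names

def split_stale(lines, hosts=STALE_HOSTS):
    """Return (kept, removed); a line is removed if it names any stale host."""
    kept, removed = [], []
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            kept.append(line)  # blank line or comment
            continue
        # Lines may start with a marker such as @cert-authority or @revoked.
        field = parts[1] if parts[0].startswith("@") and len(parts) > 1 else parts[0]
        stale = any(field_matches(field, h) for h in hosts)
        (removed if stale else kept).append(line)
    return kept, removed

# Constructed sample entries; the key blobs are placeholders, not real keys.
SAMPLE = [
    "# constructed sample",
    hash_host("linprog2.cs.fsu.edu", b"A" * 20) + " ssh-rsa AAAAB3PLACEHOLDER1",
    hash_host("example.org", b"B" * 20) + " ssh-ed25519 AAAAC3PLACEHOLDER2",
    "linprog,128.186.120.33 ssh-rsa AAAAB3PLACEHOLDER3",
]

if __name__ == "__main__": print(split_stale(SAMPLE)[1])
```

For the actual cleanup, use the ssh-keygen -R commands shown in the sections that follow; this code only illustrates the matching that makes them work on hashed files.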

Inside the CS Department Network (TCSH)

If you log into shell.cs.fsu.edu, you can remove the old certificates from your CS home directory with a few lines of shell script. For the TCSH shell (the default for most CS users), the script looks like:


foreach n ( 1 2 3 4 )
  ssh-keygen -R linprog$n
  ssh-keygen -R linprog$n.cs.fsu.edu
end
ssh-keygen -R linprog
ssh-keygen -R linprog.cs.fsu.edu
foreach n ( 33 34 35 36 )
  ssh-keygen -R 128.186.120.$n
end

These commands will remove entries for each LinProg server, the generic name which randomly assigns users to one of the servers, and entries which use the IP address instead of the machine name. (You may not have cached entries for all of these.)

Outside the CS Department Network (Bash)

If you are logging in from a computer outside of the CS department network, the IP numbers will be different. Assuming you are running a Bash shell from this outside machine, the script will look like this:


for n in 1 2 3 4 ; do
  ssh-keygen -R linprog$n
  ssh-keygen -R linprog$n.cs.fsu.edu
done
ssh-keygen -R linprog
ssh-keygen -R linprog.cs.fsu.edu
for n in 24 25 26 27; do
  ssh-keygen -R 128.186.122.$n
done

Windows and PuTTY

If you are running an SSH client from a Windows machine outside the CS department network, the method of removing cached certificates will depend upon the client you’re using. If you’re running PuTTY, you’ll need to edit the registry. First, run regedit. Then go to


HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys

Delete any keys in the ‘name’ column that refer to 128.186.122.{24,25,26,27} or 128.186.120.{33,34,35,36}, or linprog.

Windows and Secure Shell

If you are running the Secure Shell client, you can go to ‘Edit->Settings->Global Settings->Server Authentication’, then click on ‘Host Keys’. Click on any ‘linprog’ entries and any of their IP numbers and then click ‘Delete’.

Note: The Windows “Secure Shell” client has not been updated in a long time. The ciphers and key exchange protocols that it uses are disabled by default on new installations of OpenSSH server software. As system administrators update their servers over time, the client may stop working. Users should transition to other SSH clients.