EECS Instructional Support, University of California at Berkeley

                    University of California at Berkeley
           Department of Electrical Engineering & Computer Sciences
                        Instructional Support Group


/share/b/hostkeys/README-hostkeys.txt

								   Apr 3 2009


	  SSH public hostkeys for EECS Instructional Computers
	  ----------------------------------------------------

/share/b/hostkeys contains the public hostkeys of the EECS Instructional 
UNIX computers that allow logins over the net using 'openssh'.  These are
used to confirm the identity of a given computer when you log in, for 
security purposes.

The first time you log in from one computer (the "source") to another (the
"destination"), you may see a message like:

	The authenticity of host 'solar (128.32.42.39)' can't be established.
	...
or 
	@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
	@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
	@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
	...

This is because the source computer either does not have a copy of the 
hostkey of the destination computer or has a different version of it, 
so it can't verify that it is the right computer.  This may be because

  1) it is the first time you are connecting to that computer
  2) the admins at that computer have changed the hostkey 
  3) the computer that is responding as the destination is an imposter

Although hostkeys are there to protect against possibility #3, it is 
the least likely of the causes on EECS computers.  Unless you know that
#1 and #2 are not the cause, you can generally accept the new hostkey that
is offered.  You may first have to remove a copy of the old hostkey from 
your ~/.ssh/known_hosts file (see the rest of the WARNING message for
instructions).

If you are in doubt, you can compare the hostkey that is displayed in the
message with the one that we have stored on /share/b/hostkeys/openssh (also
accessible as https://inst.eecs.berkeley.edu/~inst/hostkeys/?file=openssh).
If they are the same, that confirms that the destination computer is valid.
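
One way to do this comparison, as an added example that is not part of the
original README or ISG's own tooling.  It assumes the published file uses
the known_hosts line format (names, key type, base64 key); the function 
names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct


def make_blob(key_type, raw):
    """Build a CONSTRUCTED public-key blob in SSH wire format (sample data only)."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(raw)).decode()


def fingerprints(key_b64):
    """Return every fingerprint form OpenSSH may print for this public key."""
    blob = base64.b64decode(key_b64, validate=True)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    colon = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    # Current clients print "SHA256:..."; older ones print bare colon-separated MD5.
    return {"SHA256:" + sha, "MD5:" + colon, colon}


def parse_reference(text):
    """Map each listed host name or address to its published base64 keys."""
    ref = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed (|1|...) host entries.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        for name in fields[0].split(","):
            ref.setdefault(name, set()).add(fields[2])
    return ref


def check_offered(host, offered_fp, reference_text):
    """Return 'match', 'mismatch' or 'unlisted' for the fingerprint ssh displayed."""
    keys = parse_reference(reference_text).get(host)
    if not keys:
        return "unlisted"
    offered_fp = offered_fp.strip()
    if any(offered_fp in fingerprints(k) for k in keys):
        return "match"
    return "mismatch"


if __name__ == "__main__":
    published = make_blob("ssh-ed25519", bytes(range(32)))  # constructed key
    reference = "# constructed sample\nsolar,128.32.42.39 ssh-ed25519 %s\n" % published
    # Stands in for the fingerprint that ssh displayed in its message.
    shown = next(fp for fp in fingerprints(published) if fp.startswith("SHA256:"))
    print(check_offered("solar", shown, reference))
```

A 'mismatch' or 'unlisted' result means the published file does not confirm
the destination computer.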

Once you have accepted the new hostkey, it is stored in .ssh/known_hosts 
in your home directory for future reference.

For more information about SSH, please see
http://inst.eecs.berkeley.edu/cgi-bin/pub.cgi?file=ssh.help

OpenSSH:

  OpenSSH hostkeys are stored in the file .ssh/known_hosts in your UNIX 
  home directory.  You can edit that file with a text editor to remove 
  old hostkeys.  We only support OpenSSH (which is the latest variant).

SSH1 and SSH2: 

  SSH1 and SSH2 have been discontinued on EECS systems.  These versions 
  were implemented in old versions of UNIX and in "FSecure SSH" on Windows.  

  Nathan Hunsperger prepared these scripts to update the /etc/ssh2/hostkeys 
  files on all of our UNIX systems from /share/b/hostkeys/ssh2/hostkeys:
  [THIS NEEDS TO BE UPDATED - kevinm]

  /share/b/adm/bin/rsync-ssh2-clients.csh
  /share/b/adm/bin/rsync-ssh2-servers.csh
  /share/b/adm/bin/create-ssh2-shortnames.pl

  The rsync scripts do as their names imply.  The creation script takes a 
  directory full of ssh2 keys, and creates hardlinks to those keys with the 
  machines' shorter names (like mamba vs mamba.cs.berkeley.edu).  All are 
  internally commented.


EECS Instructional Support Group
http://inst.eecs.berkeley.edu/