Change to SSH “RSA key fingerprint”

We’ve made a change to one of the SSH keys our servers use, and this post explains why a small number of customers may see a warning message as a result. If you don’t use SSH to connect to the command-line shell (most people don’t), you can ignore this post completely.

The change is that the RSA key has been increased in size (to 2,048 bits) to ensure that sites we host pass PCI compliance scans. (This change was unavoidable, because security companies are saying that any keys created years ago using the then-recommended size, like our previous one, must be replaced.)

Most modern SSH software now uses ECDSA keys instead of RSA keys, so this won’t affect most people. But if your SSH software still uses RSA keys, you may see a message like this:

Warning: the RSA host key for 'example.com' differs from the
key for the IP address '192.0.2.3'
Are you sure you want to continue connecting (yes/no)?

Or even more alarmingly, like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now
(man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
21:24:65:80:55:5e:8c:e2:d9:6d:21:43:ef:07:3f:21.

If you see either of these, it’s expected and okay. It’s telling you that it thinks the RSA host key has changed since the last time you connected — which it has.

If your SSH client software completely prevents you from connecting because of an existing entry in your computer’s “known_hosts” file, removing the line it mentions from that file will fix it.

The next time you connect after doing that, you’ll be prompted to add the new key. You can verify the key fingerprint it shows you on our SSH page.
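As an added example (not code from this post or from our servers), the Python sketch below shows how the fingerprint check can be done offline against a "known_hosts"-style line: it computes the colon-separated MD5 fingerprint in the format shown in the warning above, plus the SHA256 form, and confirms the RSA key is at least 2,048 bits. The function names and the sample keys are assumptions constructed for illustration; the published fingerprint to compare against must come from the SSH page.

```python
import base64
import hashlib
import struct

def _read_field(blob, pos):
    """Read one uint32-length-prefixed field from an SSH public key blob."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end

def inspect_rsa_host_key(line):
    """Return (modulus bits, MD5 fingerprint, SHA256 fingerprint) for a
    'host ssh-rsa BASE64' line as found in known_hosts."""
    fields = line.split()
    if len(fields) < 3 or fields[1] != "ssh-rsa":
        raise ValueError("not an ssh-rsa host key line")
    blob = base64.b64decode(fields[2], validate=True)
    key_type, pos = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type does not match the line")
    _exponent, pos = _read_field(blob, pos)
    modulus, _ = _read_field(blob, pos)
    bits = int.from_bytes(modulus, "big").bit_length()
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return bits, md5_fp, "SHA256:" + sha256

def matches_published(line, published_md5, min_bits=2048):
    """Accept the key only if it is big enough and its fingerprint matches."""
    bits, md5_fp, _ = inspect_rsa_host_key(line)
    return bits >= min_bits and md5_fp == published_md5.strip().lower()

def _mpint(value):
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")  # leading 0x00 keeps it positive
    return struct.pack(">I", len(raw)) + raw

def build_sample_line(host, modulus, exponent=65537):
    """Constructed test input: SSH wire format is string type, mpint e, mpint n."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(exponent) + _mpint(modulus)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

# Constructed samples, not real host keys (the moduli are placeholders, not products of primes).
SAMPLE_2048 = build_sample_line("example.com", (1 << 2047) | 1)
SAMPLE_1024 = build_sample_line("example.com", (1 << 1023) | 1)
```

A mismatch from matches_published means the key should not be accepted until the fingerprint has been confirmed through a separate channel.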

Minor change to SSH settings

We’re making a minor technical change to the SSH settings our servers use, removing obsolete and insecure ciphers like “3des-cbc”.

The changes are required to ensure that sites we host pass PCI compliance scans. The obsolete ciphers allowed SSH connections that appeared to be secure, but really weren’t.

This should not affect anything for our customers who use SSH, as long as you use modern, updated SSH software. We’re just documenting it in case anyone has difficulties with SSH connections.

If you do have any trouble, though, the solution is almost certainly to update your SSH client software: the program you’re using is probably pretty outdated and may also have trouble connecting to other servers, not just ours.

As always, don’t hesitate to contact us if you have any trouble or questions.
