The NSLS-II Data Science and Systems Integration (DSSI) group is replacing the NSLS-II SSH gateway and updating the "fingerprint" that assures users that they have connected to the actual NSLS-II SSH gateways and not to a malicious impostor in the middle. Therefore, we are notifying all users about the new official fingerprint so that they can connect to NSLS-II systems with confidence.
What We are Doing
The NSLS-II SSH gateways are the hosts identified by ssh.nsls2.bnl.gov and make up the service you use to "jump" into the Science Network to access beamline hosts or infrastructure. We are using a new group of upgraded hosts within the NSLS-II network to better manage our network and traffic.
What It Means to Users
This change means that the first time you connect to the new group (using ssh.nsls2.bnl.gov) from a host, either as a first step or as a jump, you might see a message that looks like this:
```
feynman@host ~> ssh feynman@ssh.nsls2.bnl.gov
The authenticity of host 'ssh.nsls2.bnl.gov (192.203.218.31)' can't be established.
ED25519 key fingerprint is SHA256:41IwO0No8QHm6LXq7lVo74Gbk2dJZskbLWIPtD28Ay0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
```
When the fingerprint in the prompt matches the new official fingerprint, it is OK to type 'yes' to allow your machine to write the new fingerprint.
If you reconnect to ssh.nsls2.bnl.gov using a computer that has connected before, you will see a stern message with a standard warning from the SSH application, quoted below:
```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:41IwO0No8QHm6LXq7lVo74Gbk2dJZskbLWIPtD28Ay0
Please contact your system administrator.
Add correct host key in /home/feynman/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/feynman/.ssh/known_hosts:205
Host key for ssh.nsls2.bnl.gov has changed and you have requested strict checking.
Host key verification failed.
```
You have two options here.
1. Remove the lines in the known_hosts file that the message mentions. That is, manually delete any lines that start with "ssh.nsls2.bnl.gov".
2. Run ssh-keygen -R ssh.nsls2.bnl.gov and the lines that mention the gateway (ssh.nsls2.bnl.gov) will automatically be removed.
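The fingerprint in the prompt is the unpadded base64 of the SHA-256 digest of the host's public key blob, so a key line (from `ssh-keyscan` output or a known_hosts entry) can be checked against the announced value before it is trusted. The following is an added example, not part of the original announcement; the function names, the host `gateway.example` and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Fingerprint published in the announcement above.
ANNOUNCED = "SHA256:41IwO0No8QHm6LXq7lVo74Gbk2dJZskbLWIPtD28Ay0"
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-")


def fingerprint(line):
    """Return (key_type, 'SHA256:...') for a known_hosts, ssh-keyscan or .pub line."""
    fields = line.split()
    # The key type is the first field naming an algorithm; the base64 blob follows it.
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            blob = base64.b64decode(fields[i + 1], validate=True)
            if len(blob) < 4:
                raise ValueError("key blob too short")
            # The blob begins with a length-prefixed copy of the key type.
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n].decode("ascii", "replace") != field:
                raise ValueError("key type does not match key blob")
            digest = hashlib.sha256(blob).digest()
            # OpenSSH prints the digest as base64 without '=' padding.
            return field, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key found in line")


def matching_keys(scan_output, expected=ANNOUNCED):
    """Return the key types in scan output whose fingerprint equals `expected`."""
    matches = []
    for line in scan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # ssh-keyscan banner/comment lines
        key_type, fp = fingerprint(line)
        if fp == expected:
            matches.append(key_type)
    return matches


def sample_line(host, key_bytes):
    """Build a constructed ssh-ed25519 key line (not a real gateway key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key_bytes
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed sample in ssh-keyscan's output format.
SAMPLE_SCAN = "# gateway.example:22 SSH-2.0-OpenSSH\n" + sample_line("gateway.example", bytes(range(32)))

if __name__ == "__main__":
    print(fingerprint(SAMPLE_SCAN.splitlines()[1]))
    # Empty list: the constructed key is not the announced gateway key, so do not trust it.
    print(matching_keys(SAMPLE_SCAN))
```

An empty result from `matching_keys` means no presented key matches the announced fingerprint, in which case the key should not be accepted.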
For more information, see:
https://docs.nsls2.bnl.gov/docs/remote/ssh.html (BNL Domain login required)
If you have any questions on this change, please reach out to Matthew Snyder msnyder@bnl.gov or NSLS-II Data Engineering Group Lead Dan Allan dallan@bnl.gov.