modernisation-platform icon indicating copy to clipboard operation
modernisation-platform copied to clipboard

Resolve the bastion host key change warning

Open gfou-al opened this issue 3 years ago • 1 comments

User Story

New bastion 2.0.2 is re-created on daily basis. The result is that when the user SSH to the bastion, he/she has to remove the old host key from known_hosts every time bastion is reset:

ssh sprinkler-sandbox-bastion
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:EFrOMMDrFFu37+1oISNRxSvKRKM+XhYg1qVpTaeQlas.
Please contact your system administrator.
Add correct host key in /Users/george.fountopoulos/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/george.fountopoulos/.ssh/known_hosts:12
ECDSA host key for sprinkler-sandbox-bastion has changed and you have requested strict checking.
Host key verification failed.

This might be annoying for the end user.

The relevant bastion documentation for end users might need to be updated: https://user-guide.modernisation-platform.service.justice.gov.uk/user-guide/accessing-ec2s.html#using-a-bastion-for-older-ami-images

We need to find a way to deal with this. One solution might be: https://superuser.com/questions/141344/dont-add-hostkey-to-known-hosts-for-ssh

Value

Questions / Assumptions

Definition of done

  • [ ] readme has been updated
  • [ ] user docs have been updated
  • [ ] another team member has reviewed
  • [ ] tests are green

Reference

How to write good user stories

gfou-al avatar Nov 25 '21 09:11 gfou-al

I just execute ssh-keygen -R dev-bastion every morning 🤷‍♂️. With a bit more thought this could easily be added to a "forget and connect" script.

I also have StrictHostKeyChecking accept-new in my ssh config. I know that's not ideal, but I'm not sure I'd know if someone was spoofing the connection anyway.

jemnery avatar Nov 26 '21 09:11 jemnery

https://github.com/ministryofjustice/modernisation-platform/pull/2181

gfou-al avatar Aug 25 '22 16:08 gfou-al

Opened a related issue: https://github.com/ministryofjustice/modernisation-platform/issues/2185

gfou-al avatar Aug 30 '22 08:08 gfou-al