modernisation-platform
Resolve the bastion host key change warning
User Story
New bastion 2.0.2 is re-created on a daily basis. The result is that when the user SSHes to the bastion, he/she has to remove the old host key from known_hosts every time the bastion is reset:

```
ssh sprinkler-sandbox-bastion
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:EFrOMMDrFFu37+1oISNRxSvKRKM+XhYg1qVpTaeQlas.
Please contact your system administrator.
Add correct host key in /Users/george.fountopoulos/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/george.fountopoulos/.ssh/known_hosts:12
ECDSA host key for sprinkler-sandbox-bastion has changed and you have requested strict checking.
Host key verification failed.
```
This might be annoying for the end user.
The relevant bastion documentation for end users might need to be updated: https://user-guide.modernisation-platform.service.justice.gov.uk/user-guide/accessing-ec2s.html#using-a-bastion-for-older-ami-images
We need to find a way to deal with this. One solution might be: https://superuser.com/questions/141344/dont-add-hostkey-to-known-hosts-for-ssh
Value
Questions / Assumptions
Definition of done
- [ ] readme has been updated
- [ ] user docs have been updated
- [ ] another team member has reviewed
- [ ] tests are green
Reference
I just execute `ssh-keygen -R dev-bastion` every morning 🤷‍♂️. With a bit more thought this could easily be added to a "forget and connect" script.

I also have `StrictHostKeyChecking accept-new` in my ssh config. I know that's not ideal, but I'm not sure I'd know if someone was spoofing the connection anyway.
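The "forget and connect" script mentioned above, written out as an added example (not code from the modernisation-platform repository or from the commenter). The security point it makes: running `ssh-keygen -R` and reconnecting, or turning off host key checking as the linked superuser answer suggests, means the first key the client sees after a rebuild is accepted unconditionally, which is exactly the man-in-the-middle case the warning exists for. The wrapper below instead removes the stale entry, fetches the current key, and refuses to connect unless its fingerprint matches one supplied out of band. Assumptions: the host name given to it is resolvable by `ssh-keyscan` (the issue's alias `sprinkler-sandbox-bastion` is used as a placeholder), the expected fingerprint is obtained from a trusted source after each rebuild and passed as the second argument, and the function names are hypothetical.

```shell
#!/bin/sh
# "Forget and connect" wrapper for a bastion whose host key changes on every
# rebuild. Added example, not part of the modernisation-platform repository.
# Placeholders: host alias taken from the issue; expected fingerprint is
# assumed to be obtained out of band and passed in by the caller.

# Remove every known_hosts entry naming HOST from FILE. Portable equivalent
# of `ssh-keygen -R HOST -f FILE` (without the .old backup). Handles plain and
# comma-separated host fields and a leading @marker; hashed (|1|...) entries
# cannot be matched by name here and are kept untouched.
forget_host() {
  host="$1"; file="$2"
  tmp="${file}.tmp.$$"
  awk -v h="$host" '
    substr($0, 1, 3) == "|1|" { print; next }    # hashed entry: keep
    {
      f = ($1 ~ /^@/) ? $2 : $1                  # skip @cert-authority etc.
      n = split(f, hosts, ",")
      keep = 1
      for (i = 1; i <= n; i++) if (hosts[i] == h) keep = 0
      if (keep) print
    }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Count the unhashed entries in FILE that name HOST (used to check the
# forget step actually removed what it should).
count_host_entries() {
  host="$1"; file="$2"
  awk -v h="$host" '
    substr($0, 1, 3) != "|1|" {
      f = ($1 ~ /^@/) ? $2 : $1
      n = split(f, hosts, ",")
      for (i = 1; i <= n; i++) if (hosts[i] == h) c++
    }
    END { print c + 0 }' "$file"
}

# Succeed only when the observed fingerprint equals the expected one and the
# expected value is non-empty (an empty expectation must never pass).
fingerprint_matches() {
  expected="$1"; observed="$2"
  [ -n "$expected" ] && [ "$expected" = "$observed" ]
}

# Fetch the bastion's current ECDSA key (the type shown in the issue), compare
# its SHA256 fingerprint with the out-of-band value, and only then replace the
# known_hosts entry and connect. Needs network access, so the offline test
# below does not call it.
connect_bastion() {
  host="$1"; expected="$2"; kh="${3:-$HOME/.ssh/known_hosts}"
  keyfile=$(mktemp) || return 1
  if ! ssh-keyscan -t ecdsa "$host" > "$keyfile" 2>/dev/null; then
    rm -f "$keyfile"; echo "could not fetch host key for $host" >&2; return 1
  fi
  observed=$(ssh-keygen -lf "$keyfile" | awk '{print $2}')
  if ! fingerprint_matches "$expected" "$observed"; then
    rm -f "$keyfile"
    echo "host key for $host is $observed, expected $expected; refusing" >&2
    return 1
  fi
  forget_host "$host" "$kh"
  cat "$keyfile" >> "$kh"
  rm -f "$keyfile"
  exec ssh "$host"
}

# Usage (after the daily rebuild, FP obtained from a trusted channel):
#   connect_bastion sprinkler-sandbox-bastion "SHA256:<expected fingerprint>"
```

With `StrictHostKeyChecking accept-new` still in place, the wrapper only ever adds one freshly verified entry per rebuild, and a key that does not match the out-of-band fingerprint leaves known_hosts unchanged and never reaches `ssh`.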
https://github.com/ministryofjustice/modernisation-platform/pull/2181
Opened a related issue: https://github.com/ministryofjustice/modernisation-platform/issues/2185