SSH Host Keys:

Fixing your SSH known_hosts file

Here are instructions for obtaining the canonical SSH host keys for Panix; this will assist in increasing the security of your SSH connections. We keep sets of keys on hand in usable formats for OpenSSH, Tera Term TTSSH, Mac OS X, MacSSH, and PuTTY. If none of these formats work for your SSH client, just send us email describing your setup and error symptoms. We'll be glad to help.

For more information about SSH connections to Panix, and other account security tips, check out our Security Help index.


If you use SSH, you have to set up a key for each host you log into. The key goes into the .ssh/known_hosts file in your home directory (if on a UNIX machine, including a Mac running OS X) or in the directory specified by your SSH client as containing a known_hosts file (if Windows or older Mac).

If you're on a Unix system and aren't sure which client you're using,
 ssh -V 
will tell you.

The public keys are available on our secure server. You can right-click the link (or control-click if you use a Mac) and save the key files as is; or use the "Save As" option if you prefer.

Host keys for PuTTY
Download the file, unzip it, and double-click it; Windows will do the rest. The enclosed .REG file includes RSA keys for panix2 and panix3, and DSA keys for panix1, panix2, panix3, and panix5. Unfortunately, since PuTTY doesn't support alias names for hosts, you still won't be able to use "shell.panix.com" without getting the warning message.

Host keys for MacSSH (System 9 and earlier)
This file goes into System->Preferences->MacSSH.

DSA keys
Keys for more recent SSH implementations (OpenSSH, ssh.com 2.0 and above, Mac OS X).

RSA keys
Keys for TeraTerm and other ancient SSH implementations, like the ssh.com 1.x versions ("ssh -V" reports "SSH Version 1.xx").

For most SSH implementations, you should be able to add these files directly into your ".ssh/known_hosts" file (or whatever the equivalent name is for your implementation, for example, "known-hosts" for TeraTerm). If you're on a Unix system and you don't already have a directory called .ssh you should create it and put the known_hosts file there.

Save the files as they are: DO NOT copy and paste the keys! Copy/paste operations tend to add newline characters to the keys, which makes them unusable. Use "File:Save As" or the equivalent instead.

You can also make a copy of the fingerprints for comparison should you need to verify a connection from a new machine.

If you cannot import the file you need from there, read on:

Remember that shell.panix.com is more than one machine. If you set up a key for one host, logging into "shell" may give you a different host, in which case you'll get a warning that your host identification has changed. You can avoid that message if you set up your known_hosts file this way:

panix1.panix.com,166.84.1.1,shell.panix.com 1024 (panix1 key)
panix2.panix.com,166.84.1.2,shell.panix.com 1024 (panix2 key)
panix3.panix.com,166.84.1.3,shell.panix.com 1024 (panix3 key)

An easy way to do this is to remove any panix.com entries in known_hosts, then ssh to panix1, 2, and 3 (that is, panix1.panix.com, etc.), then add "shell.panix.com" to each entry between the hostname and IP.
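
The edit described above can be scripted. The following is an added example, not part of the original Panix instructions: it adds the alias to the panix1-3 entries and reports lines that no longer parse, such as a key split by a pasted newline. It assumes the OpenSSH protocol 2 line layout (host list, key type, base64 key); the function names are hypothetical and the sample keys are constructed filler, not real Panix host keys.

```python
import base64
import binascii
import struct

ALIAS = "shell.panix.com"
SHELL_HOSTS = {"panix1.panix.com", "panix2.panix.com", "panix3.panix.com"}

def key_blob_ok(keytype, b64):
    """True if the blob is valid base64 and its embedded name matches keytype."""
    try:
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
    except (binascii.Error, ValueError, struct.error):
        return False
    return blob[4:4 + n] == keytype.encode()

def add_alias(text):
    """Add ALIAS to the panix1-3 entries; return (new_text, bad_line_numbers)."""
    out, bad = [], []
    for num, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        # Blank lines, comments and @marker lines pass through unchanged.
        if not fields or fields[0][0] in "#@":
            out.append(line)
            continue
        # A key wrapped by copy/paste leaves lines that no longer parse.
        if len(fields) < 3 or not key_blob_ok(fields[1], fields[2]):
            bad.append(num)
            out.append(line)  # left as-is for the user to repair
            continue
        hosts = fields[0].split(",")
        named = [h for h in hosts if h in SHELL_HOSTS]
        if named and ALIAS not in hosts:
            hosts.insert(hosts.index(named[0]) + 1, ALIAS)  # after the hostname
            line = " ".join([",".join(hosts)] + fields[1:])
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), bad

# Constructed sample: filler bytes in the key wire format, not real host keys.
KEY = base64.b64encode(struct.pack(">I", 7) + b"ssh-dss" + bytes(range(40))).decode()
SAMPLE = "\n".join([
    "panix1.panix.com,166.84.1.1 ssh-dss " + KEY,
    "panix2.panix.com,166.84.1.2 ssh-dss " + KEY[:30],  # key cut by a newline
    KEY[30:],
    "panix3.panix.com,166.84.1.3,shell.panix.com ssh-dss " + KEY,
    "other.example.org ssh-dss " + KEY,
])
```

Lines reported as unparseable are left untouched; replace them with the key file saved directly from the server rather than re-pasting.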

Meantime, if you connect to an unknown host, your client should provide you with a fingerprint for that host. You can verify the host by comparing the fingerprint you see with these.



Last Modified: Wednesday, 30-Jan-2013 12:14:12 EST
© Copyright 2006-2011 Public Access Networks Corporation