SSH Host Identification Changes on One Wireless Network – How to Fix

Tags: access-point, networking, security, ssh

I regularly connect via SSH to a remote server, from an Ubuntu system, on the default port 22.
Let's call the server example.org.
I am sure that this server is configured properly, and I have confirmed that the following issue is independent from my OS and persists across re-installs.

There is one particular Wi-Fi access point where, if I connect to the server (ssh example.org), I get this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:[REDACTED].
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/user/.ssh/known_hosts:3
  remove with:
  ssh-keygen -f "/home/user/.ssh/known_hosts" -R "serv.org"
ED25519 host key for serv.org has changed and you have requested strict checking.
Host key verification failed.

The problematic access point belongs to an academic institution, and seems to be more locked-down than commercial ISP networks (for example I can't download torrents on it). If I go back to another network (say, using my phone as an access point), I can connect again.

According to Wireshark:

  • The DNS query (to 8.8.8.8) for example.org returns the same IP address, even on the problematic access point.
  • The SSH key exchange seems to happen as usual, but the key sent by the server in the "ECDH Key Exchange Reply" indeed has a different fingerprint when I am connecting through the problematic AP.

I don't understand what this network is doing.
Blocking port 22 would be one thing, but here I seem to reach the server and get a wrong key as a response.

Could this access point be intentionally tampering with the SSH connection?
Is there a way for me to securely use SSH over it despite this?
Should I just avoid using it?
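A defender-side check for this situation, added here as example code that is not part of the original post: it recomputes OpenSSH's `SHA256:` fingerprint from the key stored in `known_hosts` (plain or hashed entries, as Ubuntu's `HashKnownHosts` writes them) and compares it with the fingerprint the warning printed, so the stored key at `known_hosts:3` can be checked against a fingerprint obtained out of band (for example from the server console). The `known_hosts` lines and the two key blobs are constructed sample data; `192.0.2.10` and `other.example` are placeholders.

```python
# Added example (not from the original post): compare a host-key warning's fingerprint with known_hosts.
import base64
import hashlib
import hmac

def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_host(host: str, salt: bytes) -> str:
    """Host field as written with HashKnownHosts: '|1|b64(salt)|b64(HMAC-SHA1(salt, host))'."""
    mac = hmac.new(salt, host.encode(), "sha1").digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field: str, host: str) -> bool:
    """True if a plain, comma-separated or hashed known_hosts host field names `host`."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        calc = hmac.new(base64.b64decode(salt), host.encode(), "sha1").digest()
        return hmac.compare_digest(calc, base64.b64decode(mac))
    return host in field.split(",")

def stored_keys(known_hosts_text: str, host: str, key_type: str):
    """Yield (line_number, fingerprint) for every `key_type` entry of `host`."""
    for num, line in enumerate(known_hosts_text.splitlines(), start=1):
        f = line.split()
        if len(f) >= 3 and f[1] == key_type and host_matches(f[0], host):
            yield num, fingerprint(f[2])

def check(known_hosts_text: str, host: str, key_type: str, offered_fp: str) -> str:
    """'match', 'mismatch' (possible MITM or a real key change: confirm out of band) or 'unknown'."""
    stored = list(stored_keys(known_hosts_text, host, key_type))
    if not stored:
        return "unknown"
    return "match" if any(fp == offered_fp for _, fp in stored) else "mismatch"

def ed25519_blob(raw32: bytes) -> str:
    """Base64 ssh-ed25519 wire blob for 32 raw bytes (used only to construct samples)."""
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + raw32).decode()
# Constructed sample data: line 3 is the plain 'serv.org' entry the warning points at,
# line 4 the same key hashed; SUSPECT_KEY stands in for the key offered via the bad AP.
TRUSTED_KEY = ed25519_blob(bytes(range(32)))
SUSPECT_KEY = ed25519_blob(bytes(range(1, 33)))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "other.example ssh-ed25519 " + ed25519_blob(bytes(32)),
    "# comment line",
    "serv.org,192.0.2.10 ssh-ed25519 " + TRUSTED_KEY,
    hashed_host("serv.org", b"\x01" * 20) + " ssh-ed25519 " + TRUSTED_KEY,
])
```

Running `check(SAMPLE_KNOWN_HOSTS, "serv.org", "ssh-ed25519", fingerprint(SUSPECT_KEY))` returns `"mismatch"`, the situation in the warning above; the real stored key comes from `~/.ssh/known_hosts` and the offered one from the warning text or `ssh-keyscan` run on a trusted network.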

Best Answer

Either this system's host keys are changing or someone/something is MITM'ing the SSH connection.

The appropriate course of action is to consider that host as compromised (although it's likely not the host itself, rather the connection) unless/until you have an explanation.

You may want to reach out to the system administrator of that AP and advise them of your concerns and try and track this down with them.