When connecting (e.g. via ssh) to endeavour or discovery, we are asked to verify the host’s fingerprint. Example:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:DS3uH28N7dT0tl9BiyfQWC8U2PVCZSaHLWMqm5wLa0U.
Please contact your system administrator.
Is there a place where we can find the ground truth (e.g. a webpage where up-to-date fingerprints are published), are we supposed to skip this security check, or is there some other procedure?
If you see this message and are feeling suspicious or cautious, you can always send us a ticket to verify if this is expected.
Another method you may see is to authenticate using a “trusted” method and run this command to verify the fingerprint:
ssh-keygen -lf /etc/ssh/{keyname}.pub
If the fingerprints match, then it is safe to connect.
In our case, the “trusted” method can be our Open OnDemand shell. You can go to https://ondemand.carc.usc.edu and select Clusters → Discovery Cluster Shell Access.
Since the message you have shared indicates an ED25519 key with the SHA256 hashing algorithm, you can run this command:
$ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
256 SHA256:DS3uH28N7dT0tl9BiyfQWC8U2PVCZSaHLWMqm5wLa0U no comment (ED25519)
This matches the host key from the ssh attempt so it is safe to connect.
I hope that helps. Let me know if you have any other questions.
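The comparison described in the answer above, as an added example that is not part of the original posts: it derives the SHA256 fingerprint the way `ssh-keygen -lf` does (unpadded base64 of SHA-256 over the decoded key blob) and checks it against the fingerprint quoted in the ssh warning. The function names are hypothetical and the public key is a constructed sample, not the cluster's real host key.

```python
import base64
import hashlib
import hmac
import re
import struct

# Fingerprint lines as quoted in the ssh warning on this page.
WARNING_TEXT = """\
The fingerprint for the ED25519 key sent by the remote host is
SHA256:DS3uH28N7dT0tl9BiyfQWC8U2PVCZSaHLWMqm5wLa0U.
"""

def constructed_pubkey_line(raw_key: bytes) -> str:
    """Build a well-formed ssh-ed25519 .pub line from sample bytes (constructed input)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw_key)) + raw_key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

def fingerprint_from_pubkey_line(line: str) -> str:
    """Return the SHA256 fingerprint of one line of a host key .pub file."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    key_type, b64_blob = fields[0], fields[1]
    blob = base64.b64decode(b64_blob, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type; reject mismatches.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_from_warning(text: str) -> str:
    """Extract the SHA256 fingerprint that ssh printed for the offered host key."""
    match = re.search(r"SHA256:[A-Za-z0-9+/]{43}", text)
    if match is None:
        raise ValueError("no SHA256 fingerprint found in text")
    return match.group(0)

def host_key_matches(warning_text: str, trusted_pubkey_line: str) -> bool:
    """True only if the offered fingerprint equals the one read over the trusted channel."""
    offered = fingerprint_from_warning(warning_text)
    trusted = fingerprint_from_pubkey_line(trusted_pubkey_line)
    return hmac.compare_digest(offered, trusted)
```

In practice `trusted_pubkey_line` would be the contents of `/etc/ssh/ssh_host_ed25519_key.pub` read through the trusted shell, and a `False` result means the connection should not be accepted.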