On Tuesday, 08.03.2022, we will roll out a new SSH server configuration and provide new SSH host keys. Expect a warning when you try to connect to your instance via SSH after our upgrade and replace the old key in your known_hosts file with the new fingerprint.

Crypto is evolving

Security is an ongoing process and requires continuous adaptation. As new weaknesses are discovered and new algorithms are developed, configuration must be adjusted and cryptographic keys replaced.

Even though better algorithms may exist, you can't always remove all of the older ones, because not all servers and clients support the newer ones yet. In fact, you need to consider not only host keys, but also ciphers, compression formats, key exchange protocols (KEX), message authentication codes (MACs) and more.

Screenshot of a compatibility chart from ssh-comparison.quendi.de

We recently upgraded our Docker base image and all derived images to a new Debian version. With that comes a new version of OpenSSH and further improvements. We take this as an opportunity to upgrade our configuration and host keys.

More concretely, we will drop support for a few algorithms which are considered weak and which can likely be decrypted by the NSA. In particular, some of the curve choices used in key exchange protocols cannot be trusted anymore. We also take the chance to generate new host keys with a higher bit length.

There are two host keys

SSH access in Beach is a bit special: You don't connect to your Beach instance via SSH directly, but first connect to a gateway (a "jump host") which then allows you to connect to a second SSH server routed through an internal network.

We will change the SSH host key of the jump host (for most customers that is ssh.flownative.cloud) and the SSH host keys of every individual Beach instance.

Therefore, the next time you connect to your Beach instance via SSH, your client will warn you about a changed fingerprint for ssh.flownative.cloud and for your instance. Accept these changes by either removing the keys manually from your ~/.ssh/known_hosts file, or by running the following commands:

# Remove known fingerprint for the gateway:
ssh-keygen -R ssh.flownative.cloud

# Remove known fingerprint for your instance:
ssh-keygen -R instance-abc123456-abc-….beach-project-abc12345-1234…

Then connect to your instance and accept the two new host keys.
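The two ssh-keygen -R calls above remove the cached entries; before accepting the keys that are offered next, it is worth comparing their fingerprints with the ones published out of band rather than trusting the first key you see. The following is an added example (not Flownative's code or tooling) that does both in plain Python: it prunes the gateway and instance entries from a known_hosts file, handling plain, [host]:port and hashed (HashKnownHosts) forms, and checks an offered key against an expected SHA256 fingerprint. The instance host name, all keys, salts and fingerprints are constructed for the demo; only ssh.flownative.cloud comes from the announcement.

```python
# Added example, not Flownative's code: prune the stale gateway and instance
# entries from a known_hosts file (what `ssh-keygen -R` does for each host) and
# check a newly offered host key against a fingerprint obtained out of band
# before trusting it. Host names other than ssh.flownative.cloud, keys, salts
# and fingerprints below are constructed for this demo.
import base64
import hashlib
import hmac


def _hashed_host_matches(field: str, host: str) -> bool:
    """Match a hashed host field of the form |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt, mac = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    calc = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(calc, mac)


def host_field_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field names `host`, either in plain form
    (comma-separated names, including the [host]:port form used for
    non-default ports) or in hashed form."""
    if field.startswith("|"):
        return _hashed_host_matches(field, host)
    return any(name == host or name.startswith(f"[{host}]:")
               for name in field.split(","))


def remove_host_entries(known_hosts: str, hosts: list) -> tuple:
    """Return (new_text, removed_count): the file without cached keys for any
    of `hosts`. Comments and marker lines (@cert-authority, @revoked) are policy
    rather than cached keys, so they are always kept."""
    kept, removed = [], 0
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0].startswith("@"):
            kept.append(line)
        elif any(host_field_matches(fields[0], h) for h in hosts):
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + ("\n" if kept else ""), removed


def sha256_fingerprint(pubkey_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of the SHA-256
    digest of the raw key blob (the same value `ssh-keygen -lf` prints)."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_matches_fingerprint(offered_line: str, expected_fp: str) -> bool:
    """Compare a key offered by a server (an `ssh-keyscan`-style 'host type key'
    line) with the fingerprint published out of band; True only on exact match."""
    fields = offered_line.split()
    if len(fields) < 3:
        return False
    return hmac.compare_digest(sha256_fingerprint(fields[2]), expected_fp)


# --- constructed sample data -------------------------------------------------

def _ed25519_blob(raw32: bytes) -> str:
    """Build an ssh-ed25519 public key blob in OpenSSH wire format from 32 bytes
    (constructed for the demo; not a real key pair)."""
    ktype = b"ssh-ed25519"
    blob = (len(ktype).to_bytes(4, "big") + ktype
            + len(raw32).to_bytes(4, "big") + raw32)
    return base64.b64encode(blob).decode()


def _hashed_field(host: str, salt: bytes) -> str:
    """Produce the hashed host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


GATEWAY = "ssh.flownative.cloud"
INSTANCE = "instance-example.beach-project-example"  # placeholder instance host name
OLD_GATEWAY_KEY = _ed25519_blob(bytes(range(32)))
NEW_GATEWAY_KEY = _ed25519_blob(bytes(range(32, 64)))
OLD_INSTANCE_KEY = _ed25519_blob(bytes(32))
OTHER_KEY = _ed25519_blob(bytes(range(64, 96)))

SAMPLE_KNOWN_HOSTS = (
    "# constructed known_hosts for the demo\n"
    f"{GATEWAY} ssh-ed25519 {OLD_GATEWAY_KEY}\n"
    f"[{INSTANCE}]:2222 ssh-ed25519 {OLD_INSTANCE_KEY}\n"
    f"{_hashed_field(INSTANCE, b'0123456789abcdef0123')} ssh-ed25519 {OLD_INSTANCE_KEY}\n"
    f"other.example ssh-ed25519 {OTHER_KEY}\n"
)

if __name__ == "__main__":
    cleaned, n = remove_host_entries(SAMPLE_KNOWN_HOSTS, [GATEWAY, INSTANCE])
    print(f"removed {n} stale entries; remaining:\n{cleaned}")
    # Fingerprint as it would be published out of band, e.g. in an announcement.
    published = sha256_fingerprint(NEW_GATEWAY_KEY)
    offered = f"{GATEWAY} ssh-ed25519 {NEW_GATEWAY_KEY}"
    print("offered key matches published fingerprint:",
          key_matches_fingerprint(offered, published))
```

In practice you would feed `remove_host_entries` the contents of ~/.ssh/known_hosts and `key_matches_fingerprint` a line captured with ssh-keyscan, comparing against the fingerprint the operator publishes; the comparison uses a constant-time equality check and the hashed-entry matching mirrors the HMAC-SHA1 construction OpenSSH uses, so it also finds entries written with HashKnownHosts enabled.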

When you connect to another instance you own, there will be only one warning, for the host key of that particular instance. There won't be another warning for the gateway, because its key is the same one you already accepted.

Changes are rolled out over time

New host keys are being generated on March 8th 2022 in the morning (CET) and will take effect step by step during the day.

If you have any questions or concerns, please get in touch with Flownative support via https://support.flownative.com.