What to do when SSH isn't working - Fixing your SSH known_hosts file

Quick summary (ssh experts only, everyone else read the next sections)

Download the correct known_hosts entries below (either ed25519 or RSA ) and add them to your known_hosts file. Make sure you delete any existing panix keys first!

Examples of SSH error/warning messages

First-time connections

Unless you first download our host keys (as explained below), the first time you connect to a Panix shell host, SSH will complain that it doesn't recognize our host key- which is correct behavior. You have to accept the key, though you should check the fingerprint provided against our list of fingerprints. (If they don't match, you're under attack!) However, it would be better to first install our keys, as explained below.

The ssh complaint will look like this:

The authenticity of host '[hostname] ([IP address])' can't be established.
ED25519 key fingerprint is [long string of characters, the fingerprint]
Are you sure you want to continue connecting (yes/no)? [here you type yes, and hit return]
Once you type yes (check the fingerprint first!!), it will respond:
Warning: Permanently added '[hostname,IP Address]' ([key type, typically ED25519]) to the list of known hosts.
Then you will be connected normally.

Step-by-step guide for Mac, Linux/Unix, and Windows

Mac and Linux/Unix - replace your key file entirely

If you only use SSH to connect to Panix, and no other servers, this is the easiest way to install your host keys. Simply open a new Terminal window, and type (or paste) in the following:
mkdir .ssh
curl https://config.panix.com/vault/sshdata/ssh.ed25519 >.ssh/known_hosts
The first line will produce an error, if you've already used ssh on that machine before. You can ignore it.

Some Linuxes and Unixes may need curl to be installed first. Alternatively, you can use a web browser to download that file, and then use "mv" to move it into place.

Some Macs running older versions of MacOS will give an error message when using "curl". If it complains about an "SSL certificate problem", then use the command "curl -k" instead of "curl".

Mac and Linux/Unix - alter an existing known_hosts file

Open a new Terminal window, and type/paste in the following commands, one line at a time:

cd .ssh
mv known_hosts known_hosts.temp
grep -v panix <known_hosts.temp >known_hosts
curl https://config.panix.com/vault/sshdata/ssh.ed25519 >>known_hosts
rm known_hosts.temp
This takes your existing host keys file, removes any previously obtained panix keys from it, and then adds in all the keys provided by Panix.

Some Linuxes and Unixes may need curl to be installed first. Alternatively, you can use a web browser to download that file, and then use "cat filename >>known_hosts" to append it to the known_hosts file.

Some Macs running older versions of MacOS will give an error message when using "curl". If it complains about an "SSL certificate problem", then use the command "curl -k" instead of "curl".

Windows 10 and 11 - replace your key file entirely

If you only use SSH to connect to Panix, and no other servers, this is the easiest way to install your host keys. Simply open a new command (CLI) window, and type (or paste) in the following, one line at a time:

mkdir .ssh
curl https://config.panix.com/vault/sshdata/ssh.ed25519 >.ssh/known_hosts
The first line will produce an error, if you've already used ssh on that machine before. You can ignore it.

Some early versions of Windows 10 that were never updated won't have curl installed; for those, see below.

Windows 10 and 11 - alter an existing known_hosts file

Open a new command (CLI) window, and type/paste in the following commands, one line at a time:

cd .ssh
move known_hosts known_hosts.temp
findstr /v panix <known_hosts.temp >known_hosts
curl https://config.panix.com/vault/sshdata/ssh.ed25519 >>known_hosts
del known_hosts.temp
This takes your existing host keys file, removes any previously obtained panix keys from it, and then adds in all the keys provided by Panix.

Some early versions of Windows 10 that were never updated won't have curl installed; for those, see below.

Older versions of Windows

For older versions of Windows, which don't come with "curl", you can attempt to install curl first (search the web for instructions), or else use your browser to download our keys.

A warning about copy/pasting host keys

Many host keys take up more than one screen line of space, but they're just one logical line of text - that is, there are NO embedded newlines or carriage-return characters. Many terminal programs will get that wrong if you copy and paste individual keys, leaving your host keys broken. In that case, make sure to get rid of the extra returns/newlines.



Last Modified:Tuesday, 21-Jun-2022 01:58:51 EDT
© Copyright 2006-2021 Public Access Networks Corporation