
c3b96 (c3b96) asked a question.
Hi, I'm currently using Okta OPA (Okta Privileged Access).
I installed the server side ScaleFT server agent on my servers, which previously allowed me to SSH into my servers. However, I had to perform an upgrade for the servers' OpenSSH daemon because of vulnerabilities of the earlier versions.
After performing the upgrade, SSH access through the Okta ScaleFT client started failing due to host_key fingerprinting issues. It is unclear where the ScaleFT client obtains these Host keys, as they appear to be generated dynamically on my endpoint. I have attempted to uninstall and re-install the server-side ScaleFT agent, and various other measures, but to no avail. Has anybody else faced the same issue?
I understand that upgrading OpenSSH changes the server's cryptographic fingerprinting. For normal SSH, I can simply fingerprint the host again, but I am unsure how I can do that with Okta's ScaleFT client.
Additionally, where can we see and access the Okta OPA list of host_keys and fingerprints so that we can change it?
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (person-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ecdsa-sha2-nistp256 key sent by the remote host is
SHA256:vltoF6472Y5xGn4ZP1mTppsoMUIwCjFrRqV3+MyByq4.
Offending ecdsa-sha2-nistp256 key in path\to\ScaleFT\ssh_known_hosts\6573b81db35695594b9de02a535f424e8768dbc7:9
ssh: handshake failed: Hostkey rejected
Enter any key to exit?

Hello @c3b96 (c3b96) Thank you for posting on our Community page!
This could be because later OpenSSH implementations require higher-strength algorithms, and we allow users to specify the algorithm in the Settings in the Project in the Resource Group managing the servers.
Thank you for reaching out to our Community and have a great day!
Hi @Paul S. (Okta, Inc.) thank you very much for your reply. Our SSH configuration was already set to ssh-ed25519. But I tried out the other weaker algorithms and sadly the same error appeared.
Nonetheless thank you very much for the suggestion.
@Mihai N. (Okta, Inc.) I would like to clarify and emphasize that Paul's solution DID NOT WORK or resolve the issue. Though I do appreciate the attempt. So please don't select the post as the best answer as it can be misleading to other users because it does not resolve the issue.
@c3b96 (c3b96) Acknowledged. Sorry for the misunderstanding.
@User15760676512259290463 (Tier 2 - US West) fixed the issue. When using an OpenSSH that is compiled manually, we need to modify /etc/ssh/sshd_config to point to the correct host keys.
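One way to check the fix described above before reconnecting, as an added example that is not part of the original thread and is not Okta's code: it lists the HostKey paths in an sshd_config and reports whether each key's SHA256 fingerprint matches the one the client has pinned. Assumptions: the ScaleFT known-hosts file uses the OpenSSH `host type base64` line format, "correct" means the keys the client already pinned, and the host name, the `/usr/local/etc` path and all key material are constructed samples.

```python
import base64, hashlib, struct

def host_key_paths(sshd_config_text):
    """HostKey paths from sshd_config text (the keyword is case-insensitive)."""
    paths = []
    for raw in sshd_config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "hostkey":
            paths.append(parts[1].strip().strip('"'))
    return paths  # empty list: sshd falls back to its compiled-in default paths

def fingerprint(key_type_and_blob):
    """SHA256 fingerprint, as ssh prints it, of '<type> <base64> [comment]'."""
    blob = base64.b64decode(key_type_and_blob.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def matches_pinned(sshd_config_text, read_pub, known_hosts_line):
    """Map each configured HostKey path to True if the client pinned that key."""
    pinned = fingerprint(known_hosts_line.split(None, 1)[1])
    return {p: fingerprint(read_pub(p)) == pinned
            for p in host_key_paths(sshd_config_text)}

def _constructed_pub(seed):
    # 32 seed-derived bytes wrapped in the ssh-ed25519 wire format.
    # Constructed sample data, not a real host key.
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"

# Constructed scenario: the client pinned the original key; the rebuilt sshd
# serves a different key until HostKey points back at the original file.
PUB_FILES = {
    "/etc/ssh/ssh_host_ed25519_key": _constructed_pub(b"original"),
    "/usr/local/etc/ssh_host_ed25519_key": _constructed_pub(b"regenerated"),
}
PINNED = "server01 " + PUB_FILES["/etc/ssh/ssh_host_ed25519_key"]
BEFORE = "# constructed\nPort 22\nHostKey /usr/local/etc/ssh_host_ed25519_key\n"
AFTER = "Port 22\nHostKey /etc/ssh/ssh_host_ed25519_key\n"

if __name__ == "__main__":
    # On a real server, read_pub would be: lambda p: open(p + ".pub").read()
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, matches_pinned(cfg, PUB_FILES.__getitem__, PINNED))
```

A `False` for every configured path means the daemon is presenting a key the client has never pinned, which is the condition that produces the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning quoted in the question.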