PSA: ssh connection issues on main campus

TL;DR: If you are the sort of person who needs to be using ssh to connect to things, DO NOT do it from academic campus when using PAL3.0.

For the more technical of you: PAL3.0 on academic campus is causing ssh clients to throw out possible Man-In-The-Middle attack warnings when trying to connect to anything (including machines that are not on campus). If ssh fails for you with a big scary error message like the one included at the bottom of this post, DO NOT try to remove the offending host key or attempt any other local remedy.

A friend and I went around academic campus for an hour tonight (27 March) and found this problem on every single wireless access point we tried, using 4 different ssh clients, trying to connect to 5 different servers (Purdue-based and otherwise). We did not test every single building, but found the error on all access points in at least the following subset of buildings: HAAS, MATH, CL50, WALC, EE, MSEE, PHYS.

In terms of dorms: Cary East and West seem to remain unaffected (we haven’t tested anything else), and we’re guessing that that applies to all of the dorms.

Sample error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
5c:9b:16:56:a6:cd:11:10:3a:cd:1b:a2:91:cd:e5:1c.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:1
RSA host key for ras.mydomain.com has changed and you have requested strict checking.
Host key verification failed.
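An added example, not part of the original post: one way to compare the key a server offers with the key already pinned in known_hosts, without deleting or editing the pinned entry. The function names, the keys, the salt and the host login.example.edu are all constructed for illustration. In practice the offered key would come from something like `ssh-keyscan` output, and the result should be checked against a fingerprint the server's administrator supplies over a trusted channel.

```python
import base64, hashlib, hmac, struct

def _s(b):  # SSH wire "string": 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def constructed_key(seed):
    """Constructed stand-in for an ssh-rsa public key blob; not a usable key."""
    n = b"\x00\xc1" + hashlib.sha512(seed).digest() * 4
    return base64.b64encode(_s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(n)).decode()

def fingerprints(b64):
    """MD5 colon-hex (the style shown in the warning) and SHA256 fingerprints."""
    raw = base64.b64decode(b64)
    h = hashlib.md5(raw).hexdigest()
    md5 = ":".join(h[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha

def host_matches(pattern, host):
    if pattern.startswith("|1|"):  # hashed entry: |1|salt|HMAC-SHA1(salt, host)
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in pattern.split(",")

def check(known_hosts, host, keytype, offered_b64):
    """Compare an offered key with the pinned one. Read-only: the file is never edited."""
    pinned = []
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        f = line.split()
        # Comments and @cert-authority/@revoked marker lines are skipped here.
        if len(f) >= 3 and not f[0].startswith(("#", "@")) and f[1] == keytype \
                and host_matches(f[0], host):
            pinned.append((lineno, f[2]))
    hits = [n for n, key in pinned if key == offered_b64]
    if hits:
        return ("MATCH", hits[0])
    return ("MISMATCH", pinned[0][0]) if pinned else ("UNKNOWN", None)

# Constructed sample data: the first host name is the one in the sample error.
PINNED, OFFERED = constructed_key(b"pinned"), constructed_key(b"offered on PAL3.0")
SALT = b"constructed-salt-20b"
_MAC = hmac.new(SALT, b"login.example.edu", hashlib.sha1).digest()
HASHED = "|1|%s|%s" % tuple(base64.b64encode(x).decode() for x in (SALT, _MAC))
KNOWN_HOSTS = f"ras.mydomain.com ssh-rsa {PINNED}\n{HASHED} ssh-rsa {PINNED}\n"

if __name__ == "__main__":
    print(check(KNOWN_HOSTS, "ras.mydomain.com", "ssh-rsa", OFFERED))
    print("pinned :", *fingerprints(PINNED))
    print("offered:", *fingerprints(OFFERED))
```

A MISMATCH result corresponds to the "Offending key in ...known_hosts:1" line of the warning; the pinned entry stays in place until the fingerprint has been confirmed out of band.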

If Purdue is intercepting SSL traffic and doing a man in the middle, somebody needs to be fired.

I’m going to be optimistic and apply Hanlon’s Razor here.

Never attribute to malice that which is adequately explained by stupidity.

Update: APs in PHYS, MSEE, and EE all seem to be behaving normally now. This probably means that everywhere else is fine, but just be careful when connecting.

So you’re saying deleting known hosts was a bad idea?

I’ll say it again, it’s really time people start thinking about using a VPN on PAL 3.0… If not to just bypass the filters, for your own safety and peace of mind.

u/lbkulinski, thoughts?

I added the new host key today when connecting to my research team’s client, uh oh

Should be resolved now.

There are 2 real situations I am considering here:

  1. ITAP is actively intercepting ssh connections as a test or as a mistake or something
  2. ITAP allowed someone to perform a MitM for about 18 hours without stopping it.

Either way, heads should roll.

This doesn’t mean you shouldn’t continue to submit tickets.
They will move more quickly based on the number of tickets.

Russiackers.


Bleep-bloop, I’m a bot. This portmanteau was created from the phrase ‘Russian hackers?’

Yes. At this point I would strongly recommend against using ssh until the issue is confirmed to be fixed. If you really need to log in, find a machine with Ethernet, or something equivalent (I intend to carry an Ethernet cable with me today).

Purdue VPN bypasses academic filters?

Please tell me that to use PAL3.0 they’re not having you install a “cert”.

As in, they’re decrypting SSL traffic for everyone.

Just use machines with Ethernet if at all possible until it’s confirmed that the problem has been fixed.

That’s not what I’m saying. You should get a third party VPN that encrypts all of your data. See here for details on how they work: What Is a VPN? Why You Need PIA VPN in 2025

Basically it hides your IP and encrypts all of your data. So Purdue won’t be able to execute man in the middle attacks on your data, and they won’t be able to filter websites like Netflix, Spotify, etc.

If it’s true that Purdue is using MITM attacks to sniff out packets, then people should be concerned about their privacy. Using a VPN can protect you from that.

The Purdue VPN just allows you to remote into the Purdue network.

Logan ur god for us !

As a current ITaP staff member, I can confirm that executive staff are watching ticket counts and putting pressure on the middle managers to handle problems and incidents much faster than under the previous CIO.