As part of this, SSH DSA keys were no longer being accepted by the server.
However, there is no easy way for most non-MoCo contributors to change
their SSH keys, whereas MoCo users and community members with LDAP
accounts can (and should!) use login.mozilla.com to update their keys. So a
bunch of folks have been locked out with little recourse.

I've re-enabled the use of DSA keys on hg.mozilla.org, and we will follow
up in the next day or two with a plan for final retirement of DSA key
access. We're hoping to enable the DSA key blocking again in a week or two,
so if you can self-serve please do so.

K.

On Mon, Apr 4, 2016 at 11:52 AM, Gregory Szorc <g...@mozilla.com> wrote:

> We also changed the SSH server config to only support the "modern" set of
> ciphers, MACs, algorithms, etc from
> https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern. If you are
> running an old SSH client, it may not be able to connect.
>
> If you encounter problems connecting, complain in #vcs with a link to
> pastebinned `ssh -v` output so we can see what your client supports so we
> may consider adding legacy support on the server as a stop-gap. But
> upgrading your SSH client to something that supports modern crypto is
> highly preferred. More and more Mozilla systems will be adopting these
> "modern" SSH server settings. So you'll have to upgrade sometime.
>
> On Mon, Apr 4, 2016 at 8:36 AM, Gregory Szorc <g...@mozilla.com> wrote:
>
> > This change was just made (we delayed because we didn't want to take
> > extra risks on a Friday afternoon).
> >
> > A GPG signed document detailing the current keys is available at
> >
> > https://hg.mozilla.org/hgcustom/version-control-tools/raw-file/tip/docs/vcs-server-info.asc
> >
> > On 3/31/16 2:39 PM, Gregory Szorc wrote:
> > > This message serves as a notice that the *SSH host keys* for
> > > hg.mozilla.org will be rotated in the next ~24 hours.
> > >
> > > When connecting to hg.mozilla.org over SSH, your SSH client should warn
> > > that host keys have changed and refuse to connect until
> > > accepting/trusting the new host key. After 1st host key verification
> > > failure:
> > >
> > > 1) `ssh-keygen -R hg.mozilla.org` to remove the old host key
> > > 2) `ssh hg.mozilla.org` and verify the fingerprint of the new key
> > > matches one of the following:
> > >
> > > 256 SHA256:7MBAdqLe8+aSYkv+5/2LUUxd+WdgYcVSV+ZQVEKA7jA hg.mozilla.org (ED25519)
> > > 256 SHA1:Ft++OU96cvaREKNFCJ6AiuCpGac hg.mozilla.org (ED25519)
> > > 256 MD5:96:eb:3b:78:f5:ca:19:e2:0c:a0:95:ea:04:28:7d:26 hg.mozilla.org (ED25519)
> > >
> > > 4096 SHA256:RX2OK8A1KNWdxyu6ibIPeEGLBzc5vyQW/wd7RKjBehc hg.mozilla.org (RSA)
> > > 4096 SHA1:p2MGe4wSw8ZnQ5J9ShBk/6VA+Co hg.mozilla.org (RSA)
> > > 4096 MD5:1c:f9:cf:76:de:b8:46:d6:5a:a3:00:8d:3b:0c:53:77 hg.mozilla.org (RSA)
> > >
> > > Q: What host key types were changed? We dropped the DSA host key and
> > > added a ED25519 host key. The length of the RSA key has been increased
> > > from 2048 to 4096 bits.
> > >
> > > Q: Does this impact connections to https://hg.mozilla.org/? No. The x509
> > > certificate to the https:// endpoint is remaining unchanged at this time.
> > >
> > > Q: Why is this being done? We are modernizing the server infrastructure
> > > of hg.mozilla.org. As part of this, we're bringing the hosts in
> > > compliance with Mozilla's SSH security guidelines
> > > (https://wiki.mozilla.org/Security/Guidelines/OpenSSH).
> > >
> >
> >
> _______________________________________________
> dev-version-control mailing list
> dev-version-cont...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-version-control
>
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
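The host-key verification steps quoted above (drop the stale entry, then compare the new key's fingerprint with the published list) can be scripted. The following is an added example, not code from the thread or from Mozilla: it reproduces the fingerprint formats that `ssh-keygen -lf -E sha256|sha1|md5` prints and checks constructed `ssh-keyscan` output against the SHA256 fingerprints posted in the thread. The function names are my own, and the key blobs in SAMPLE_SCAN are constructed, so they deliberately do not match the published fingerprints.

```python
import base64
import hashlib
import struct
# SHA256 fingerprints published in the thread above for hg.mozilla.org.
EXPECTED_FINGERPRINTS = {
    "ssh-ed25519": "SHA256:7MBAdqLe8+aSYkv+5/2LUUxd+WdgYcVSV+ZQVEKA7jA",
    "ssh-rsa": "SHA256:RX2OK8A1KNWdxyu6ibIPeEGLBzc5vyQW/wd7RKjBehc",
}

def fingerprint(key_b64, alg="sha256"):
    """Fingerprint of a base64 key blob, formatted like `ssh-keygen -lf -E <alg>`."""
    digest = hashlib.new(alg, base64.b64decode(key_b64)).digest()
    if alg == "md5":  # MD5 is printed as colon-separated hex
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    # SHA256 and SHA1 are printed as base64 with the '=' padding removed
    return alg.upper() + ":" + base64.b64encode(digest).decode().rstrip("=")

def verify_keyscan(lines, expected=EXPECTED_FINGERPRINTS):
    """Split ssh-keyscan output into (accepted, rejected) known_hosts lines; only
    published key types with a matching SHA256 fingerprint are accepted."""
    accepted, rejected = [], []
    for line in (raw.strip() for raw in lines):
        if not line or line.startswith("#"):  # skip ssh-keyscan banner comments
            continue
        parts = line.split()
        try:
            ktype, blob = parts[1], base64.b64decode(parts[2])
            (n,) = struct.unpack(">I", blob[:4])
            blob_type = blob[4:4 + n].decode()  # first length-prefixed string
        except Exception:
            rejected.append((line, "malformed line or key"))
            continue
        if blob_type != ktype or ktype not in expected:  # e.g. retired ssh-dss
            rejected.append((line, f"key type {ktype} not accepted"))
        elif (fp := fingerprint(parts[2])) != expected[ktype]:
            rejected.append((line, f"fingerprint {fp} does not match"))
        else:
            accepted.append(line)
    return accepted, rejected

def make_blob(ktype, *fields):
    """Base64 SSH key blob from length-prefixed fields (constructed sample data)."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in (ktype.encode(), *fields))
    return base64.b64encode(raw).decode()
# Constructed ssh-keyscan output: a fake ED25519 key and a retired DSA key.
SAMPLE_SCAN = [
    "# hg.mozilla.org:22 SSH-2.0-OpenSSH",
    "hg.mozilla.org ssh-ed25519 " + make_blob("ssh-ed25519", b"\x01" * 32),
    "hg.mozilla.org ssh-dss " + make_blob("ssh-dss", b"\x02" * 8, b"\x03" * 8),
]
```

In practice you would feed it the output of `ssh-keyscan -t ed25519,rsa hg.mozilla.org` and append only the accepted lines to `~/.ssh/known_hosts` after running `ssh-keygen -R hg.mozilla.org`.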