On Sun, Feb 26, 2012 at 2:31 PM, lkcl luke <[email protected]> wrote:

> On Sun, Feb 26, 2012 at 6:27 PM, Michael Yang <[email protected]> wrote:
> >> Yes, I believe so.  I verified this by adding/removing my public key to my
> >> EC2 server's ~/.ssh/authorized_keys and then logging into it via SSH.  Then
>
>  ok - unfortunately someone's been attacking pyjs.org so i couldn't
> easily see the IP address ... right, you're logging in from ec2,
> right?  and you've attempted more than 5 times so you've now been
> banned (i had to install denyhosts to get rid of the attacker).  then
> you logged in, it appears, from a *second* host (verizon.net) and did
> it _again_!
>

Sorry, sometimes I forget my own password and even have to re-teach myself
SSH public/private key settings.


>  don't do that again! :)
>

I will not. I didn't intend to set off an intrusion alarm or anything.


>  if it doesn't work the first time, and nothing's changed, it ain't
> gonna work the 2nd, 3rd, 4th, 5th or 6th time, is it?  the only thing
> that will achieve is to make you look like an attacker, setting off
> the intrusion detection.
>

OK, got it.


>  anyway.
>
>  i've double-checked that the key's added to
> /var/lib/gitolite/.ssh/authorized_keys - it's definitely there.  so
> you're doing something wrong.
>

I have a MacBook @ verizon.net with my original public key.  Maybe I'll
just use that one to pull and test stuff.


> now, i note that you logged in from two different hosts.  that means
> that you should have *two* sets of ssh public-key private-key pairs.
> those keys should be DIFFERENT.  you should NOT have copied the one
> (identical) key-pair to another machine, ESPECIALLY over the internet
> and DEFINITELY not to some random host run by an untrustable
> "cuhluouuuuud" service ESPECIALLY one that's hosted in a country that
> has such a poor human rights record (viz: the united states).


This is sort of exactly what I did (I'm not a security expert).  Some
rationale: the Ubuntu server seems to be the main server that most of the
code compiled correctly on pre-2012, and it is easier to do git bisect flows
on than on my Mac, which had that old AttributeError/path problem.

I prefer to use my existing key from my EC2 instance just because it's
easier on Ubuntu to test out things and review older code.  It just makes
sense to have that server used for patch submission.  If I've touched upon
a sensitive issue by using a US-based service, then I can just attach stuff
on Google Code.  I didn't mean to ruffle anyone's feathers, I'm sorry!
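Two checks from the exchange above are easy to do offline before retrying a login (and tripping denyhosts again): is the public key the client offers actually one of the entries in the server's authorized_keys, and has a single key pair been copied to several hosts, which is what lkcl objects to? The script below is an added example for this thread, not code from pyjs, gitolite or either participant. The authorized_keys lines, the key bytes, the user names and the gitolite-shell path in the command= option are all constructed for illustration; the fingerprint format is OpenSSH's SHA256 form (base64 of the SHA-256 digest over the decoded key blob, with '=' padding stripped), so the values it prints can be compared with `ssh-keygen -lf` on a real key file.

```python
"""Audit an OpenSSH authorized_keys file: confirm an offered public key is
really listed, and flag key material installed under more than one host.

Added example, not project code. All key lines and key bytes are constructed.
"""
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw32: bytes) -> bytes:
    """SSH wire encoding of an Ed25519 public key (type name + 32-byte key)."""
    assert len(raw32) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint, as shown by `ssh-keygen -lf`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Return (options, keytype, blob, comment) for each key line.

    The options field (gitolite's command="..." forcing, no-pty, ...) can
    contain spaces, so the key type is found by name, not by position.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            raise ValueError(f"line {lineno}: no recognised key type")
        options, keytype = " ".join(fields[:idx]), fields[idx]
        blob = base64.b64decode(fields[idx + 1], validate=True)
        (tlen,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + tlen] != keytype.encode():  # blob names its own type
            raise ValueError(f"line {lineno}: key type does not match blob")
        entries.append((options, keytype, blob, " ".join(fields[idx + 2:])))
    return entries


def keys_matching(entries, pubkey_line: str):
    """Comments of entries whose key material equals the offered public key.
    An empty list means the key is not installed; retrying cannot help."""
    target = parse_authorized_keys(pubkey_line)[0][2]
    return [c for _, _, blob, c in entries if blob == target]


def shared_keys(entries):
    """fingerprint -> comments for key material listed more than once, i.e.
    one key pair copied to several hosts instead of one pair per host."""
    seen = defaultdict(list)
    for _, _, blob, comment in entries:
        seen[fingerprint(blob)].append(comment)
    return {fp: cs for fp, cs in seen.items() if len(cs) > 1}


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# Constructed key material: fixed byte patterns, not real keys.
MACBOOK = ed25519_blob(bytes([1]) * 32)
EC2 = MACBOOK                           # the same pair copied to the EC2 box
SERVER = ed25519_blob(bytes([2]) * 32)  # a key generated on its own host

# Constructed gitolite-style authorized_keys; path and user names assumed.
AUTHORIZED_KEYS = f"""# gitolite start
command="/var/lib/gitolite/bin/gitolite-shell michael",no-port-forwarding,no-pty ssh-ed25519 {b64(MACBOOK)} michael@macbook
command="/var/lib/gitolite/bin/gitolite-shell michael",no-port-forwarding,no-pty ssh-ed25519 {b64(EC2)} michael@ec2
ssh-ed25519 {b64(SERVER)} admin@server
# gitolite end
"""

# What the client offers (the "Offering public key" line in `ssh -v` output).
OFFERED = f"ssh-ed25519 {b64(MACBOOK)} michael@macbook"


def audit(authorized_keys: str = AUTHORIZED_KEYS, offered: str = OFFERED):
    entries = parse_authorized_keys(authorized_keys)
    return {"installed_as": keys_matching(entries, offered),
            "shared": shared_keys(entries)}


if __name__ == "__main__":
    report = audit()
    print("offered key accepted for:", report["installed_as"])
    for fp, hosts in report["shared"].items():
        print(f"{fp} is one key pair installed for: {', '.join(hosts)}")
```

Run against the constructed file, the offered key matches both the macbook and ec2 entries, and the same fingerprint is reported for both, which is exactly the "one key pair on two machines" situation; a per-host key pair generated locally with `ssh-keygen` would give each entry its own fingerprint and let a compromised host be revoked on its own.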
