Looks like my id_rsa key is not being tried soon enough for the two-attempt
threshold as the key that GitHub for Mac installed and my work key are
being tried first (I tried specifying my id_rsa key with -i but that didn't
seem to change anything):

> ssh -v 104.130.43.97
OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 58: Applying options for *.*
debug1: /etc/ssh_config line 68: Applying options for *
debug1: /etc/ssh_config line 107: Deprecated option "globalknownhostsfile2"
debug1: Connecting to 104.130.43.97 [104.130.43.97] port 22.
debug1: Connection established.
debug1: could not open key file '/etc/ssh_host_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_dsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_ecdsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_rsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_ed25519_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_dsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_ecdsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_rsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_ed25519_key': No such file or directory
debug1: identity file /Users/bcannon/.ssh/identity type -1
debug1: identity file /Users/bcannon/.ssh/identity-cert type -1
debug1: identity file /Users/bcannon/.ssh/localhost/identity type -1
debug1: identity file /Users/bcannon/.ssh/localhost/identity-cert type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/identity type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/identity-cert type -1
debug1: identity file /Users/bcannon/.ssh/id_dsa type -1
debug1: identity file /Users/bcannon/.ssh/id_dsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/id_rsa type 1
debug1: identity file /Users/bcannon/.ssh/id_rsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/localhost/id_dsa type -1
debug1: identity file /Users/bcannon/.ssh/localhost/id_dsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/localhost/id_rsa type -1
debug1: identity file /Users/bcannon/.ssh/localhost/id_rsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/id_dsa type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/id_dsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/id_rsa type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000000
debug1:  Miscellaneous failure (see text)
No credentials cache file found
debug1:  An invalid name was supplied
unknown mech-code 0 for mech 1 2 752 43 14 2
debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 5 14
debug1:  Miscellaneous failure (see text)
unknown mech-code 2 for mech 1 3 6 1 4 1 311 2 2 10
debug1:  An unsupported mechanism was requested
unknown mech-code 0 for mech 1 3 5 1 5 2 7
debug1:  Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 2 5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ED25519 1d:02:d1:d2:7b:a1:cb:e0:51:65:25:d7:19:dd:4e:74
debug1: Host '104.130.43.97' is known and matches the ED25519 host key.
debug1: Found key in /Users/bcannon/.ssh/known_hosts:24
debug1: ssh_ed25519_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/bcannon/.ssh/github_rsa
debug1: Authentications that can continue: publickey
debug1: Offering ECDSA public key: corp/normal
Received disconnect from 104.130.43.97: 2: Too many authentication failures for bcannon

On Fri Jan 23 2015 at 10:34:25 AM Donald Stufft <[email protected]> wrote:

> Can you do ssh -v to that box and send me the output?
>
>
> On Jan 23, 2015, at 8:50 AM, Brett Cannon <[email protected]> wrote:
>
> I tried updating my checkout this morning and then I was given the
> warning. So I deleted the key from my known_hosts file, accepted the new
> one, but now I just keep getting my connection rejected:
>
> remote: Received disconnect from 104.130.43.97: 2: Too many authentication failures for hg
>
> abort: no suitable response from remote hg!
>
>
> Is this rejection going to time out so I can eventually connect, and if
> so how long do I need to wait?
>
> On Tue Jan 20 2015 at 11:55:08 AM Donald Stufft <[email protected]> wrote:
>
>> Sending this to python-committers as well for anyone who doesn't keep up with
>> python-dev. If you've gotten this message twice now I'm sorry!
>>
>> Just a heads up that people might see a "REMOTE HOST IDENTIFICATION HAS
>> CHANGED!" error when connecting to hg.python.org's SSH (or any other PSF
>> machine). The reason for this is that previously we allowed RSA, ECDSA, and
>> ED25519 host keys. However ECDSA relies on having an unbiased random number
>> generator on every connection and any bias in the random numbers can leak the
>> private key. Since these are running on VMs where we don't know for sure what
>> the quality is of the random numbers I've disabled the ECDSA host key.
>>
>> The impact of this is if you had previously connected to a PSF machine, and
>> your client had the ECDSA key in your ~/.ssh/known_hosts file, that you'll
>> see an error like:
>>
>>    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>>    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>>    It is also possible that a host key has just been changed.
>>
>> The remediation is to remove the ECDSA for the PSF servers from your known
>> hosts and connect again and accept either the RSA or the ED25519 key when it
>> presents it.
>>
>> The fingerprints for hg.python.org for both of those keys are:
>>
>> $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
>> 2048 a0:12:52:50:4a:4b:db:43:ac:65:26:b6:6f:0a:f7:b8 /etc/ssh/ssh_host_rsa_key.pub (RSA)
>> $ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
>> 256 1d:02:d1:d2:7b:a1:cb:e0:51:65:25:d7:19:dd:4e:74 /etc/ssh/ssh_host_ed25519_key.pub (ED25519)
>>
>> Sorry for any inconvenience this causes!
>>
>> ---
>> Donald Stufft
>> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>>
>> _______________________________________________
>> python-committers mailing list
>> [email protected]
>> https://mail.python.org/mailman/listinfo/python-committers
>>
>
_______________________________________________
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
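
The failure in the `ssh -v` output at the top of this message can be read off mechanically: which keys were offered, whether the server cut the session off, and which usable identity file was never reached. The Python below is an added example, not part of the original thread; `analyze` and its result keys are hypothetical names, and the sample is an excerpt of the log above with wrapped lines rejoined.

```python
import re

# Excerpt of the `ssh -v` output quoted above, wrapped lines rejoined.
SAMPLE_LOG = """\
debug1: identity file /Users/bcannon/.ssh/id_dsa type -1
debug1: identity file /Users/bcannon/.ssh/id_rsa type 1
debug1: identity file /Users/bcannon/.ssh/id_rsa-cert type -1
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/bcannon/.ssh/github_rsa
debug1: Authentications that can continue: publickey
debug1: Offering ECDSA public key: corp/normal
Received disconnect from 104.130.43.97: 2: Too many authentication failures for bcannon
"""

IDENTITY = re.compile(r"^debug1: identity file (\S+) type (-?\d+)$")
OFFER = re.compile(r"^debug1: Offering (\w+) public key: (\S+)$")
TOO_MANY = "Too many authentication failures"


def analyze(log_text):
    """Summarise public-key authentication attempts in `ssh -v` output."""
    listed, usable, offered, cut_off = set(), [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        ident = IDENTITY.match(line)
        if ident:
            listed.add(ident.group(1))
            if int(ident.group(2)) >= 0:  # type -1: no key was loaded from this path
                usable.append(ident.group(1))
        offer = OFFER.match(line)
        if offer:
            offered.append((offer.group(1), offer.group(2)))
        if TOO_MANY in line:
            cut_off = True
    offered_names = {name for _, name in offered}
    return {
        "offered": offered,
        "cut_off": cut_off,
        # Usable identity files the server never got to see.
        "never_offered": [p for p in usable if p not in offered_names],
        # Offers that are not identity files the client listed (e.g. agent keys).
        "unlisted_offers": [n for _, n in offered if n not in listed],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When `never_offered` names the key the server expects, setting `IdentitiesOnly yes` together with `IdentityFile` for that host in the client's ssh_config limits the offers to that key, so keys from the agent no longer use up the server's allowed attempts.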