Just a heads up that people might see a "REMOTE HOST IDENTIFICATION HAS CHANGED!" error when connecting to hg.python.org's SSH (or any other PSF machine). The reason for this is that previously we allowed RSA, ECDSA, and ED25519 host keys. However, ECDSA relies on having an unbiased random number generator on every connection, and any bias in the random numbers can leak the private key. Since these are running on VMs where we don't know for sure what the quality is of the random numbers, I've disabled the ECDSA host key.

The impact of this is that if you had previously connected to a PSF machine, and your client had the ECDSA key in your ~/.ssh/known_hosts file, you'll see an error like:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.

The remediation is to remove the ECDSA key for the PSF servers from your known hosts and connect again and accept either the RSA or the ED25519 key when it presents it.

The fingerprints for hg.python.org for both of those keys are:

$ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
2048 a0:12:52:50:4a:4b:db:43:ac:65:26:b6:6f:0a:f7:b8 /etc/ssh/ssh_host_rsa_key.pub (RSA)

$ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
256 1d:02:d1:d2:7b:a1:cb:e0:51:65:25:d7:19:dd:4e:74 /etc/ssh/ssh_host_ed25519_key.pub (ED25519)

Sorry for any inconvenience this causes!

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
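
The remediation described in the message above, as an added example that is not part of the original post: drop only the ECDSA entries for a host from known_hosts lines (plain or HashKnownHosts form) and accept an offered key only if its MD5 fingerprint matches a published one. The function names are hypothetical, and the key blobs used to exercise it are constructed, not real host keys.

```python
import base64
import hashlib
import hmac

# Fingerprints published in the message above (legacy MD5 colon-hex form).
PUBLISHED = {
    "ssh-rsa": "a0:12:52:50:4a:4b:db:43:ac:65:26:b6:6f:0a:f7:b8",
    "ssh-ed25519": "1d:02:d1:d2:7b:a1:cb:e0:51:65:25:d7:19:dd:4e:74",
}

def md5_fingerprint(key_b64):
    """Colon-separated MD5 of the decoded key blob, the format shown in the message."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def host_matches(host_field, host):
    """Exact-name match against a known_hosts host field, plain or hashed (|1|salt|mac).
    Assumption: wildcards and [host]:port forms are out of scope for this example."""
    for pat in host_field.split(","):
        if pat.startswith("|1|"):
            _, _, salt, mac = pat.split("|")
            want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(want, base64.b64decode(mac)):
                return True
        elif pat == host:
            return True
    return False

def drop_ecdsa(lines, host):
    """Return the lines with ECDSA entries for `host` removed; everything else is kept."""
    kept = []
    for line in lines:
        f = line.split()
        is_entry = len(f) >= 3 and not f[0].startswith(("#", "@"))
        if is_entry and f[1].startswith("ecdsa-sha2-") and host_matches(f[0], host):
            continue
        kept.append(line)
    return kept

def key_is_published(key_line, published=PUBLISHED):
    """True only if a 'host keytype base64' line matches the published fingerprint
    for its key type; ECDSA or any other unlisted type is rejected."""
    fields = key_line.split()
    if len(fields) < 3:
        return False
    expected = published.get(fields[1])
    return expected is not None and md5_fingerprint(fields[2]) == expected
```

Current OpenSSH releases print SHA256 fingerprints by default; `ssh-keygen -E md5 -lf <file>` prints the colon-hex form that the message quotes.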