Re: [python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
I tried updating my checkout this morning and then I was given the warning. So I deleted the key from my known_hosts file, accepted the new one, but now I just keep getting my connection rejected:

remote: Received disconnect from 104.130.43.97: 2: Too many authentication failures for hg
abort: no suitable response from remote hg!

Is this rejection going to time out so I can eventually connect, and if so how long do I need to wait?

On Tue Jan 20 2015 at 11:55:08 AM Donald Stufft wrote:
> Sending this to python-committers as well for anyone who doesn't keep up with
> python-dev. If you've gotten this message twice now I'm sorry!
>
> Just a heads up that people might see a "REMOTE HOST IDENTIFICATION HAS
> CHANGED!" error when connecting to hg.python.org's SSH (or any other PSF
> machine). The reason for this is that previously we allowed RSA, ECDSA, and
> ED25519 host keys. However ECDSA relies on having an unbiased random number
> generator on every connection and any bias in the random numbers can leak the
> private key. Since these are running on VMs where we don't know for sure what
> the quality is of the random numbers I've disabled the ECDSA host key.
>
> The impact of this is if you had previously connected to a PSF machine, and
> your client had the ECDSA key in your ~/.ssh/known_hosts file, that you'll
> see an error like:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
>
> The remediation is to remove the ECDSA key for the PSF servers from your known
> hosts and connect again and accept either the RSA or the ED25519 key when it
> presents it.
>
> The fingerprints for hg.python.org for both of those keys are:
>
> $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
> 2048 a0:12:52:50:4a:4b:db:43:ac:65:26:b6:6f:0a:f7:b8 /etc/ssh/ssh_host_rsa_key.pub (RSA)
> $ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
> 256 1d:02:d1:d2:7b:a1:cb:e0:51:65:25:d7:19:dd:4e:74 /etc/ssh/ssh_host_ed25519_key.pub (ED25519)
>
> Sorry for any inconvenience this causes!
>
> ---
> Donald Stufft
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
> _______________________________________________
> python-committers mailing list
> https://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
Can you do ssh -v to that box and send me the output?

> On Jan 23, 2015, at 8:50 AM, Brett Cannon wrote:
>
> I tried updating my checkout this morning and then I was given the warning.
> So I deleted the key from my known_hosts file, accepted the new one, but now
> I just keep getting my connection rejected:
>
> remote: Received disconnect from 104.130.43.97: 2: Too many authentication
> failures for hg
>
> abort: no suitable response from remote hg!
>
> Is this rejection going to time out so I can eventually connect, and if so
> how long do I need to wait?
Re: [python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
Looks like my id_rsa key is not being tried soon enough for the two-attempt threshold as the key that GitHub for Mac installed and my work key are being tried first (I tried specifying my id_rsa key with -i but that didn't seem to change anything):

$ ssh -v 104.130.43.97
OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 58: Applying options for *.*
debug1: /etc/ssh_config line 68: Applying options for *
debug1: /etc/ssh_config line 107: Deprecated option "globalknownhostsfile2"
debug1: Connecting to 104.130.43.97 [104.130.43.97] port 22.
debug1: Connection established.
debug1: could not open key file '/etc/ssh_host_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_dsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_ecdsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_rsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_ed25519_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_dsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_ecdsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_rsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_ed25519_key': No such file or directory
debug1: identity file /Users/bcannon/.ssh/identity type -1
debug1: identity file /Users/bcannon/.ssh/identity-cert type -1
debug1: identity file /Users/bcannon/.ssh/localhost/identity type -1
debug1: identity file /Users/bcannon/.ssh/localhost/identity-cert type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/identity type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/identity-cert type -1
debug1: identity file /Users/bcannon/.ssh/id_dsa type -1
debug1: identity file /Users/bcannon/.ssh/id_dsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/id_rsa type 1
debug1: identity file /Users/bcannon/.ssh/id_rsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/localhost/id_dsa type -1
debug1: identity file /Users/bcannon/.ssh/localhost/id_dsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/localhost/id_rsa type -1
debug1: identity file /Users/bcannon/.ssh/localhost/id_rsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/id_dsa type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/id_dsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/id_rsa type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x0400
debug1: Miscellaneous failure (see text)
No credentials cache file found
debug1: An invalid name was supplied
unknown mech-code 0 for mech 1 2 752 43 14 2
debug1: Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 5 14
debug1: Miscellaneous failure (see text)
unknown mech-code 2 for mech 1 3 6 1 4 1 311 2 2 10
debug1: An unsupported mechanism was requested
unknown mech-code 0 for mech 1 3 5 1 5 2 7
debug1: Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 2 5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ED25519 1d:02:d1:d2:7b:a1:cb:e0:51:65:25:d7:19:dd:4e:74
debug1: Host '104.130.43.97' is known and matches the ED25519 host key.
debug1: Found key in /Users/bcannon/.ssh/known_hosts:24
debug1: ssh_ed25519_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/bcannon/.ssh/github_rsa
debug1: Authentications that can continue: publickey
debug1: Offering ECDSA public key: corp/normal
Received disconnect from 104.130.43.97: 2: Too many authentication failures for bcannon

On Fri Jan 23 2015 at 10:34:25 AM Donald Stufft wrote:
> Can you do ssh -v to that box and send me the output?
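The "Found key in /Users/bcannon/.ssh/known_hosts:24" line above is the entry the client matched against the ED25519 fingerprint Donald published. That comparison can be done offline, before accepting anything interactively, and the same pass can flag the stale ECDSA entries the announcement says to remove. The following is an added example, not code from the thread or from OpenSSH: it parses unhashed known_hosts lines, checks that the key type embedded in the base64 blob matches the declared type (as ssh itself does), computes the MD5 colon fingerprint that OpenSSH 6.x prints (and the SHA256 form newer clients print), and classifies each hg.python.org entry. The ANNOUNCED fingerprints are the ones from the thread; the sample known_hosts content and the key bytes inside it are constructed for the demo, so its RSA and ED25519 entries deliberately do not match.

```python
"""Audit known_hosts entries against announced fingerprints. Added example.

Assumptions: unhashed known_hosts lines (host[,host...] type base64blob) and
the MD5 colon fingerprint format used by OpenSSH 6.x in the thread. The
sample file and key material below are constructed, not real keys.
"""
import base64
import hashlib
import struct

# Fingerprints announced for hg.python.org in the thread, keyed by key type.
ANNOUNCED = {
    "ssh-rsa": "a0:12:52:50:4a:4b:db:43:ac:65:26:b6:6f:0a:f7:b8",
    "ssh-ed25519": "1d:02:d1:d2:7b:a1:cb:e0:51:65:25:d7:19:dd:4e:74",
}


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_blob(key_type: str, *fields: bytes) -> str:
    """Base64 public-key blob in OpenSSH layout (constructed dummy key material)."""
    return base64.b64encode(b"".join(ssh_string(f) for f in (key_type.encode(), *fields))).decode()


# Constructed known_hosts content: a stale ECDSA entry plus RSA and ED25519
# entries for hg.python.org, and an unrelated host. Key bodies are dummy bytes.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "hg.python.org,104.130.43.97 ecdsa-sha2-nistp256 "
    + make_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x01" * 64),
    "hg.python.org,104.130.43.97 ssh-ed25519 " + make_blob("ssh-ed25519", b"\x02" * 32),
    "hg.python.org ssh-rsa " + make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x03" * 256),
    "example.org ssh-ed25519 " + make_blob("ssh-ed25519", b"\x04" * 32),
])


def blob_type(blob_b64: str) -> str:
    """Key type embedded in the blob; ssh requires it to equal the declared type."""
    raw = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()


def md5_fingerprint(blob_b64: str) -> str:
    """OpenSSH <= 6.7 style: MD5 of the raw blob, colon-separated hex."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(base64.b64decode(blob_b64)).digest())


def sha256_fingerprint(blob_b64: str) -> str:
    """OpenSSH >= 6.8 style: unpadded base64 of SHA256 over the raw blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (line_no, hosts, key_type, blob) for each plain (unhashed) entry."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        # Hashed entries (|1|salt|hash|) need HMAC-SHA1 matching; skipped here.
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, key_type, blob = parts[0].split(","), parts[1], parts[2]
        if blob_type(blob) != key_type:
            raise ValueError(f"line {no}: declared {key_type}, blob says {blob_type(blob)}")
        yield no, hosts, key_type, blob


def audit(text: str, host: str, announced: dict) -> dict:
    """Map line number to a verdict for every entry naming `host`:
    'remove' for ECDSA (disabled on the server), 'ok' when the MD5 fingerprint
    equals the announced one, 'MISMATCH' otherwise (do not trust that key)."""
    verdicts = {}
    for no, hosts, key_type, blob in parse_known_hosts(text):
        if host not in hosts:
            continue
        if key_type.startswith("ecdsa-"):
            verdicts[no] = "remove"
        elif announced.get(key_type) == md5_fingerprint(blob):
            verdicts[no] = "ok"
        else:
            verdicts[no] = "MISMATCH"
    return verdicts


if __name__ == "__main__":
    for no, verdict in audit(SAMPLE_KNOWN_HOSTS, "hg.python.org", ANNOUNCED).items():
        print(f"known_hosts:{no}: {verdict}")
```

A "MISMATCH" verdict is exactly the situation the WARNING banner exists for: the key on the wire is not the one the operator published, and the right response is to stop, not to delete the line and reconnect. For a real file, `ssh-keygen -F hg.python.org` lists the matching entries (including hashed ones, which this example skips) and `ssh-keygen -R hg.python.org` removes them.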
Re: [python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
On Jan 23, 2015, at 04:16 PM, Brett Cannon wrote:

> Looks like my id_rsa key is not being tried soon enough for the two-attempt
> threshold as the key that GitHub for Mac installed and my work key are
> being tried first (I tried specifying my id_rsa key with -i but that didn't
> seem to change anything):

I get this all the time when I add my Debian ssh key to ssh-agent and then try to connect to hosts on my LAN (which use a different key). I think this is a limitation of ssh-agent and if you search the web, you'll find various solutions, which I've used to varying degrees of success.

Basically you want to force ssh not to use the agent when connecting to the site (I haven't yet tried hg.python.org with multiple keys). E.g. in your ~/.ssh/config file:

    Host hg.python.org
        IdentityFile ~/.ssh/id_rsa
        IdentitiesOnly yes

HTH,
-Barry
Re: [python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
That did it! Thanks, Barry.

On Fri Jan 23 2015 at 1:20:40 PM Barry Warsaw wrote:
> Basically you want to force ssh not to use the agent when connecting to the
> site (I haven't yet tried hg.python.org with multiple keys). E.g. in your
> ~/.ssh/config file:
>
>     Host hg.python.org
>         IdentityFile ~/.ssh/id_rsa
>         IdentitiesOnly yes
