Well if a MITM attacker tries to use your ssh access to do anything nasty,
another developer will probably notice quite quickly.
(the only "nasty thing" the ssh access allows you to do is "hg push",
IIRC; still, that can trigger code execution on the buildbots)
Sure, but it would be better to
On 3/26/2013 8:39 AM, Roger Serwy wrote:
>
>> Well if a MITM attacker tries to use your ssh access to do anything
>> nasty,
>> another developer will probably notice quite quickly.
>> (the only "nasty thing" the ssh access allows you to do is "hg push",
>> IIRC; still, that can trigger code execut
>> Can someone log into hg.python.org and get the public keys for the
>> server?
>
> Not me. But from my hosts, I get:
> RSA key fingerprint is ec:98:fe:7b:e1:0f:88:c5:93:37:83:64:a4:cc:aa:01.
Well I'm not sure how logging in would be an improvement, since the person
logging in could also be the
Also, what is the command to use on the server to get the public key
fingerprint?
Run "ssh-keygen -lf /path/to/public/key.pub" for the RSA, DSA, and ECDSA
keys.
___
python-committers mailing list
python-committers@python.org
http://mail.python.or
On Tuesday, 26 March 2013 at 09:03 -0500, Roger Serwy wrote:
> >
> > Also, what is the command to use on the server to get the public key
> > fingerprint?
> >
> >
> Run "ssh-keygen -lf /path/to/public/key.pub" for the RSA, DSA, and ECDSA
> keys.
$ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key
256 63:7
On 26.03.13 13:56, Eric V. Smith wrote:
> I completely agree. "We'll notice the damage" is not a great reason to
> avoid publishing the fingerprints.
IMO, the proper way is to publish SSHFP records in DNS. Unfortunately,
DynECT currently does not support RFC 6594.
Regards,
Martin
On Tuesday, 26 March 2013 at 21:42 +0100, "Martin v. Löwis" wrote:
> On 26.03.13 14:57, Antoine Pitrou wrote:
> > Well I'm not sure how logging in would be an improvement, since the person
> > logging in could also be the victim of a MITM attack ;)
>
> In addition, the email you sent might be subj
On 26.03.13 14:57, Antoine Pitrou wrote:
> Well I'm not sure how logging in would be an improvement, since the person
> logging in could also be the victim of a MITM attack ;)
In addition, the email you sent might be subject to MITM, either when
you were submitting it, or when it was transmitted
On 26/03/2013 20:40, Antoine Pitrou wrote:
On Tuesday, 26 March 2013 at 21:42 +0100, "Martin v. Löwis" wrote:
On 26.03.13 14:57, Antoine Pitrou wrote:
Well I'm not sure how logging in would be an improvement, since the person
logging in could also be the victim of a MITM attack ;)
In addition
On 25.03.13 17:34, Antoine Pitrou wrote:
>
>>> We have new contributors (who don't have a pre-existing key) use RSA:
>>> http://docs.python.org/devguide/faq.html#id1 .
>>
>> I was trying to avoid a man-in-the-middle attack by verifying the
>> server's key fingerprint. Those server fingerprints s
In addition, the email you sent might be subject to MITM, either when
you were submitting it, or when it was transmitted from python.org to
Roger's SMTP server. So you really need to PGP sign it :-)
And hope that I have Antoine's correct public PGP key... And down the
rabbit hole we go.
Tha