[python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
Brett Cannon
brett at python.org
Fri Jan 23 14:50:25 CET 2015
More information about the python-committers mailing list
Fri Jan 23 14:50:25 CET 2015
- Previous message: [python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
- Next message: [python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I tried updating my checkout this morning and then I was given the warning. So I deleted the key from my known_hosts file, accepted the new one, but now I just keep getting my connection rejected: remote: Received disconnect from 104.130.43.97: 2: Too many authentication failures for hg abort: no suitable response from remote hg! This this rejection going to timeout so I can eventually connect, and if so how long do I need to wait? On Tue Jan 20 2015 at 11:55:08 AM Donald Stufft <donald at stufft.io> wrote: > Sending this to python-committers as well for anyone who doesn't keep up > with > python-dev. If you've gotten this message twice now I'm sorry! > > Just a heads up that people might see a "REMOTE HOST IDENTIFICATION HAS > CHANGED!" error when connecting to hg.python.org's SSH (or any other PSF > machine). The reason for this is that previously we allowed RSA, ECDSA, and > ED25519 host keys. However ECDSA relies on having an unbiased random number > generator on every connection and any bias in the random numbers can leak > the > private key. Since these are running on VMs where we don't know for sure > what > the quality is of the random numbers I've disabled the ECDSA host key. > > The impact of this is if you had previously connected to a PSF machine, and > your client had the ECDSA key in your ~/.ssh/known_hosts file, that you'll > see an error like: > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! > Someone could be eavesdropping on you right now (man-in-the-middle > attack)! > It is also possible that a host key has just been changed. > > The remediation is to remove the ECDSA for the PSF servers from your known > hosts and connect again and accept either the RSA or the ED25519 key when > it > presents it. > > The fingerprints for hg.python.org for both of those keys are: > > $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub > 2048 a0:12:52:50:4a:4b:db:43:ac:65:26:b6:6f:0a:f7:b8 > /etc/ssh/ssh_host_rsa_key.pub (RSA) > $ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub > 256 1d:02:d1:d2:7b:a1:cb:e0:51:65:25:d7:19:dd:4e:74 > /etc/ssh/ssh_host_ed25519_key.pub (ED25519) > > Sorry for any inconvience this causes! > > --- > Donald Stufft > PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA > > _______________________________________________ > python-committers mailing list > python-committers at python.org > https://mail.python.org/mailman/listinfo/python-committers > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-committers/attachments/20150123/e65cb4ae/attachment.html>
- Previous message: [python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
- Next message: [python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the python-committers mailing list