[python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
Donald Stufft
donald at stufft.io
Fri Jan 23 16:34:20 CET 2015
More information about the python-committers mailing list
Fri Jan 23 16:34:20 CET 2015
- Previous message: [python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
- Next message: [python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Can you do ssh -v to that box and send me the output? > On Jan 23, 2015, at 8:50 AM, Brett Cannon <brett at python.org> wrote: > > I tried updating my checkout this morning and then I was given the warning. So I deleted the key from my known_hosts file, accepted the new one, but now I just keep getting my connection rejected: > > remote: Received disconnect from 104.130.43.97: 2: Too many authentication failures for hg > > abort: no suitable response from remote hg! > > > > This this rejection going to timeout so I can eventually connect, and if so how long do I need to wait? > > >> On Tue Jan 20 2015 at 11:55:08 AM Donald Stufft <donald at stufft.io> wrote: >> Sending this to python-committers as well for anyone who doesn't keep up with >> python-dev. If you've gotten this message twice now I'm sorry! >> >> Just a heads up that people might see a "REMOTE HOST IDENTIFICATION HAS >> CHANGED!" error when connecting to hg.python.org's SSH (or any other PSF >> machine). The reason for this is that previously we allowed RSA, ECDSA, and >> ED25519 host keys. However ECDSA relies on having an unbiased random number >> generator on every connection and any bias in the random numbers can leak the >> private key. Since these are running on VMs where we don't know for sure what >> the quality is of the random numbers I've disabled the ECDSA host key. >> >> The impact of this is if you had previously connected to a PSF machine, and >> your client had the ECDSA key in your ~/.ssh/known_hosts file, that you'll >> see an error like: >> >> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ >> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ >> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ >> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! >> Someone could be eavesdropping on you right now (man-in-the-middle attack)! >> It is also possible that a host key has just been changed. >> >> The remediation is to remove the ECDSA for the PSF servers from your known >> hosts and connect again and accept either the RSA or the ED25519 key when it >> presents it. >> >> The fingerprints for hg.python.org for both of those keys are: >> >> $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub >> 2048 a0:12:52:50:4a:4b:db:43:ac:65:26:b6:6f:0a:f7:b8 /etc/ssh/ssh_host_rsa_key.pub (RSA) >> $ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub >> 256 1d:02:d1:d2:7b:a1:cb:e0:51:65:25:d7:19:dd:4e:74 /etc/ssh/ssh_host_ed25519_key.pub (ED25519) >> >> Sorry for any inconvience this causes! >> >> --- >> Donald Stufft >> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA >> >> _______________________________________________ >> python-committers mailing list >> python-committers at python.org >> https://mail.python.org/mailman/listinfo/python-committers -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-committers/attachments/20150123/94047a9c/attachment.html>
- Previous message: [python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
- Next message: [python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the python-committers mailing list