On 11/14/2013 06:45 PM, Clint Adams wrote:
> Package: monkeysphere
> Version: 0.36-1
>
> Revoked ssh://lair.fifthhorseman.net in keyring, new key not; it may
> have been alleged that this is a bug:
>
> % ssh lair.fifthhorseman.net
> -------------------- Monkeysphere warning -------------------
> Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
> None of the found keys matched the key offered by the host.
> Keys found with less than marginal validity: 1
> Run the following command for more info about the found keys:
> gpg --check-sigs --list-options show-uid-validity
> =ssh://lair.fifthhorseman.net
> -------------------- ssh continues below --------------------
> The authenticity of host 'lair.fifthhorseman.net (<no hostip for proxy
> command>)' can't be established.
> ECDSA key fingerprint is 4a:f9:aa:ec:d8:de:a5:1d:06:8e:f3:36:98:87:99:e7.
> Are you sure you want to continue connecting (yes/no)? no
> Host key verification failed.
For future clarity: there might be two bugs here:

 0) the ssh proxycommand should recognize that the local keyring's key for
    the remote host is expired/revoked, and go out to fetch a new one from
    the keyservers on its own. (this is what i think Clint is directly
    reporting)

 1) the ECDSA mismatch -- monkeysphere's only working with RSA keys
    guarantees that servers offering ECDSA keys won't work properly with
    the marginal UI, because the fingerprint they offer (of the host's
    RSA keys) doesn't match the fingerprint of the host's ECDSA key.

        --dkg