Holger Levsen <hol...@layer-acht.org> writes:

> FTWwonder why alioth seems to be hacked now...
...
> this mail forwarding is inspired by two different mails wondering why the
> "alioth" ssh host keys have changed

Holger,

Thanks for forwarding this mail. I'm rather late to the game and only now
discovered the change in ssh keys when "git clone" complained at me[1].

> ---------- Forwarded Message ----------
> Subject: alioth back online
> Date: Thursday, 21 November 2013
> From: Stephen Gran <sg...@debian.org>
> To: Debian Infrastructure Announce <debian-infrastructure-
> annou...@lists.debian.org>
...
> · Update your SSH known keys. You can find all debian.org ssh hostkeys
> at [1] or on any debian.org system in /etc/ssh/ssh_known_hosts. Or
> you could just use the fingerprints in DNS (secured by DNSSEC).
...
> [1] https://db.debian.org/debian_known_hosts

Stephen,

I had a bit of a difficult time tracking down the fact that the new key was
valid. What would have made this much easier for me would have been if the
fingerprint of the new key had been included in a signed message sent to
debian-devel-announce@. It looks like that's exactly what you did with a
previous ssh-key change back in 2011[2].

An email like that would have been perfect since then, when ssh presented me
with the new fingerprint, I could have simply searched my email, found your
message advising of the key change, and been on my way. Without this, I did
have to do a bit of poking around before someone pointed me to Holger's
message in my personal email archive.

Additionally, I'd like to have the added trust of our system of signed keys
in addition to the SSL CA system (in which I have very little trust) and
DNSSEC (which I don't even know how to use, nor if I should trust it any
more than https:).

I did try to verify the new key by checking the /etc/ssh/ssh_known_keys file
on a machine for which I did have a valid key. But it looks like that file
is stale on at least the machine I checked (wagner.debian.org). I'm filing a
bug for that now.

For the sake of anyone else that might ever search their email for the new
fingerprint, here it is:

  moszumanska:~$ ssh-keygen -l -f /etc/ssh/ssh_known_hosts -F git.debian.org
  2048 d7:0b:26:5c:7a:5d:56:40:a9:e0:5d:f4:e1:70:88:bf git.debian.org (RSA)

Thanks for everything,

-Carl

-- 
carl.d.wo...@intel.com

[1] Yes, I'm a bad Debian Developer and should be using Debian's services
    more often.

[2] id:20110522102745.ga27...@varinia.lobefin.net
    https://lists.debian.org/debian-devel-announce/2011/05/msg00007.html

    see also:

    id:20110522105217.gb27...@varinia.lobefin.net
    https://lists.debian.org/debian-devel-announce/2011/05/msg00008.html
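The check Carl describes above, as an added example that is neither from the mail nor Debian's own tooling: a POSIX shell reimplementation of what `ssh-keygen -l -F <host>` computes, so a fingerprint presented by ssh can be compared against a known_hosts copy taken from an already trusted machine. The host names, the temporary file and the placeholder key blob are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from Carl's mail or from Debian: reproduce what
#   ssh-keygen -l -f /etc/ssh/ssh_known_hosts -F <host>
# computes, using only base64 and md5sum.  Old-style ssh fingerprints (the
# form quoted in the mail) are the MD5 digest of the base64-decoded
# public-key blob, written as colon-separated hex bytes.  Nothing here
# contacts the network.

# Print "<keytype> <md5-fingerprint>" for each plain (unhashed) known_hosts
# entry that lists HOST in its name field.
known_hosts_fingerprints() {  # $1 = host, $2 = known_hosts file
    host=$1; file=$2
    while read -r names keytype blob _rest; do
        case "$names" in
            ''|'#'*|'|1|'*|'@'*) continue ;;   # blank, comment, hashed or marker line
        esac
        case ",$names," in                     # name field is comma-separated
            *",$host,"*) ;;
            *) continue ;;
        esac
        digest=$(printf '%s' "$blob" | base64 -d | md5sum | cut -c1-32)
        fp=$(printf '%s' "$digest" | sed 's/../&:/g; s/:$//')
        printf '%s %s\n' "$keytype" "$fp"
    done < "$file"
}

# Exit status 0 if FINGERPRINT is listed for HOST in FILE, 1 otherwise.
# A stale file (as Carl found on wagner) simply yields "no match", so a
# miss is a reason to verify through another channel, not proof of a bad key.
host_key_matches() {  # $1 = host, $2 = fingerprint (MD5, colon form), $3 = file
    known_hosts_fingerprints "$1" "$3" | grep -qi " $2\$"
}

# Demo on a constructed file.  The blob "YWJj" is base64 of "abc", a
# placeholder standing in for a real key so the digest is easy to verify;
# its MD5 fingerprint is 90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72.
sample=$(mktemp)
printf '%s\n' 'git.example.org,203.0.113.7 ssh-rsa YWJj' > "$sample"
if host_key_matches git.example.org \
        90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72 "$sample"; then
    echo "fingerprint matches the trusted known_hosts copy"
else
    echo "NO MATCH: verify the key through another channel"
fi
rm -f "$sample"
```

Hashed known_hosts entries (`|1|...`) are skipped because matching them needs the per-entry HMAC that `ssh-keygen -F` performs; run that tool for such files.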