Re: [Savannah-hackers] SSH host key changed?


From: Simon Josefsson
Subject: Re: [Savannah-hackers] SSH host key changed?
Date: Tue, 05 Aug 2003 17:25:55 +0200
User-agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3.50 (gnu/linux)

Never mind, I didn't read the comments to the savannah announcement
where this was discussed.

Still, the issue with unsigned announcements still exists...

Simon Josefsson <address@hidden> writes:

> "Jaime E. Villate" <address@hidden> writes:
>
>> On Sun, Aug 03, 2003 at 10:43:21PM +0200, Simon Josefsson wrote:
>>> If the SSH host key has really changed, I think it would be good to
>>> announce it somewhere.  Is there a PGP signed announcement channel
>>> from the savannah system hackers?  I think there should be one.
>>> 
>>> FWIW, the ssh host key appears to have changed from my point of view
>>> within the latest 24 hours.
>> Yes. I was trying a newer version of ssh and when I downgraded to the
>> original version, a new key was generated. Sorry about it. We'll try
>> to post an announcement.
>
> I noticed the announcement (thanks), but the key has changed again?!
> The key below doesn't match the one in the announcement.
>
> Also, the announcements aren't signed.  If someone is able to attack
> savannah in a way that modifies RSA host keys, they most likely can add
> an unsigned announcement to unprotected HTTP that says the SSH host key
> has changed...
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA1 host key has just been changed.
> The fingerprint for the RSA1 key sent by the remote host is
> 66:f4:9a:7e:e3:a8:c5:16:d1:88:aa:ef:3e:06:75:30.
> Please contact your system administrator.
> Add correct host key in /home/jas/.ssh/known_hosts to get rid of this message.
> Offending key in /home/jas/.ssh/known_hosts:64
> RSA1 host key for subversions.gnu.org has changed and you have requested strict checking.
> Host key verification failed.
> cvs [update aborted]: end of file from server (consult above messages if any)
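
Added example, not part of the original message or of any Savannah tooling: how the colon-separated fingerprint in the warning above is derived from a known_hosts entry, and a check that accepts a changed key only when it matches a fingerprint obtained through an authenticated channel. It assumes `trusted_fp` was taken from an announcement whose PGP signature was verified separately; the function names and the sample known_hosts line are constructed for illustration.

```python
import base64
import hashlib
import re

# From the warning quoted in the message above.
PAGE_WARNING = """The fingerprint for the RSA1 key sent by the remote host is
66:f4:9a:7e:e3:a8:c5:16:d1:88:aa:ef:3e:06:75:30."""
# Constructed toy entry (not a real key): hosts, bits, exponent, modulus.
SAMPLE_RSA1_LINE = "host.example 61 35 2305843009213693951"

def _int_bytes(n: int) -> bytes:
    """Minimal big-endian bytes, no length prefix."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def known_hosts_fingerprint(line: str) -> str:
    """Colon-hex MD5 fingerprint of one plain-hostname known_hosts line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a known_hosts key line")
    if len(fields) >= 4 and fields[1].isdigit():
        # Protocol 1 (RSA1): decimal bits, exponent, modulus.
        # The hash covers the modulus bytes followed by the exponent bytes.
        blob = _int_bytes(int(fields[3])) + _int_bytes(int(fields[2]))
    else:
        # Protocol 2: "hosts keytype base64"; the hash covers the decoded blob.
        blob = base64.b64decode(fields[2], validate=True)
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_from_warning(text: str) -> str:
    """Extract the fingerprint the server presented from the client warning."""
    m = re.search(r"(?:[0-9a-f]{2}:){15}[0-9a-f]{2}", text, re.I)
    if m is None:
        raise ValueError("no MD5 fingerprint in warning text")
    return m.group(0).lower()

def accept_new_key(warning: str, trusted_fp: str) -> bool:
    """True only if the presented key matches the authenticated fingerprint."""
    return fingerprint_from_warning(warning) == trusted_fp.strip().lower()

if __name__ == "__main__":
    stored = known_hosts_fingerprint(SAMPLE_RSA1_LINE)
    print("stored entry fingerprint:", stored)
    print("presented:", fingerprint_from_warning(PAGE_WARNING))
    # The stored entry is not an authenticated source for the new key.
    print("accept:", accept_new_key(PAGE_WARNING, stored))
```

The comparison is only as trustworthy as the source of `trusted_fp`: a fingerprint copied from an unsigned web page gives no more assurance than the key the server just presented.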
