Re: [Savannah-hackers] SSH host key changed?
From: Simon Josefsson
Subject: Re: [Savannah-hackers] SSH host key changed?
Date: Tue, 05 Aug 2003 17:25:55 +0200
User-agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3.50 (gnu/linux)
Never mind, I didn't read the comments to the savannah announcement
where this was discussed.
Still, the issue with unsigned announcements still exists...
Simon Josefsson <address@hidden> writes:
> "Jaime E. Villate" <address@hidden> writes:
>
>> On Sun, Aug 03, 2003 at 10:43:21PM +0200, Simon Josefsson wrote:
>>> If the SSH host key has really changed, I think it would be good to
>>> announce it somewhere. Is there a PGP signed announcement channel
>>> from the savannah system hackers? I think there should be one.
>>>
>>> FWIW, the ssh host key appears to have changed from my point of view
>>> within the latest 24 hours.
>> Yes. I was trying a newer version of ssh and when I downgraded to the
>> original version, a new key was generated. Sorry about it. We'll try to
>> post an announcement.
>
> I noticed the announcement (thanks), but the key has changed again?!
> The key below doesn't match the one in the announcement.
>
> Also, the announcements aren't signed. If someone is able to attack
> savannah in a way that modifies RSA host keys, they most likely can add
> an unsigned announcement to unprotected HTTP that says the SSH host key
> has changed...
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA1 host key has just been changed.
> The fingerprint for the RSA1 key sent by the remote host is
> 66:f4:9a:7e:e3:a8:c5:16:d1:88:aa:ef:3e:06:75:30.
> Please contact your system administrator.
> Add correct host key in /home/jas/.ssh/known_hosts to get rid of this message.
> Offending key in /home/jas/.ssh/known_hosts:64
> RSA1 host key for subversions.gnu.org has changed and you have requested
> strict checking.
> Host key verification failed.
> cvs [update aborted]: end of file from server (consult above messages if any)