Hi All,
What should the ssh fingerprint be for hg.python.org? I am receiving 63:75:9b:14:b7:b2:dc:e7:cd:42:d7:19:48:6a:68:8e, but I can't verify if it's correct.
Thank you, Roger
On Mar 24, 2013, at 21:02 , Roger Serwy <roger.serwy@gmail.com> wrote:
What should the ssh fingerprint be for hg.python.org? I am receiving 63:75:9b:14:b7:b2:dc:e7:cd:42:d7:19:48:6a:68:8e, but I can't verify if it's correct.
I currently get:
The authenticity of host 'hg.python.org (140.211.10.72)' can't be established. RSA key fingerprint is ec:98:fe:7b:e1:0f:88:c5:93:37:83:64:a4:cc:aa:01.
$ host 140.211.10.72
72.10.211.140.in-addr.arpa domain name pointer virt-7yvsjn.psf.osuosl.org.
Are you using an RSA key?
-- Ned Deily nad@acm.org --
On 03/24/2013 11:10 PM, Ned Deily wrote:
On Mar 24, 2013, at 21:02 , Roger Serwy <roger.serwy@gmail.com> wrote:
What should the ssh fingerprint be for hg.python.org? I am receiving 63:75:9b:14:b7:b2:dc:e7:cd:42:d7:19:48:6a:68:8e, but I can't verify if it's correct.
I currently get:
The authenticity of host 'hg.python.org (140.211.10.72)' can't be established. RSA key fingerprint is ec:98:fe:7b:e1:0f:88:c5:93:37:83:64:a4:cc:aa:01.
$ host 140.211.10.72
72.10.211.140.in-addr.arpa domain name pointer virt-7yvsjn.psf.osuosl.org.
Are you using an RSA key?
It looks like my ssh is using ECDSA as the host key algorithm by default. When I force it to use ssh-rsa, then I receive the same fingerprint you have.
Should this be documented somewhere?
On Mar 24, 2013, at 21:32 , Roger Serwy <roger.serwy@gmail.com> wrote:
It looks like my ssh is using ECDSA as the host key algorithm by default. When I force it to use ssh-rsa, then I receive the same fingerprint you have.
Should this be documented somewhere?
I believe RSA keys are generally recommended for SSH work. You could add it to the developer's guide. Another tip that may not be documented: to improve transfer speed, enable compression at the ssh level for the hg.python.org connection. If you are using a Unix-y .ssh/config file, you can add it there to the host entry for hg.python.org.
http://serverfault.com/questions/40071/ssh-keypair-generation-rsa-or-dsa
-- Ned Deily nad@acm.org --
You missed that ECDSA != DSA.
On Sun, Mar 24, 2013 at 9:47 PM, Ned Deily <nad@acm.org> wrote:
On Mar 24, 2013, at 21:32 , Roger Serwy <roger.serwy@gmail.com> wrote:
It looks like my ssh is using ECDSA as the host key algorithm by default. When I force it to use ssh-rsa, then I receive the same fingerprint you have.
Should this be documented somewhere?
I believe RSA keys are generally recommended for SSH work. You could add it to the developer's guide. Another tip that may not be documented: to improve transfer speed, enable compression at the ssh level for the hg.python.org connection. If you are using a Unix-y .ssh/config file, you can add it there to the host entry for hg.python.org.
http://serverfault.com/questions/40071/ssh-keypair-generation-rsa-or-dsa
-- Ned Deily nad@acm.org --
python-committers mailing list python-committers@python.org http://mail.python.org/mailman/listinfo/python-committers
On Mon, Mar 25, 2013 at 1:26 AM, Ned Deily <nad@acm.org> wrote:
On Mar 24, 2013, at 21:51 , Jeffrey Yasskin <jyasskin@gmail.com> wrote:
You missed that ECDSA != DSA.
Good! Someone is paying attention. :=) Should we all be preferring one for pydev work?
We have new contributors (who don't have a pre-existing key) use RSA: http://docs.python.org/devguide/faq.html#id1 .
We have new contributors (who don't have a pre-existing key) use RSA: http://docs.python.org/devguide/faq.html#id1 .
I was trying to avoid a man-in-the-middle attack by verifying the server's key fingerprint. Those server fingerprints should be documented.
We have new contributors (who don't have a pre-existing key) use RSA: http://docs.python.org/devguide/faq.html#id1 .
I was trying to avoid a man-in-the-middle attack by verifying the server's key fingerprint. Those server fingerprints should be documented.
Well if a MITM attacker tries to use your ssh access to do anything nasty, another developer will probably notice quite quickly. (the only "nasty thing" the ssh access allows you to do is "hg push", IIRC; still, that can trigger code execution on the buildbots)
Regards
Antoine.
Well if a MITM attacker tries to use your ssh access to do anything nasty, another developer will probably notice quite quickly. (the only "nasty thing" the ssh access allows you to do is "hg push", IIRC; still, that can trigger code execution on the buildbots)
Sure, but it would be better to actually have the fingerprints to avoid the MITM attack altogether.
Can someone log into hg.python.org and get the public keys for the server?
On 3/26/2013 8:39 AM, Roger Serwy wrote:
Well if a MITM attacker tries to use your ssh access to do anything nasty, another developer will probably notice quite quickly. (the only "nasty thing" the ssh access allows you to do is "hg push", IIRC; still, that can trigger code execution on the buildbots)
Sure, but it would be better to actually have the fingerprints to avoid the MITM attack altogether.
I completely agree. "We'll notice the damage" is not a great reason to avoid publishing the fingerprints.
Can someone log into hg.python.org and get the public keys for the server?
Not me. But from my hosts, I get: RSA key fingerprint is ec:98:fe:7b:e1:0f:88:c5:93:37:83:64:a4:cc:aa:01.
-- Eric.
Can someone log into hg.python.org and get the public keys for the server?
Not me. But from my hosts, I get: RSA key fingerprint is ec:98:fe:7b:e1:0f:88:c5:93:37:83:64:a4:cc:aa:01.
Well I'm not sure how logging in would be an improvement, since the person logging in could also be the victim of a MITM attack ;)
Also, what is the command to use on the server to get the public key fingerprint?
Regards
Antoine.
On Tuesday, 26 March 2013 at 09:03 -0500, Roger Serwy wrote:
Also, what is the command to use on the server to get the public key fingerprint?
Run "ssh-keygen -lf /path/to/public/key.pub" for the RSA, DSA, and ECDSA keys.
$ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key
256 63:75:9b:14:b7:b2:dc:e7:cd:42:d7:19:48:6a:68:8e root@gimager (ECDSA)
$ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key
1024 ec:98:fe:7b:e1:0f:88:c5:93:37:83:64:a4:cc:aa:01 root@boomslang (RSA)
$ ssh-keygen -lf /etc/ssh/ssh_host_dsa_key
1024 d8:88:d2:5e:5f:1c:a3:f5:5f:ae:0e:d2:ec:f0:c8:a3 root@boomslang (DSA)
Regards
Antoine.
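The fingerprints that ssh-keygen -lf prints above are just a hash over the server's public key blob (at the time of this thread OpenSSH printed MD5 in colon-separated hex; current releases print SHA-256 in base64). The following is an added example, not code from the thread or from python.org infrastructure: it rebuilds that computation in plain Python so a fingerprint published out of band can be checked against the key a client actually stored in known_hosts, which is the MITM check Roger is asking for. The RSA parameters, the hostname hg.example.org and the known_hosts line are constructed for illustration and are not a real host key.

```python
"""Derive OpenSSH-style host-key fingerprints from a public key blob and
check them against a fingerprint obtained out of band.

Added example for this thread; the key material below is constructed
(not a real host key) and hg.example.org is a placeholder hostname.
"""
import base64
import hashlib
import struct


def _mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251, section 5)."""
    if n == 0:
        return struct.pack(">I", 0)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # keep the value positive in two's complement
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _string(s: bytes) -> bytes:
    """Encode a length-prefixed SSH string."""
    return struct.pack(">I", len(s)) + s


def build_rsa_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def parse_blob(blob: bytes):
    """Split a key blob into its key type and the remaining integer fields."""
    fields = []
    pos = 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    keytype = fields[0]
    numbers = [int.from_bytes(f, "big") for f in fields[1:]]
    return keytype, numbers


def fingerprint_md5(blob: bytes) -> str:
    """Legacy fingerprint as shown in the thread: MD5 over the raw blob,
    rendered as 16 colon-separated hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str):
    """Return (hostnames, keytype, blob) from an unhashed known_hosts entry."""
    hosts, keytype, b64 = line.split()[:3]
    return hosts.split(","), keytype, base64.b64decode(b64)


def verify_host_key(known_hosts_line: str, host: str, expected_fp: str) -> bool:
    """True if the entry covers `host`, its blob really is of the declared
    type, and its fingerprint (MD5 colon form or SHA256: form) matches."""
    hosts, keytype, blob = parse_known_hosts_line(known_hosts_line)
    if host not in hosts:
        return False
    parsed_type, _ = parse_blob(blob)
    if parsed_type.decode() != keytype:
        return False
    if expected_fp.startswith("SHA256:"):
        return fingerprint_sha256(blob) == expected_fp
    return fingerprint_md5(blob) == expected_fp.lower()


# Constructed sample key (not a real modulus) and a constructed known_hosts line.
SAMPLE_E = 65537
SAMPLE_N = (1 << 511) | 0x1F3D5B7935DC3B1
SAMPLE_BLOB = build_rsa_blob(SAMPLE_E, SAMPLE_N)
TAMPERED_BLOB = build_rsa_blob(SAMPLE_E, SAMPLE_N + 2)  # what a spoofed server would present
SAMPLE_KNOWN_HOSTS = "hg.example.org,192.0.2.10 ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()


if __name__ == "__main__":
    fp = fingerprint_md5(SAMPLE_BLOB)
    print("MD5    ", fp)
    print("SHA256 ", fingerprint_sha256(SAMPLE_BLOB))
    print("matches published fingerprint:",
          verify_host_key(SAMPLE_KNOWN_HOSTS, "hg.example.org", fp))
    print("matches tampered key:",
          verify_host_key(SAMPLE_KNOWN_HOSTS, "hg.example.org",
                          fingerprint_md5(TAMPERED_BLOB)))
```

The comparison is only as good as the channel the expected fingerprint came from, which is exactly the point made later in the thread: a fingerprint received over the same possibly-intercepted path adds nothing, so it belongs in a document the developer already trusts, such as the devguide.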
On 26.03.13 14:57, Antoine Pitrou wrote:
Well I'm not sure how logging in would be an improvement, since the person logging in could also be the victim of a MITM attack ;)
In addition, the email you sent might be subject to MITM, either when you were submitting it, or when it was transmitted from python.org to Roger's SMTP server. So you really need to PGP sign it :-)
Regards, Martin
On Tuesday, 26 March 2013 at 21:42 +0100, "Martin v. Löwis" wrote:
On 26.03.13 14:57, Antoine Pitrou wrote:
Well I'm not sure how logging in would be an improvement, since the person logging in could also be the victim of a MITM attack ;)
In addition, the email you sent might be subject to MITM, either when you were submitting it, or when it was transmitted from python.org to Roger's SMTP server. So you really need to PGP sign it :-)
That's assuming someone actually validated my PGP fingerprint through a secure channel, which probably hasn't happened in recent times!
Regards
Antoine.
On 26/03/2013 20:40, Antoine Pitrou wrote:
On Tuesday, 26 March 2013 at 21:42 +0100, "Martin v. Löwis" wrote:
On 26.03.13 14:57, Antoine Pitrou wrote:
Well I'm not sure how logging in would be an improvement, since the person logging in could also be the victim of a MITM attack ;)
In addition, the email you sent might be subject to MITM, either when you were submitting it, or when it was transmitted from python.org to Roger's SMTP server. So you really need to PGP sign it :-)
That's assuming someone actually validated my PGP fingerprint through a secure channel, which probably hasn't happened in recent times!
Obligatory xkcd reference:
TJG
In addition, the email you sent might be subject to MITM, either when you were submitting it, or when it was transmitted from python.org to Roger's SMTP server. So you really need to PGP sign it :-)
And hope that I have Antoine's correct public PGP key... And down the rabbit hole we go.
Thank you everyone for helping.
- Roger
On 25.03.13 17:34, Antoine Pitrou wrote:
We have new contributors (who don't have a pre-existing key) use RSA: http://docs.python.org/devguide/faq.html#id1 .
I was trying to avoid a man-in-the-middle attack by verifying the server's key fingerprint. Those server fingerprints should be documented.
Well if a MITM attacker tries to use your ssh access to do anything nasty, another developer will probably notice quite quickly. (the only "nasty thing" the ssh access allows you to do is "hg push", IIRC; still, that can trigger code execution on the buildbots)
I thought the same first, but for the sufficiently-paranoid there actually is a threat in spoofing hg.python.org:
- if you are not talking to the right server, hg pull might bring a trojan horse on your system, which you might then run into when trying to build Python.
OTOH, there is actually *no* threat at all for men-in-the-*middle*. Anybody spoofing hg.python.org could not simultaneously connect successfully to the actual hg.python.org, since they don't have any authorized key, and since they cannot trick the actual client into providing the proper token that the server would verify, see e.g.
http://utcc.utoronto.ca/~cks/space/blog/tech/SshAndMitM
Regards, Martin
On 25.03.2013 05:51, Jeffrey Yasskin wrote:
You missed that ECDSA != DSA.
Yeah, Elliptic Curve DSA is as secure as RSA while using much shorter keys. ECDSA verification used to be much slower so you may want to prefer RSA for short time connections like hg pull and push.
Christian
Note that I believe ECDSA is now the default for host keys for OpenSSH. At the least, my systems (Gentoo) switched to them after an upgrade a bit ago.
--David
On Mon, 25 Mar 2013 13:29:48 +0100, Christian Heimes <christian@python.org> wrote:
On 25.03.2013 05:51, Jeffrey Yasskin wrote:
You missed that ECDSA != DSA.
Yeah, Elliptic Curve DSA is as secure as RSA while using much shorter keys. ECDSA verification used to be much slower so you may want to prefer RSA for short time connections like hg pull and push.
Christian
participants (10)
- "Martin v. Löwis"
- Antoine Pitrou
- Brett Cannon
- Christian Heimes
- Eric V. Smith
- Jeffrey Yasskin
- Ned Deily
- R. David Murray
- Roger Serwy
- Tim Golden