PSA: replace your DSA keys for SSH

Hi all,
newer OpenSSH versions (7.0+) default to not allowing ssh-dss keys for public key authentication. If you experience "permission denied" errors, this (currently) comes from the client side only and hg.python.org will accept these keys if you enable them using the PubkeyAcceptedKeyTypes option in your SSH config file.
Of course ssh-dss is being phased out for a reason; we'd like to invite everybody who has only DSA keys submitted for hg.python.org access to send an RSA (min. 1024 bits) or ED25519 key to hgaccounts@python.org.
cheers, Georg

On August 27, 2015 at 4:37:21 PM, Georg Brandl (g.brandl@gmx.net) wrote:
Hi all,
newer OpenSSH versions (7.0+) default to not allowing ssh-dss keys for public key authentication. If you experience "permission denied" errors, this (currently) comes from the client side only and hg.python.org will accept these keys if you enable them using the PubkeyAcceptedKeyTypes option in your SSH config file.
Of course ssh-dss is being phased out for a reason; we'd like to invite everybody who has only DSA keys submitted for hg.python.org access to send an RSA (min. 1024 bits) or ED25519 key to hgaccounts@python.org.
Can we bump up the minimum on RSA keys? 1024 isn’t really enough anymore, ideally they’d be at least 4096 but 2048 is also OK.
Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

On Thu, Aug 27, 2015, at 16:36, Donald Stufft wrote:
On August 27, 2015 at 4:37:21 PM, Georg Brandl (g.brandl@gmx.net) wrote:
Hi all,
newer OpenSSH versions (7.0+) default to not allowing ssh-dss keys for public key authentication. If you experience "permission denied" errors, this (currently) comes from the client side only and hg.python.org will accept these keys if you enable them using the PubkeyAcceptedKeyTypes option in your SSH config file.
Of course ssh-dss is being phased out for a reason; we'd like to invite everybody who has only DSA keys submitted for hg.python.org access to send an RSA (min. 1024 bits) or ED25519 key to hgaccounts@python.org.
Can we bump up the minimum on RSA keys? 1024 isn’t really enough anymore, ideally they’d be at least 4096 but 2048 is also OK.
Even better: send a ed25519 key as documented in the devguide.
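An added example, not code from this thread or from python.org's infrastructure: a checker a key-handling volunteer could run over submitted OpenSSH public key lines. It decodes the key blob to reject ssh-dss, confirm the declared type matches the blob, and enforce the 2048-bit RSA minimum suggested above; MIN_RSA_BITS and make_sample_line (which builds placeholder keys of the right wire format, not real keys) are constructed for this example.

```python
import base64
import struct

# Policy for this example (constructed): reject ssh-dss, accept ssh-ed25519, require >= 2048-bit RSA.
MIN_RSA_BITS = 2048

def _string(raw):
    # SSH wire 'string': 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(raw)) + raw

def _read_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def check_pubkey_line(line):
    """Return (accepted, reason) for one OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        return False, "not an OpenSSH public key line"
    try:
        blob = base64.b64decode(fields[1], validate=True)
        wire_type, off = _read_string(blob, 0)
        wire_type = wire_type.decode("ascii", "replace")
        if wire_type != fields[0]:
            return False, f"declared {fields[0]} but blob is {wire_type}"
        if wire_type == "ssh-ed25519":
            return True, wire_type
        if wire_type != "ssh-rsa":
            return False, f"{wire_type} keys are not accepted"
        _, off = _read_string(blob, off)   # public exponent e (not needed here)
        n, _ = _read_string(blob, off)     # modulus n, encoded as an mpint
        bits = int.from_bytes(n, "big").bit_length()
    except (ValueError, struct.error):
        return False, "malformed key blob"
    if bits < MIN_RSA_BITS:
        return False, f"ssh-rsa modulus is {bits} bits, minimum is {MIN_RSA_BITS}"
    return True, f"ssh-rsa {bits} bits"

def _mpint(value):
    # Positive mpint: one spare byte keeps the sign bit clear
    return _string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def make_sample_line(kind, *fields):
    """Constructed sample key: type string then placeholder fields (ints as mpints); not a real key."""
    body = b"".join(_mpint(f) if isinstance(f, int) else _string(f) for f in fields)
    return f"{kind} {base64.b64encode(_string(kind.encode()) + body).decode()} sample@example"
```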

As a followup to this, I have now removed all DSA keys. People who only had DSA keys will need to submit new keys to hgaccounts@.
On Thu, Aug 27, 2015, at 13:36, Georg Brandl wrote:
Hi all,
newer OpenSSH versions (7.0+) default to not allowing ssh-dss keys for public key authentication. If you experience "permission denied" errors, this (currently) comes from the client side only and hg.python.org will accept these keys if you enable them using the PubkeyAcceptedKeyTypes option in your SSH config file.
Of course ssh-dss is being phased out for a reason; we'd like to invite everybody who has only DSA keys submitted for hg.python.org access to send an RSA (min. 1024 bits) or ED25519 key to hgaccounts@python.org.
cheers, Georg
python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers

On 7 October 2015 at 13:43, Benjamin Peterson <benjamin@python.org> wrote:
As a followup to this, I have now removed all DSA keys. People who only had DSA keys will need to submit new keys to hgaccounts@.
And for folks looking for an authenticated way of passing along key details, if you have a GitHub account, GitHub makes them available after you upload them. For example: https://github.com/ncoghlan.keys
Cheers, Nick.
On Thu, Aug 27, 2015, at 13:36, Georg Brandl wrote:
Hi all,
newer OpenSSH versions (7.0+) default to not allowing ssh-dss keys for public key authentication. If you experience "permission denied" errors, this (currently) comes from the client side only and hg.python.org will accept these keys if you enable them using the PubkeyAcceptedKeyTypes option in your SSH config file.
Of course ssh-dss is being phased out for a reason; we'd like to invite everybody who has only DSA keys submitted for hg.python.org access to send an RSA (min. 1024 bits) or ED25519 key to hgaccounts@python.org.
cheers, Georg
-- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia

Do realize, though, that simply asking hgaccounts to take the keys from your GitHub key URL might not get you what you expect if you use GitHub Desktop as that app installs its own keys.
On Wed, 7 Oct 2015 at 03:05 Nick Coghlan <ncoghlan@gmail.com> wrote:
On 7 October 2015 at 13:43, Benjamin Peterson <benjamin@python.org> wrote:
As a followup to this, I have now removed all DSA keys. People who only had DSA keys will need to submit new keys to hgaccounts@.
And for folks looking for an authenticated way of passing along key details, if you have a GitHub account, GitHub makes them available after you upload them. For example: https://github.com/ncoghlan.keys
Cheers, Nick.
On Thu, Aug 27, 2015, at 13:36, Georg Brandl wrote:
Hi all,
newer OpenSSH versions (7.0+) default to not allowing ssh-dss keys for public key authentication. If you experience "permission denied" errors, this (currently) comes from the client side only and hg.python.org will accept these keys if you enable them using the PubkeyAcceptedKeyTypes option in your SSH config file.
Of course ssh-dss is being phased out for a reason; we'd like to invite everybody who has only DSA keys submitted for hg.python.org access to send an RSA (min. 1024 bits) or ED25519 key to hgaccounts@python.org.
cheers, Georg
-- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia

On Oct 6, 2015, at 11:43 PM, Benjamin Peterson <benjamin@python.org> wrote:
As a followup to this, I have now removed all DSA keys. People who only had DSA keys will need to submit new keys to hgaccounts@.
That was rather sudden and harsh. Effectively, you just revoked my commit rights.
I'll wrestle with the new key submission as soon as I can. It would have been better though to have had all the devs upgraded *before* deleting their keys.
Raymond

On Wed, Oct 7, 2015, at 18:52, Raymond Hettinger wrote:
On Oct 6, 2015, at 11:43 PM, Benjamin Peterson <benjamin@python.org> wrote:
As a followup to this, I have now removed all DSA keys. People who only had DSA keys will need to submit new keys to hgaccounts@.
That was rather sudden and harsh. Effectively, you just revoked my commit rights.
I'm sorry. Most keys which I removed were for long-dormant committers. Likely, no amount of waiting would have resulted in these keys being replaced. The sudden removal of DSA keys would have happened sooner or later anyway when we upgraded to a newer version of openssh.
I'll wrestle with the new key submission as soon as I can. It would have been better though to have had all the devs upgraded *before* deleting their keys.

[Benjamin Peterson <benjamin@python.org>]
As a followup to this, I have now removed all DSA keys. People who only had DSA keys will need to submit new keys to hgaccounts@.
That apparently was addressed to me - cool ;-)
Just noting that the Windows section of the devguide:
https://docs.python.org/devguide/faq.html
should probably be changed to say something other than the current:
Use PuTTYgen to generate your public key. Choose the “SSH2 DSA” radio button,
That may be a clue as to why Windows devs generated DSA keys to begin with ;-)
PuTTYgen also has a "SSH-2 RSA" radio button, and #-of-bits box into which 4096 can be typed.

On Wed, Oct 7, 2015, at 19:38, Tim Peters wrote:
[Benjamin Peterson <benjamin@python.org>]
As a followup to this, I have now removed all DSA keys. People who only had DSA keys will need to submit new keys to hgaccounts@.
That apparently was addressed to me - cool ;-)
Just noting that the Windows section of the devguide:
https://docs.python.org/devguide/faq.html
should probably be changed to say something other than the current:
Use PuTTYgen to generate your public key. Choose the “SSH2 DSA” radio button,
That may be a clue as to why Windows devs generated DSA keys to begin with ;-)
PuTTYgen also has a "SSH-2 RSA" radio button, and #-of-bits box into which 4096 can be typed.
Thank you. I updated the page with exactly what you suggest yesterday. The automatic doc building process unfortunately hadn't run yet.

On 8 October 2015 at 03:58, Benjamin Peterson <benjamin@python.org> wrote:
Just noting that the Windows section of the devguide:
https://docs.python.org/devguide/faq.html
should probably be changed to say something other than the current:
Use PuTTYgen to generate your public key. Choose the “SSH2 DSA” radio button,
That may be a clue as to why Windows devs generated DSA keys to begin with ;-)
PuTTYgen also has a "SSH-2 RSA" radio button, and #-of-bits box into which 4096 can be typed.
Thank you. I updated the page with exactly what you suggest yesterday. The automatic doc building process unfortunately hadn't run yet.
Ah. Presumably this means my current key no longer works and has been revoked. I had been reading the emails assuming that I was likely OK as a new committer, and not really understanding what all these acronyms meant. I guess I'll need to get around to redoing my keys as well...
In future cases like this, it might be worth publishing a list of who is affected and changing the docs *before* making the change :-)
Paul

On 8 October 2015 at 04:58, Benjamin Peterson <benjamin@python.org> wrote:
On Wed, Oct 7, 2015, at 19:38, Tim Peters wrote:
[Benjamin Peterson <benjamin@python.org>]
As a followup to this, I have now removed all DSA keys. People who only had DSA keys will need to submit new keys to hgaccounts@.
That apparently was addressed to me - cool ;-)
Just noting that the Windows section of the devguide:
https://docs.python.org/devguide/faq.html
should probably be changed to say something other than the current:
Use PuTTYgen to generate your public key. Choose the “SSH2 DSA” radio button,
That may be a clue as to why Windows devs generated DSA keys to begin with ;-)
PuTTYgen also has a "SSH-2 RSA" radio button, and #-of-bits box into which 4096 can be typed.
Thank you. I updated the page with exactly what you suggest yesterday. The automatic doc building process unfortunately hadn't run yet.
Something to watch in the future is MS's efforts to port OpenSSH to Windows: http://blogs.msdn.com/b/powershell/archive/2015/10/19/openssh-for-windows-up...
As that stabilises, it may be worth offering common OpenSSH based instructions for Windows as well.
Regards, Nick.
-- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia

On 10/7/2015 10:38 PM, Tim Peters wrote:
[Benjamin Peterson <benjamin@python.org>]
As a followup to this, I have now removed all DSA keys. People who only had DSA keys will need to submit new keys to hgaccounts@.
I sent a new one about 11 hours ago. I am still getting Putty Fatal Error Disconnected: No supported authentication methods available (server sent: publickey)
Is anyone tending the mail box, or do I have to do something else?
Terry J. Reedy

People are reading it, just a matter of people having a checkout and time to get to the keys. If no one beats me to it I will personally work through the backlog tonight.
On Thu, 8 Oct 2015 at 10:07 Terry Reedy <tjreedy@udel.edu> wrote:
On 10/7/2015 10:38 PM, Tim Peters wrote:
[Benjamin Peterson <benjamin@python.org>]
As a followup to this, I have now removed all DSA keys. People who only had DSA keys will need to submit new keys to hgaccounts@.
I sent a new one about 11 hours ago. I am still getting Putty Fatal Error Disconnected: No supported authentication methods available (server sent: publickey)
Is anyone tending the mail box, or do I have to do something else?
Terry J. Reedy

[Terry Reedy <tjreedy@udel.edu>, on SSH keys]
I sent a new one about 11 hours ago. I am still getting Putty Fatal Error Disconnected: No supported authentication methods available (server sent: publickey)
Is anyone tending the mail box, or do I have to do something else?
My new one got installed about 11 hours ago, so someone is watching sometimes ;-)
Alas, SSH-related error messages are atrocious. Two things to check on your end:
1. Make sure Pageant has loaded your new key.
2. Make sure your `ssh` alias (probably set in your Mercurial.ini) also specifies your new key file.
For #2, here's what's in my Mercurial.ini now:
ssh = "C:\Program Files\TortoiseHg\lib\TortoisePlink.exe" -ssh -2 -C -i C:\Code\.ssh\newkey.ppk
Screw up anything on either end, and you get the same useless error message :-(

I personally know Terry's key has not been installed yet. You will always get a reply email from whomever installs your new key that it was done and that you should test it.
This manual key management is yet another reason why we are going to get a new development process *somehow* in 2016.
On Thu, 8 Oct 2015 at 10:19 Tim Peters <tim.peters@gmail.com> wrote:
[Terry Reedy <tjreedy@udel.edu>, on SSH keys]
I sent a new one about 11 hours ago. I am still getting Putty Fatal Error Disconnected: No supported authentication methods available (server sent: publickey)
Is anyone tending the mail box, or do I have to do something else?
My new one got installed about 11 hours ago, so someone is watching sometimes ;-)
Alas, SSH-related error messages are atrocious. Two things to check on your end:
1. Make sure Pageant has loaded your new key.
2. Make sure your `ssh` alias (probably set in your Mercurial.ini) also specifies your new key file.
For #2, here's what's in my Mercurial.ini now:
ssh = "C:\Program Files\TortoiseHg\lib\TortoisePlink.exe" -ssh -2 -C -i C:\Code\.ssh\newkey.ppk
Screw up anything on either end, and you get the same useless error message :-(

On 10/8/2015 1:20 PM, Brett Cannon wrote:
I personally know Terry's key has not been installed yet. You will always get a reply email from whomever installs your new key that it was done and that you should test it.
Ignore the one I sent 12 hours ago: it was still DSA, though with more bits. I just sent a new RSA 4096-bit key, and rechecked that it *is* RSA.
This manual key management is yet another reason why we are going to get a new development process /somehow/ in 2016.
After thinking about it, I realized that auto accepting any key sent by just anyone is not a good idea either. To you, my email address is my id.
Fortunately, next release is at least 2 weeks off.
On Thu, 8 Oct 2015 at 10:19 Tim Peters <tim.peters@gmail.com> wrote:
[Terry Reedy <tjreedy@udel.edu>, on SSH keys]
> I sent a new one about 11 hours ago. I am still getting
> Putty Fatal Error
> Disconnected: No supported authentication methods available
> (server sent: publickey)
>
> Is anyone tending the mail box, or do I have to do something else?
My new one got installed about 11 hours ago, so someone is watching sometimes ;-)
Alas, SSH-related error messages are atrocious. Two things to check on your end:
1. Make sure Pageant has loaded your new key.
It had, and said DSA...
2. Make sure your `ssh` alias (probably set in your Mercurial.ini) also specifies your new key file.
For #2, here's what's in my Mercurial.ini now:
ssh = "C:\Program Files\TortoiseHg\lib\TortoisePlink.exe" -ssh -2 -C -i C:\Code\.ssh\newkey.ppk
Since I overwrote the old key file, the hg setting should be the same.
- Terry

On 10/8/2015 1:20 PM, Brett Cannon wrote:
You will always get a reply email from whomever installs your new key that it was done and that you should test it.
Perhaps follow
"29. How do I generate an SSH-2 public key?
All generated SSH keys should be sent to hgaccounts@python.org for adding to the list of keys. DSA keys are unacceptable."
with "Keys are added manually, usually within a day or so. When installed, a reply will be sent."
I could make that my test ;-).