Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.
Sending this to python-committers as well for anyone who doesn't keep up with python-dev. If you've gotten this message twice now I'm sorry!

Just a heads up that people might see a "REMOTE HOST IDENTIFICATION HAS CHANGED!" error when connecting to hg.python.org's SSH (or any other PSF machine). The reason for this is that previously we allowed RSA, ECDSA, and ED25519 host keys. However ECDSA relies on having an unbiased random number generator on every connection and any bias in the random numbers can leak the private key. Since these are running on VMs where we don't know for sure what the quality is of the random numbers I've disabled the ECDSA host key.

The impact of this is if you had previously connected to a PSF machine, and your client had the ECDSA key in your ~/.ssh/known_hosts file, that you'll see an error like:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.

The remediation is to remove the ECDSA for the PSF servers from your known hosts and connect again and accept either the RSA or the ED25519 key when it presents it.

The fingerprints for hg.python.org for both of those keys are:

$ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
2048 a0:12:52:50:4a:4b:db:43:ac:65:26:b6:6f:0a:f7:b8 /etc/ssh/ssh_host_rsa_key.pub (RSA)
$ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
256 1d:02:d1:d2:7b:a1:cb:e0:51:65:25:d7:19:dd:4e:74 /etc/ssh/ssh_host_ed25519_key.pub (ED25519)

Sorry for any inconvenience this causes!

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
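The remediation above has two halves: drop the stale ECDSA entry for the host from known_hosts (without touching the host's other keys or other hosts' ECDSA keys) and confirm that the key the server presents next really carries the published fingerprint rather than accepting it blind. The following is an added example, not code from the announcement or from PSF infrastructure; it uses the MD5 fingerprints quoted above, and the key blobs and known_hosts lines it builds are constructed for the demo and are not hg.python.org's real keys. Hostnames and key types in the sample data are assumptions.

```python
"""Clean stale ECDSA entries out of a known_hosts file and verify the
replacement host key against a published fingerprint.  Added example, not
code from the thread; the sample key material below is constructed for the
demo and is NOT hg.python.org's real host key."""
import base64
import hashlib
import struct

# MD5 fingerprints quoted in the announcement (the "a0:12:..." form that
# ssh-keygen -l printed by default before OpenSSH 6.8).
PUBLISHED_FINGERPRINTS = {
    "ssh-rsa": "a0:12:52:50:4a:4b:db:43:ac:65:26:b6:6f:0a:f7:b8",
    "ssh-ed25519": "1d:02:d1:d2:7b:a1:cb:e0:51:65:25:d7:19:dd:4e:74",
}
ECDSA_TYPES = ("ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_known_hosts_line(line):
    """Return (hostnames, keytype, base64_blob) for an entry, or None for
    blank/comment lines.  Hashed host fields (|1|...) are returned as-is."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if fields[0].startswith("@"):          # @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        return None
    return fields[0].split(","), fields[1], fields[2]


def drop_host_keys(known_hosts_text, host, keytypes=ECDSA_TYPES):
    """Remove entries for `host` whose key type is in `keytypes`; keep everything
    else (other hosts' ECDSA keys, this host's RSA/ED25519 keys).
    Returns (new_text, removed_count).  Hashed entries cannot be matched by
    name and are kept; `ssh-keygen -R host` handles those, but it removes
    every key type for the host."""
    kept, removed = [], 0
    for line in known_hosts_text.splitlines():
        parsed = parse_known_hosts_line(line)
        if parsed and host in parsed[0] and parsed[1] in keytypes:
            removed += 1
            continue
        kept.append(line)
    return "".join(l + "\n" for l in kept), removed


def wire_key_type(blob):
    """Key type string embedded in the SSH wire-format public key blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def md5_fingerprint(blob):
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob):
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_offered_key(keytype, b64blob, published=PUBLISHED_FINGERPRINTS):
    """Compare a host key the server offered with the published fingerprint.
    Returns (ok, md5_fingerprint); fails closed if the declared key type does
    not match the type inside the blob, or if no fingerprint was published."""
    blob = base64.b64decode(b64blob)
    if wire_key_type(blob) != keytype:
        return False, None
    fp = md5_fingerprint(blob)
    return published.get(keytype) == fp, fp


# --- constructed sample data (not real keys) ---------------------------------
def _make_blob(keytype, *fields):
    out = b""
    for f in (keytype.encode(),) + fields:
        out += struct.pack(">I", len(f)) + f
    return out

SAMPLE_ED25519 = base64.b64encode(_make_blob("ssh-ed25519", bytes(range(32)))).decode()
SAMPLE_ECDSA = base64.b64encode(
    _make_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64))).decode()
SAMPLE_KNOWN_HOSTS = (
    "hg.python.org,104.130.43.97 ecdsa-sha2-nistp256 " + SAMPLE_ECDSA + "\n"
    "hg.python.org,104.130.43.97 ssh-ed25519 " + SAMPLE_ED25519 + "\n"
    "other.example ecdsa-sha2-nistp256 " + SAMPLE_ECDSA + "\n"
)

if __name__ == "__main__":
    cleaned, n = drop_host_keys(SAMPLE_KNOWN_HOSTS, "hg.python.org")
    print("removed %d stale entries:\n%s" % (n, cleaned))
    ok, fp = check_offered_key("ssh-ed25519", SAMPLE_ED25519)
    print("offered ED25519 key %s published fingerprint (%s)"
          % ("matches" if ok else "does NOT match", fp))
```

The base64 blob to feed `check_offered_key` is the third field of the line ssh adds to known_hosts, or of `ssh-keyscan -t ed25519 host` output. On OpenSSH 6.8 and later `ssh-keygen -l` prints SHA256 fingerprints by default, so to compare against the colon-separated values quoted in the announcement use `ssh-keygen -E md5 -lf file`; `sha256_fingerprint` above produces the newer form for the same blob.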
I tried updating my checkout this morning and then I was given the warning. So I deleted the key from my known_hosts file, accepted the new one, but now I just keep getting my connection rejected:

remote: Received disconnect from 104.130.43.97: 2: Too many authentication failures for hg
abort: no suitable response from remote hg!

Is this rejection going to time out so I can eventually connect, and if so how long do I need to wait?

On Tue Jan 20 2015 at 11:55:08 AM Donald Stufft <donald@stufft.io> wrote:
_______________________________________________ python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers
Can you do ssh -v to that box and send me the output?
On Jan 23, 2015, at 8:50 AM, Brett Cannon <brett@python.org> wrote:
Looks like my id_rsa key is not being tried soon enough for the two-attempt threshold as the key that GitHub for Mac installed and my work key are being tried first (I tried specifying my id_rsa key with -i but that didn't seem to change anything):

> ssh -v 104.130.43.97
OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 58: Applying options for *.*
debug1: /etc/ssh_config line 68: Applying options for *
debug1: /etc/ssh_config line 107: Deprecated option "globalknownhostsfile2"
debug1: Connecting to 104.130.43.97 [104.130.43.97] port 22.
debug1: Connection established.
debug1: could not open key file '/etc/ssh_host_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_dsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_ecdsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_rsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_ed25519_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_dsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_ecdsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_rsa_key': No such file or directory
debug1: could not open key file '/etc/ssh_host_ed25519_key': No such file or directory
debug1: identity file /Users/bcannon/.ssh/identity type -1
debug1: identity file /Users/bcannon/.ssh/identity-cert type -1
debug1: identity file /Users/bcannon/.ssh/localhost/identity type -1
debug1: identity file /Users/bcannon/.ssh/localhost/identity-cert type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/identity type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/identity-cert type -1
debug1: identity file /Users/bcannon/.ssh/id_dsa type -1
debug1: identity file /Users/bcannon/.ssh/id_dsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/id_rsa type 1
debug1: identity file /Users/bcannon/.ssh/id_rsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/localhost/id_dsa type -1
debug1: identity file /Users/bcannon/.ssh/localhost/id_dsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/localhost/id_rsa type -1
debug1: identity file /Users/bcannon/.ssh/localhost/id_rsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/id_dsa type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/id_dsa-cert type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/id_rsa type -1
debug1: identity file /Users/bcannon/.ssh/clusterhost/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Miscellaneous failure (see text)
No credentials cache file found
debug1: An invalid name was supplied
unknown mech-code 0 for mech 1 2 752 43 14 2
debug1: Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 5 14
debug1: Miscellaneous failure (see text)
unknown mech-code 2 for mech 1 3 6 1 4 1 311 2 2 10
debug1: An unsupported mechanism was requested
unknown mech-code 0 for mech 1 3 5 1 5 2 7
debug1: Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 2 5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-128-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-128-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ED25519 1d:02:d1:d2:7b:a1:cb:e0:51:65:25:d7:19:dd:4e:74
debug1: Host '104.130.43.97' is known and matches the ED25519 host key.
debug1: Found key in /Users/bcannon/.ssh/known_hosts:24
debug1: ssh_ed25519_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/bcannon/.ssh/github_rsa
debug1: Authentications that can continue: publickey
debug1: Offering ECDSA public key: corp/normal
Received disconnect from 104.130.43.97: 2: Too many authentication failures for bcannon

On Fri Jan 23 2015 at 10:34:25 AM Donald Stufft <donald@stufft.io> wrote:
On Jan 23, 2015, at 04:16 PM, Brett Cannon wrote:
Looks like my id_rsa key is not being tried soon enough for the two-attempt threshold as the key that GitHub for Mac installed and my work key are being tried first (I tried specifying my id_rsa key with -i but that didn't seem to change anything):
I get this all the time when I add my Debian ssh key to ssh-agent and then try to connect to hosts on my LAN (which use a different key). I think this is a limitation of ssh-agent and if you search the web, you'll find various solutions, which I've used to varying degrees of success.
Basically you want to force ssh not to use the agent when connecting to the site (I haven't yet tried hg.python.org with multiple keys). E.g. in your ~/.ssh/config file:
Host hg.python.org
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
HTH, -Barry
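Barry's fix works because of three ssh_config rules that are easy to get wrong: Host blocks are matched with shell-style wildcards, the first value seen for a single-valued option such as IdentitiesOnly wins (so a specific block has to precede `Host *`), and IdentityFile entries accumulate across every matching block. The checker below is an added example, not Barry's or the project's code; it parses a config the way those rules dictate and then asks whether a given key would be offered before the server's attempt budget (two, in Brett's log) runs out. The agent key list, the default identity files and the ordering rule that agent keys are offered before file identities when IdentitiesOnly is off are assumptions chosen to match Brett's ssh -v output; Match blocks and Include are not modelled.

```python
"""Which keys will ssh offer to a host, and will the right one be tried before
the server's MaxAuthTries budget runs out?  Added example, not code from the
thread.  Modelled OpenSSH client rules:
  * Host blocks match with shell-style wildcards; a negated pattern (!foo)
    disqualifies the whole block;
  * for a single-valued option such as IdentitiesOnly the FIRST value wins;
  * IdentityFile entries accumulate across every matching block;
  * (assumption, consistent with Brett's ssh -v output) without IdentitiesOnly
    the agent's keys are offered first, then the configured identity files.
Match blocks and Include are not modelled."""
import fnmatch
import re

# Identity files an OpenSSH 6.x client tries when none is configured (assumption).
DEFAULT_IDENTITIES = ["~/.ssh/id_rsa", "~/.ssh/id_dsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ed25519"]


def parse_ssh_config(text):
    """Return [(host_patterns, {option: [values...]}), ...] in file order.
    Options that precede the first Host line apply unconditionally."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, []).append(value)
    return blocks


def block_matches(patterns, host):
    """True if `host` matches a positive pattern and no negated one."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def effective_identity_settings(config_text, host):
    """(identities_only, identity_files) that ssh would end up with for `host`."""
    identities_only = None
    files = []
    for patterns, options in parse_ssh_config(config_text):
        if not block_matches(patterns, host):
            continue
        if identities_only is None and "identitiesonly" in options:
            identities_only = options["identitiesonly"][0].lower() == "yes"
        for path in options.get("identityfile", []):
            if path not in files:
                files.append(path)
    return bool(identities_only), files


def offered_key_order(config_text, host, agent_keys):
    """Order in which public keys would be offered (simplified model above)."""
    only, files = effective_identity_settings(config_text, host)
    if not files:
        files = list(DEFAULT_IDENTITIES)
    if only:
        return files
    order = list(agent_keys)
    for path in files:
        if path not in order:
            order.append(path)
    return order


def key_within_budget(config_text, host, agent_keys, wanted_key, max_auth_tries):
    """(ok, order): ok is True if `wanted_key` is offered before the server
    would disconnect for too many failed attempts."""
    order = offered_key_order(config_text, host, agent_keys)
    return wanted_key in order[:max_auth_tries], order


# Constructed sample: an agent holding two unrelated keys ahead of id_rsa (as
# in Brett's log), and the config before and after Barry's fix.
AGENT_KEYS = ["~/.ssh/github_rsa", "corp/normal", "~/.ssh/id_rsa"]
BEFORE_FIX = "Host *\n    ServerAliveInterval 30\n"
AFTER_FIX = ("Host hg.python.org\n    IdentityFile ~/.ssh/id_rsa\n"
             "    IdentitiesOnly yes\n") + BEFORE_FIX

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        ok, order = key_within_budget(cfg, "hg.python.org", AGENT_KEYS, "~/.ssh/id_rsa", 2)
        print("%s fix: offers %s -> %s" % (label, order, "OK" if ok else "locked out"))
```

Two consequences of the accumulation rule are worth checking in your own file: a `Host *` block that lists an IdentityFile still contributes that key to hg.python.org even with IdentitiesOnly set (it just comes after the keys listed in the more specific block), and putting the specific block after `Host *` silently loses any single-valued option the wildcard block already set. On OpenSSH 6.8 and later, `ssh -G hg.python.org` prints the effective configuration so the model can be cross-checked against the real client.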
That did it! Thanks, Barry.
On Fri Jan 23 2015 at 1:20:40 PM Barry Warsaw <barry@python.org> wrote:
participants (3)
- Barry Warsaw
- Brett Cannon
- Donald Stufft