[Python-Dev] SourceForge SSH silliness

[Tim Peters]

[Tim]
> Starting last night, I get this msg whenever I update Python code w/
> CVSROOT=:ext:tim_one@cvs.python.sourceforge.net:/cvsroot/python:
>
> """
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @       WARNING: HOST IDENTIFICATION HAS CHANGED!         @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now
> (man-in-the-middle attack)!
> It is also possible that the host key has just been changed.
> Please contact your system administrator.
> Add correct host key in C:\Code/.ssh/known_hosts to get rid of
> this message.
> Password authentication is disabled to avoid trojan horses.
> """
>
> This is SourceForge's doing, and is permanent (they've changed
> keys on their end). ...

[Thomas Wouters]
> What sourceforge did was switch Linux distributions, and upgrade.
> The switch doesn't really matter for the SSH problem, because recent
> Debian and recent RedHat releases both use a new ssh, the OpenBSD
> ssh imlementation.
> Apparently, it isn't entirely backwards compatible to old versions of
> F-secure ssh. For one thing, it doesn't support the 'idea' cypher. This
> might or might not be your problem; if it is, you should get a decent
> message that gives a relatively clear message such as 'cypher type 'idea'
> not supported'.
> ... [and quite a bit more] ...

I hope you're feeling better today <wink>.  "The problem" was one the wng
msg spelled out:  "It is also possible that the host key has just been
changed.".  SF changed keys.  That's the whole banana right there.  Deleting
the sourceforge keys from known_hosts fixed it (== convinced ssh to install
new SF keys the next time I connected).