[python-committers] Possible "REMOTE HOST IDENTIFICATION HAS CHANGED!" Error.

Donald Stufft donald at stufft.io
Fri Jan 23 16:34:20 CET 2015 

Can you do ssh -v to that box and send me the output?


> On Jan 23, 2015, at 8:50 AM, Brett Cannon <brett at python.org> wrote:
> 
> I tried updating my checkout this morning and then I was given the warning. So I deleted the key from my known_hosts file, accepted the new one, but now I just keep getting my connection rejected:
> 
> remote: Received disconnect from 104.130.43.97: 2: Too many authentication failures for hg
> 
> abort: no suitable response from remote hg!
> 
> 
> 
> This this rejection going to timeout so I can eventually connect, and if so how long do I need to wait?
> 
> 
>> On Tue Jan 20 2015 at 11:55:08 AM Donald Stufft <donald at stufft.io> wrote:
>> Sending this to python-committers as well for anyone who doesn't keep up with
>> python-dev. If you've gotten this message twice now I'm sorry!
>> 
>> Just a heads up that people might see a "REMOTE HOST IDENTIFICATION HAS
>> CHANGED!" error when connecting to hg.python.org's SSH (or any other PSF
>> machine). The reason for this is that previously we allowed RSA, ECDSA, and
>> ED25519 host keys. However ECDSA relies on having an unbiased random number
>> generator on every connection and any bias in the random numbers can leak the
>> private key. Since these are running on VMs where we don't know for sure what
>> the quality is of the random numbers I've disabled the ECDSA host key.
>> 
>> The impact of this is if you had previously connected to a PSF machine, and
>> your client had the ECDSA key in your ~/.ssh/known_hosts file, that you'll
>> see an error like:
>> 
>>    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
>>    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>>    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>>    It is also possible that a host key has just been changed.
>> 
>> The remediation is to remove the ECDSA for the PSF servers from your known
>> hosts and connect again and accept either the RSA or the ED25519 key when it
>> presents it.
>> 
>> The fingerprints for hg.python.org for both of those keys are:
>> 
>> $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
>> 2048 a0:12:52:50:4a:4b:db:43:ac:65:26:b6:6f:0a:f7:b8 /etc/ssh/ssh_host_rsa_key.pub (RSA)
>> $ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
>> 256 1d:02:d1:d2:7b:a1:cb:e0:51:65:25:d7:19:dd:4e:74 /etc/ssh/ssh_host_ed25519_key.pub (ED25519)
>> 
>> Sorry for any inconvience this causes!
>> 
>> ---
>> Donald Stufft
>> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>> 
>> _______________________________________________
>> python-committers mailing list
>> python-committers at python.org
>> https://mail.python.org/mailman/listinfo/python-committers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-committers/attachments/20150123/94047a9c/attachment.html>

More information about the python-committers mailing list