[Python-Dev] SourceForge SSH silliness

Thomas Wouters thomas@xs4all.net
Sun, 17 Dec 2000 22:00:08 +0100


On Sun, Dec 17, 2000 at 02:50:55PM -0500, Tim Peters wrote:
> Starting last night, I get this msg whenever I update Python code w/
> CVSROOT=:ext:tim_one@cvs.python.sourceforge.net:/cvsroot/python:

> """
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @       WARNING: HOST IDENTIFICATION HAS CHANGED!         @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the host key has just been changed.
> Please contact your system administrator.
> Add correct host key in C:\Code/.ssh/known_hosts to get rid of this message.
> Password authentication is disabled to avoid trojan horses.
> """

> This is SourceForge's doing, and is permanent (they've changed keys on their
> end).  Here's a link to a thread that may or may not make sense to you:

> http://sourceforge.net/forum/forum.php?forum_id=52867

> Deleting the sourceforge entries from my .ssh/known_hosts file worked for
> me.  But everyone in the thread above who tried it says that they haven't
> been able to get scp working again (I haven't tried it yet ...).

What sourceforge did was switch Linux distributions, and upgrade. The switch
doesn't really matter for the SSH problem, because recent Debian and recent
RedHat releases both use a new ssh, the OpenBSD ssh implementation.
Apparently, it isn't entirely backwards compatible to old versions of
F-secure ssh. For one thing, it doesn't support the 'idea' cypher. This
might or might not be your problem; if it is, you should get a decent
message that gives a relatively clear message such as 'cypher type 'idea'
not supported'. You should be able to pass the '-c' option to scp/ssh to use
a different cypher, like 3des (aka triple-des.) Or maybe the Windows
versions have a menu to configure that kind of thing :)

Another possible problem is that it might not have good support for older
protocol versions. The 'current' protocol version, at least for 'ssh1', is
1.5. The one message on the sourceforge thread above that actually mentions
a version in the *cough* bugreport is using an older ssh that only supports
protocol version 1.4. Since that particular version of F-secure ssh has
known problems (why else would they release 16 more versions?) I'd suggest
anyone with problems first try a newer version. I hope that doesn't break
WinCVS, but it would suck if it did :P

If that doesn't work, which is entirely possible, it might be an honest bug
in the OpenBSD ssh that Sourceforge is using. If anyone cared, we could do a
bit of experimenting with the openssh-2.0 betas installed by Debian woody
(unstable) to see if the problem occurs there as well.

-- 
Thomas Wouters <thomas@xs4all.net>

Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
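
Added example, not part of the original message or of any project's code: a Python sketch of handling the "HOST IDENTIFICATION HAS CHANGED" case quoted above by replacing the stale known_hosts entry only when the offered key's fingerprint matches one published out of band, instead of deleting the entry unconditionally. It assumes the current OpenSSH `host keytype base64-blob` line format and SHA256 fingerprints; the keys, the `192.0.2.10` address and the function names are constructed for illustration.

```python
import base64
import hashlib

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def entries_for(text, host):
    """Yield (line_no, keytype, blob) for plain entries that name host."""
    for no, line in enumerate(text.splitlines()):
        fields = line.split()
        # Comments, @markers and hashed (|1|...) names are left untouched.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        if host in fields[0].split(","):
            yield no, fields[1], fields[2]

def review_key_change(text, host, keytype, offered_blob, published_fp):
    """Return (verdict, new_text); the text changes only on 'accepted'."""
    stored = [e for e in entries_for(text, host) if e[1] == keytype]
    if any(blob == offered_blob for _, _, blob in stored):
        return "unchanged", text
    if fingerprint(offered_blob) != published_fp:
        return "refused", text  # changed key that nobody vouched for
    stale = {no for no, _, _ in stored}
    kept = [l for i, l in enumerate(text.splitlines()) if i not in stale]
    kept.append(f"{host} {keytype} {offered_blob}")
    return "accepted", "\n".join(kept) + "\n"

def _blob(seed):
    # Constructed ssh-ed25519 wire blob: length-prefixed type + 32-byte key.
    key = hashlib.sha256(seed).digest()
    raw = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + key
    return base64.b64encode(raw).decode()

# Constructed sample data; none of these keys belong to a real server.
OLD, NEW, ROGUE = _blob(b"old"), _blob(b"new"), _blob(b"rogue")
HOST = "cvs.python.sourceforge.net"
KNOWN = (f"# constructed known_hosts\n"
         f"other.example.org ssh-ed25519 {ROGUE}\n"
         f"{HOST},192.0.2.10 ssh-ed25519 {OLD}\n")
PUBLISHED = fingerprint(NEW)  # stands in for the out-of-band announcement

if __name__ == "__main__":
    for name, blob in (("old", OLD), ("rogue", ROGUE), ("new", NEW)):
        print(name, review_key_change(KNOWN, HOST, "ssh-ed25519", blob, PUBLISHED)[0])
```

Removing the stale line also drops any address alias that shared it, so the client will ask about the address again on the next connection.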