
Alioth and SSH: restored



  Hi all,

You may have heard of recent troubles with SSH on Debian machines.
Alioth is handled slightly differently than the other boxes, so here's
the situation.

- A new SSH host key has been generated.  Its fingerprint is
  99:11:ed:30:03:41:ff:9f:f3:74:bd:7d:e1:8f:04:44 and the known_hosts
  line reads like this:

  ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxuVlBnTWE9+g5w/uxuk7SmNLEmXPucZz8iE8kE02zaBxPFdlEKJUhUkkf11qkHp9eWVRMro75IRtOJjVLQNmlKjIw+IncqGvj7bvHcAuqYAwNOhuStPnk/W0jwcs52TkNv7MZprRJOrprJGDMSBhovhBNXYYD8kruhQXJRLV9wBWp9p8VrokBbxl/eKXVuvJfyZU20JmKbyLUPdB9vfQQr9o3btwM//A61WL8sFnnu7JfetbFNGmnO+AwIew/QLs/8BOrwk1RwrcuKcs1ULMTgmUK8/QCpM3I9BhLYl/ypxpADiJFSbTRqqzg5xU/UkNQ3NEmXL2G2A2UWLEuUd22Q== root@alioth

- A new SSL key has also been generated for HTTPS.  Its SHA1
  fingerprint is
  FC:89:CF:26:00:5E:EE:BE:54:35:6E:7A:B6:3E:C3:65:EB:17:8F:38.  If you
  already have the new certificate from SPI, then the Alioth key
  should already be trusted.

- All ~/.ssh/authorized_keys (and authorized_keys2) files have been
  removed.  The data in the database has been wiped too, so they won't
  be regenerated until you re-submit your key on your account page.

- Keys submitted through the web interface are now filtered, and only
  RSA keys end up in your authorized_keys file.  Don't even try
  putting DSA keys in your authorized_keys2 file, the use of that file
  has been disabled (and it'll be deleted anyway).

- Updated openssh packages have been installed, so blacklisted (known
  compromised) keys will be rejected by SSH.

- If you were previously using an RSA key and you *know* it's been
  generated securely (not on a Debian or derivative system, or at
  least two years ago), then *maybe* it's reasonable to re-upload it.
  In all other cases (and, shall I say, in any case), we highly
  recommend you regenerate a new RSA key pair.

- If you have read and understood all of the above, then you may start
  logging onto Alioth with SSH keys again.

Roland,
on behalf of the Alioth team.
-- 
Roland Mas

A lesson for you all: never fall in love during a total eclipse.
  -- Senex, in A Funny Thing Happened on the Way to the Forum

Attachment: pgpfIWNS3YKfZ.pgp
Description: PGP signature
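
Added example, not part of the original message or of Alioth's own tooling: one way to check the known_hosts line above against the announced fingerprint, and to apply the same RSA-only rule the message describes for submitted keys. The function names are this example's own; the fingerprint and key line are copied from the announcement.

```python
import base64
import hashlib
import struct

# Both values are copied verbatim from the announcement above.
ANNOUNCED_FP = "99:11:ed:30:03:41:ff:9f:f3:74:bd:7d:e1:8f:04:44"
KNOWN_HOSTS_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxuVlBnTWE9+g5w/uxuk7SmNLEmXPucZz8iE8kE02zaBxPFdlEKJUhUkkf11qkHp9eWVRMro75IRtOJjVLQNmlKjIw+IncqGvj7bvHcAuqYAwNOhuStPnk/W0jwcs52TkNv7MZprRJOrprJGDMSBhovhBNXYYD8kruhQXJRLV9wBWp9p8VrokBbxl/eKXVuvJfyZU20JmKbyLUPdB9vfQQr9o3btwM//A61WL8sFnnu7JfetbFNGmnO+AwIew/QLs/8BOrwk1RwrcuKcs1ULMTgmUK8/QCpM3I9BhLYl/ypxpADiJFSbTRqqzg5xU/UkNQ3NEmXL2G2A2UWLEuUd22Q== root@alioth"


def read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end


def md5_fingerprint(blob):
    """Colon-separated MD5 of the decoded key blob (the format quoted above)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def inspect_rsa_line(line):
    """Return (fingerprint, modulus_bits, exponent); reject anything not RSA."""
    declared_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    embedded_type, pos = read_string(blob, 0)
    # The text label is only a hint; the type inside the blob is what counts.
    if declared_type != "ssh-rsa" or embedded_type != b"ssh-rsa":
        raise ValueError("not an RSA key, or type label does not match blob")
    e_raw, pos = read_string(blob, pos)
    n_raw, pos = read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after modulus")
    bits = int.from_bytes(n_raw, "big").bit_length()
    return md5_fingerprint(blob), bits, int.from_bytes(e_raw, "big")


if __name__ == "__main__":
    fp, bits, e = inspect_rsa_line(KNOWN_HOSTS_LINE)
    print(f"{bits}-bit RSA, e={e}, fingerprint {fp}")
    print("matches announcement" if fp == ANNOUNCED_FP else "MISMATCH")
```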

