Hi,

I wanted to log in on gluck today and stumbled on that:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
ca:59:44:a0:0d:9e:5c:45:39:2b:a0:75:9a:d4:45:fe.
Please contact your system administrator.
[...]

OK. This is probably caused by the reinstallation mentioned on
http://lists.debian.org/debian-devel-announce/2006/07/msg00003.html.
But replacing an ssh key is not something to take lightly, IMHO.

Right, I can compare the advertised fingerprint with that published on:
https://db.debian.org/machines.cgi?host=gluck

Both are identical. But:

1. There is also:
     * Entry created: 0000/00/00 00:00:00 UTC
     * Entry modified: 0000/00/00 00:00:00 UTC
   which is not reassuring.

2. Even worse, the page has:
     Last Modified: Tue, Feb 1 19:13:06 UTC 2005
   which is *way before* the compromise. Ugh.

3. I have to trust the integrity of db.debian.org.

I think it would be much better if someone from debian-admin would be so
kind to GPG-sign the public RSA keys of Debian hosts. This way, I'd only
have to trust that James Troup and Martin Schulze[1] take good care of
their GPG keys. That would make me more comfortable replacing my current
entry for gluck in ~/.ssh/known_hosts.

Thoughts? Does that already exist and I missed it? (Google didn't help)

Thanks.

[1] Or any other person in charge of the machines, the point being, *few*
of them, and people I really have to trust when using Debian anyway.

-- Florent
Attachment:
pgpidbVkG8FYd.pgp
Description: PGP signature
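The procedure the post describes (compare the fingerprint of the offered host key with one obtained from a trusted source, and only then replace the entry in ~/.ssh/known_hosts) can be scripted so that a mismatch never silently overwrites the stored key. The following is an added example written for this page, not code from the post or from Debian; the host key and the known_hosts contents are constructed toy data, the host name gluck.debian.org and the function names are assumptions, and the "trusted" fingerprint is passed in as a string that in practice would come from a GPG-verified file or from the db.debian.org page. It uses the colon-separated MD5 fingerprint format shown in the post's warning (OpenSSH 6.8 and later print SHA256 by default; `ssh-keygen -l -E md5 -f key.pub` reproduces the old format).

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes in SSH wire format: 4-byte big-endian length, then the data."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (extra 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


# Constructed sample: a toy "ssh-rsa" public key blob (e=65537, tiny modulus) in the
# same wire layout a real key uses. It is not a usable key; it only lets the script run offline.
_TOY_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567891)
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(_TOY_BLOB).decode() + " toy-host-key"

# Constructed known_hosts content: a stale entry for the host (hypothetical name) and an
# unrelated entry that must survive the update. The base64 blobs are placeholders.
OLD_KNOWN_HOSTS = (
    "gluck.debian.org,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAB3N0YWxl stale\n"
    "other.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAABW90aGVy other\n"
)


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of a decoded key blob (the format in the post)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_pubkey_line(line: str):
    """Split 'keytype base64 [comment]' and decode the blob, checking that the key type
    name embedded in the blob matches the declared type."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != keytype.encode():
        raise ValueError("key type inside blob does not match declared type")
    return keytype, blob, comment


def update_known_hosts(known_hosts: str, host: str, pubkey_line: str, expected_fp: str) -> str:
    """Return new known_hosts text with the entry for `host` replaced, but only if the
    offered key's fingerprint equals `expected_fp` (obtained out of band, e.g. from a
    GPG-verified list). Raises ValueError on mismatch so nothing is overwritten.
    Hashed (|1|...) entries cannot be matched by name and are kept; marker lines
    (@cert-authority, @revoked) are not handled here and are also kept."""
    keytype, blob, _ = parse_pubkey_line(pubkey_line)
    offered_fp = fingerprint_md5(blob)
    if offered_fp.lower() != expected_fp.lower():
        raise ValueError(f"fingerprint mismatch: offered {offered_fp}, expected {expected_fp}")

    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        # fields[0] is the comma-separated host list of a plain (unhashed) entry.
        if fields and not fields[0].startswith("|1|") and host in fields[0].split(","):
            continue  # drop the stale entry for this host
        kept.append(line)
    kept.append(f"{host} {keytype} {base64.b64encode(blob).decode()}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    _, blob, _ = parse_pubkey_line(SAMPLE_PUBKEY_LINE)
    trusted_fp = fingerprint_md5(blob)  # stands in for the fingerprint read from the trusted source
    print(update_known_hosts(OLD_KNOWN_HOSTS, "gluck.debian.org", SAMPLE_PUBKEY_LINE, trusted_fp))
    try:
        update_known_hosts(OLD_KNOWN_HOSTS, "gluck.debian.org", SAMPLE_PUBKEY_LINE, "00:" * 15 + "00")
    except ValueError as exc:
        print("refused:", exc)
```

If the host keys were published as a GPG-signed file, as the post suggests, the trusted fingerprint would be taken from that file only after `gpg --verify` succeeds with a key you already trust; the script deliberately keeps that step outside, so the only way to reach the write is through a fingerprint comparison that passed.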