[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: alioth back online, some ssh keys changed

Holger Levsen <holger@layer-acht.org> writes:
> FTWwonder why alioth seems to be hacked now...
> this mail forwarding is inspired by two different mails wondering why the 
> "alioth" ssh host keys have changed


Thanks for forwarding this mail. I'm rather late to the game and only
now discovered the change in ssh keys when "git clone" complained at

> ----------  Forwarded Message  ----------
> Betreff: alioth back online
> Datum: Donnerstag, 21. November 2013
> Von: Stephen Gran <sgran@debian.org>
> An: Debian Infrastructure Announce <debian-infrastructure-
> announce@lists.debian.org>
>  · Update your SSH known keys.  You can find all debian.org ssh hostkeys
>    at [1] or on any debian.org system in /etc/ssh/ssh_known_hosts.  Or
>    you could just use the fingerprints in DNS (secured by DNSSEC).
> [1] https://db.debian.org/debian_known_hosts


I had a bit of a difficult time tracking down the fact that the new key
was valid. What would have made this much easier for me would have been
if the fingerprint of the new key had been included in a signed message
sent to debian-devel-announce@. It looks like that's exactly what you
did with a previous ssh-key change back in 2011[2].

An email like that would have been perfect since then, when ssh
presented me with the new fingerprint, I could have simply searched my
email, found your message advising of the key change, and been on my
way. Without this, I did have to do a bit of poking around before
someone pointed me to Holger's message in my personal email archive.

Additionally, I'd like to have the added trust of our system of signed
keys in addition to the SSL CA system (in which I have very little
trust) and DNSSEC (which I don't even know how to use, nor if I should
trust it any more than https:).

I did try to verify the new key by checking the /etc/ssh/ssh_known_keys
file on a machine for which I did have a valid key. But it looks like
that file is stale on at least the machine I checked
(wagner.debian.org). I'm filing a bug for that now.

For the sake of anyone else that might ever search their email for the
new fingerprint, here it is:

moszumanska:~$ ssh-keygen -l -f /etc/ssh/ssh_known_hosts -F git.debian.org
2048 d7:0b:26:5c:7a:5d:56:40:a9:e0:5d:f4:e1:70:88:bf git.debian.org (RSA)

Thanks for everything,



[1] Yes, I'm a bad Debian Developer and should be using Debian's
services more often.

[2] id:20110522102745.GA27270@varinia.lobefin.net

see also:


Attachment: pgpkJ00b5JMF7.pgp
Description: PGP signature

Reply to: