[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: D-I manual and SVN

On Wed, Dec 20, 2006 at 01:16:45PM +0100, Jens Seidel wrote:
> Whenever I get complains about a wrong host key ssh provides also the
> solution. The message should be similar to:
> The host key doesn't match the one in ~/.ssh/known_hosts line 111.
> Just edit this file and remove this affected line containing the old
> key. During the next connection ssh asks you whether you accept the new
> connection and adds the new key to known_hosts.

That certainly defeats the usefulness of SSH, doesn't it? How do you know you
are not being duped by a MITM [1] attack and providing your password to 
somebody else?

See http://db.debian.org/doc-hosts.html

As for Alioth, you should check the fingerprint posted at
(as described in http://wiki.debian.org/AliothSVN)

If you really want to make sure, you would have to download the GPG/PGP
signature and check that the signature belongs to "Roland Mas". That's
actually quite tricky to do with the web archives so, if you trust me (and my
signature) this should be ok:

Alioth's valid signatures are now these:
1024 fe:65:bb:fc:43:81:5a:c0:5c:84:b7:cc:62:58:3c:64 ssh_host_dsa_key.pub
1024 f7:fa:20:ca:10:15:ad:a4:43:5d:1c:21:fa:10:da:a9 ssh_host_rsa_key.pub

If you see those being presented when you remove the key from your
~/.ssh/known_hosts and connect to the SVN server you are OK.

BTW, there's a very good (and in depth) article on SSH host key protection for those
interested at http://www.securityfocus.com/infocus/1806



[1] MITM == man in the middle

Attachment: signature.asc
Description: Digital signature

Reply to: