
Re: D-I manual and SVN



On Wed, Dec 20, 2006 at 01:16:45PM +0100, Jens Seidel wrote:
> Whenever I get complaints about a wrong host key ssh also provides the
> solution. The message should be similar to:
> The host key doesn't match the one in ~/.ssh/known_hosts line 111.
> 
> Just edit this file and remove this affected line containing the old
> key. During the next connection ssh asks you whether you accept the new
> connection and adds the new key to known_hosts.

That certainly defeats the usefulness of SSH, doesn't it? How do you know you
are not being duped by a MITM [1] attack and providing your password to 
somebody else?

See http://db.debian.org/doc-hosts.html

As for Alioth, you should check the fingerprint posted at
http://lists.debian.org/debian-devel-announce/2006/10/msg00029.html
(as described in http://wiki.debian.org/AliothSVN)

If you really want to make sure, you would have to download the GPG/PGP
signature and check that the signature belongs to "Roland Mas". That's
actually quite tricky to do with the web archives so, if you trust me (and my
signature) this should be ok:

Alioth's valid signatures are now these:
1024 fe:65:bb:fc:43:81:5a:c0:5c:84:b7:cc:62:58:3c:64 ssh_host_dsa_key.pub
1024 f7:fa:20:ca:10:15:ad:a4:43:5d:1c:21:fa:10:da:a9 ssh_host_rsa_key.pub

If you see those being presented when you remove the key from your
~/.ssh/known_hosts and connect to the SVN server you are OK.

BTW, there's a very good (and in-depth) article on SSH host key protection for those
interested at http://www.securityfocus.com/infocus/1806

Regards

Javier


[1] MITM == man in the middle

Attachment: signature.asc
Description: Digital signature
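
Added example (not part of the original mail): one way to do the comparison described above in code, by computing the MD5 colon-hex fingerprint of the key a server offers and accepting it only if it equals a fingerprint published out of band. The function names, the host svn.example.org and the sample key are assumptions made for illustration; the two fingerprints are the ones quoted in the mail.

```python
import base64
import hashlib
import hmac
import struct

# Fingerprints quoted in the mail above (MD5, colon-separated hex).
PUBLISHED = [
    "fe:65:bb:fc:43:81:5a:c0:5c:84:b7:cc:62:58:3c:64",  # ssh_host_dsa_key.pub
    "f7:fa:20:ca:10:15:ad:a4:43:5d:1c:21:fa:10:da:a9",  # ssh_host_rsa_key.pub
]

def key_blob(line):
    """Find the base64 key blob in a known_hosts or .pub style line."""
    fields = line.split()
    for ktype, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        # The blob begins with a length-prefixed copy of the key type.
        if len(blob) >= 4:
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == ktype.encode():
                return blob
    raise ValueError("no SSH public key found in line")

def md5_fingerprint(line):
    digest = hashlib.md5(key_blob(line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def verify_host_key(line, published=PUBLISHED):
    """True only if the offered key hashes to a published fingerprint."""
    offered = md5_fingerprint(line)
    return any(hmac.compare_digest(offered, p.strip().lower()) for p in published)

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

def constructed_line(host="svn.example.org"):
    """Constructed sample: key-shaped bytes, not a real or usable host key."""
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00" + bytes(range(128, 256))))
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    line = constructed_line()
    print(md5_fingerprint(line))
    print("accept" if verify_host_key(line) else "REJECT: fingerprint not published")
```

The constructed key is rejected because its fingerprint is not in the published list, which is the case where the new key must not be accepted. Current OpenSSH prints SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f <file>` shows the hex form used here.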

