Hello,

the SSH host key of alioth.debian.org as given by Phil Hands in the previous mail was still the old key. The new one has the following fingerprint:

  2048 99:11:ed:30:03:41:ff:9f:f3:74:bd:7d:e1:8f:04:44 /etc/ssh/ssh_host_rsa_key.pub

The full public key is:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxuVlBnTWE9+g5w/uxuk7SmNLEmXPucZz8iE8kE02zaBxPFdlEKJUhUkkf11qkHp9eWVRMro75IRtOJjVLQNmlKjIw+IncqGvj7bvHcAuqYAwNOhuStPnk/W0jwcs52TkNv7MZprRJOrprJGDMSBhovhBNXYYD8kruhQXJRLV9wBWp9p8VrokBbxl/eKXVuvJfyZU20JmKbyLUPdB9vfQQr9o3btwM//A61WL8sFnnu7JfetbFNGmnO+AwIew/QLs/8BOrwk1RwrcuKcs1ULMTgmUK8/QCpM3I9BhLYl/ypxpADiJFSbTRqqzg5xU/UkNQ3NEmXL2G2A2UWLEuUd22Q== root@alioth

The same key is also used for the VCS related hosts: svn.debian.org, git.debian.org, bzr.debian.org, hg.debian.org, darcs.debian.org, arch.debian.org.

Let me also give a quick summary of the security measures that we took. Shortly after the publication of the DSA, we installed the security update, generated a new SSH host key (see above), disabled all key based logins and removed all public SSH keys currently stored in the Gforge database.

Now you're asked to apply security updates to your machine first, and then generate new SSH keys (using RSA preferably) that you can register in your account with the web form available at:
https://alioth.debian.org/account/editsshkeys.php

In the upcoming days, we'll enhance the script that creates the authorized_keys file so that it refuses known weak keys and at that point, we'll re-enable key-based logins.

Until then, you can continue your work as usual, but you have to use your password when logging on the server. If you lost the password, you can use this form to recover it:
https://alioth.debian.org/account/lostpw.php

We also replaced the SSL certificate used for the webserver (https://alioth.debian.org). The new certificate is signed by the certificate authority "ca.debian.org" run by Debian administrators which is itself signed by the SPI CA so that if you have accepted SPI as certificate authority (see http://lists.debian.org/debian-devel-announce/2008/05/msg00003.html to get the updated SPI CA cert), the browser should accept the Alioth certificate by default.

Thank you for your comprehension.

-- 
Raphaël Hertzog

The French best-seller updated for Debian Etch:
http://www.ouaza.com/livre/admin-debian/
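An added example, not part of the original mail: one way to check a host key line (from the announcement, or from a known_hosts entry) against the announced fingerprint by parsing the SSH public key blob and computing its fingerprint locally. The function names are assumptions chosen for this sketch; the key line and fingerprint are the ones given in the mail.

```python
import base64
import hashlib
import struct

# Fingerprint and key line copied from the announcement.
ANNOUNCED_FP = "99:11:ed:30:03:41:ff:9f:f3:74:bd:7d:e1:8f:04:44"
ANNOUNCED_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxuVlBnTWE9+g5w/uxuk7SmNLEmXPucZz8iE8kE02zaBxPFdlEKJUhUkkf11qkHp9eWVRMro75IRtOJjVLQNmlKjIw+IncqGvj7bvHcAuqYAwNOhuStPnk/W0jwcs52TkNv7MZprRJOrprJGDMSBhovhBNXYYD8kruhQXJRLV9wBWp9p8VrokBbxl/eKXVuvJfyZU20JmKbyLUPdB9vfQQr9o3btwM//A61WL8sFnnu7JfetbFNGmnO+AwIew/QLs/8BOrwk1RwrcuKcs1ULMTgmUK8/QCpM3I9BhLYl/ypxpADiJFSbTRqqzg5xU/UkNQ3NEmXL2G2A2UWLEuUd22Q== root@alioth"


def read_field(blob, offset):
    """Read one length-prefixed field of the SSH wire format (RFC 4251 string)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of key blob")
    return blob[offset + 4:end], end


def inspect_rsa_key(line):
    """Parse 'ssh-rsa <base64> [comment]', with or without a known_hosts host prefix."""
    fields = line.split()
    if "ssh-rsa" not in fields[:-1]:
        raise ValueError("no ssh-rsa key on this line")
    blob = base64.b64decode(fields[fields.index("ssh-rsa") + 1], validate=True)
    key_type, off = read_field(blob, 0)
    exponent, off = read_field(blob, off)
    modulus, off = read_field(blob, off)
    if key_type != b"ssh-rsa" or off != len(blob):
        raise ValueError("blob is not a well-formed ssh-rsa key")
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "bits": int.from_bytes(modulus, "big").bit_length(),
        "exponent": int.from_bytes(exponent, "big"),
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),  # format used in the mail
        "sha256": "SHA256:" + sha256,  # format newer OpenSSH clients display
    }


def matches_announcement(line, announced_fp=ANNOUNCED_FP):
    """True only if the key's MD5 fingerprint equals the announced one."""
    return inspect_rsa_key(line)["md5"] == announced_fp.lower()


if __name__ == "__main__":
    info = inspect_rsa_key(ANNOUNCED_KEY)
    print(info["bits"], info["md5"], info["sha256"])
    print("matches announced fingerprint:", matches_announcement(ANNOUNCED_KEY))
```

To check a stored entry, pass the alioth.debian.org line from `~/.ssh/known_hosts` to `matches_announcement`; hashed host prefixes are fine because only the key fields are read.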