
Alioth update



Hello,

the SSH host key of alioth.debian.org as given by Phil Hands in the
previous mail was still the old key. The new one has the following fingerprint:
2048 99:11:ed:30:03:41:ff:9f:f3:74:bd:7d:e1:8f:04:44 /etc/ssh/ssh_host_rsa_key.pub

The full public key is:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxuVlBnTWE9+g5w/uxuk7SmNLEmXPucZz8iE8kE02zaBxPFdlEKJUhUkkf11qkHp9eWVRMro75IRtOJjVLQNmlKjIw+IncqGvj7bvHcAuqYAwNOhuStPnk/W0jwcs52TkNv7MZprRJOrprJGDMSBhovhBNXYYD8kruhQXJRLV9wBWp9p8VrokBbxl/eKXVuvJfyZU20JmKbyLUPdB9vfQQr9o3btwM//A61WL8sFnnu7JfetbFNGmnO+AwIew/QLs/8BOrwk1RwrcuKcs1ULMTgmUK8/QCpM3I9BhLYl/ypxpADiJFSbTRqqzg5xU/UkNQ3NEmXL2G2A2UWLEuUd22Q== root@alioth

The same key is also used for the VCS-related hosts: svn.debian.org,
git.debian.org, bzr.debian.org, hg.debian.org, darcs.debian.org,
arch.debian.org.

Let me also give a quick summary of the security measures that we took. Shortly
after the publication of the DSA, we installed the security update, generated a
new SSH host key (see above), disabled all key based logins and removed all
public SSH keys currently stored in the Gforge database. Now you're asked to
apply security updates to your machine first, and then generate new SSH keys
(using RSA preferably) that you can register in your account with the web form
available at:
https://alioth.debian.org/account/editsshkeys.php

In the upcoming days, we'll enhance the script that creates the authorized_keys
file so that it refuses known weak keys and at that point, we'll re-enable
key-based logins. Until then, you can continue your work as usual, but you have
to use your password when logging on to the server. If you have lost your password,
you can use this form to recover it:
https://alioth.debian.org/account/lostpw.php

We also replaced the SSL certificate used for the webserver
(https://alioth.debian.org). The new certificate is signed by the certificate
authority "ca.debian.org", run by Debian administrators, which is itself signed
by the SPI CA, so that if you have accepted SPI as a certificate authority (see
http://lists.debian.org/debian-devel-announce/2008/05/msg00003.html to get the
updated SPI CA cert), the browser should accept the Alioth certificate by default.

Thank you for your comprehension.
-- 
Raphaël Hertzog

The French best-seller, updated for Debian Etch:
http://www.ouaza.com/livre/admin-debian/

Attachment: signature.asc
Description: Digital signature
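The checks a recipient of this mail would want to run, as an added example (this is not code from the mail, from Raphaël Hertzog, or from the Alioth/Gforge scripts): parse the host key pasted above, confirm it is a 2048-bit ssh-rsa key, compute its fingerprint in the colon-separated MD5 form that ssh-keygen printed at the time (and the SHA256 form current ssh-keygen prints) so it can be compared with the fingerprint stated in the mail, build a single known_hosts entry covering all the hosts the mail says share the key, and sketch the weak-key filter the mail announces for the authorized_keys generator. The filter's blacklist is assumed here to be a plain set of full MD5 fingerprints; the real Debian blacklist used its own storage format, and the filter is my sketch of the announced behaviour, not the Alioth script. The host list and key are copied from the mail; nothing else is from the original.

```python
"""Added example (not from the original mail or the Alioth admins): verify the
Alioth host key quoted in the mail and sketch the announced weak-key filter."""
import base64
import hashlib
import struct

# The host key exactly as pasted in the mail (split only for line length).
ALIOTH_HOST_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAQEAxuVlBnTWE9+g5w/uxuk7SmNLEmXPucZz8iE8kE02zaBxPFdlEKJU"
    "hUkkf11qkHp9eWVRMro75IRtOJjVLQNmlKjIw+IncqGvj7bvHcAuqYAwNOhuStPnk/W0jwcs52TkNv7M"
    "ZprRJOrprJGDMSBhovhBNXYYD8kruhQXJRLV9wBWp9p8VrokBbxl/eKXVuvJfyZU20JmKbyLUPdB9vfQ"
    "Qr9o3btwM//A61WL8sFnnu7JfetbFNGmnO+AwIew/QLs/8BOrwk1RwrcuKcs1ULMTgmUK8/QCpM3I9Bh"
    "LYl/ypxpADiJFSbTRqqzg5xU/UkNQ3NEmXL2G2A2UWLEuUd22Q=="
    " root@alioth"
)
# Fingerprint stated in the mail (MD5, colon form, as ssh-keygen -l printed in 2008).
STATED_MD5 = "99:11:ed:30:03:41:ff:9f:f3:74:bd:7d:e1:8f:04:44"
# Hosts the mail says share this key.
HOSTS = ["alioth.debian.org", "svn.debian.org", "git.debian.org", "bzr.debian.org",
         "hg.debian.org", "darcs.debian.org", "arch.debian.org"]


def _read_string(blob, off):
    """Read one RFC 4251 'string' (4-byte big-endian length, then that many bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def decode_pubkey_line(line):
    """Split '<type> <base64> [comment]' and check the blob's embedded type agrees."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    embedded, _ = _read_string(blob, 0)
    if embedded.decode("ascii", "replace") != parts[0]:
        raise ValueError("key type field does not match blob")
    return parts[0], blob, parts[2] if len(parts) == 3 else ""


def rsa_fields(blob):
    """Return (e, modulus_bits) for an ssh-rsa blob: string 'ssh-rsa', mpint e, mpint n."""
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big").bit_length()


def fingerprint_md5(line):
    """MD5 of the raw blob, colon-separated: the format ssh-keygen -l printed in 2008."""
    digest = hashlib.md5(decode_pubkey_line(line)[1]).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(line):
    """SHA256:<unpadded base64>, the format current ssh-keygen -l prints by default."""
    digest = hashlib.sha256(decode_pubkey_line(line)[1]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(line, expected_md5):
    """True if the key's computed MD5 fingerprint equals the one published out of band."""
    return fingerprint_md5(line) == expected_md5.strip().lower()


def known_hosts_line(hosts, line):
    """One known_hosts entry listing every host name that shares this key."""
    ktype, blob64 = line.split(None, 2)[:2]
    return "%s %s %s" % (",".join(hosts), ktype, blob64)


def filter_authorized_keys(lines, weak_fingerprints):
    """Sketch of the announced authorized_keys generator: drop blacklisted keys.
    weak_fingerprints is assumed to be a set of full MD5 colon fingerprints.
    Returns (kept, rejected); blank and comment lines are dropped silently."""
    kept, rejected = [], []
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            fp = fingerprint_md5(entry)
        except ValueError:
            rejected.append(entry)  # unparsable material is not installed either
            continue
        (rejected if fp in weak_fingerprints else kept).append(entry)
    return kept, rejected


if __name__ == "__main__":
    ktype, blob, comment = decode_pubkey_line(ALIOTH_HOST_KEY)
    e, bits = rsa_fields(blob)
    print(ktype, bits, "bits, e =", e, "comment:", comment)
    print("MD5   :", fingerprint_md5(ALIOTH_HOST_KEY),
          "matches mail:", fingerprint_matches(ALIOTH_HOST_KEY, STATED_MD5))
    print("SHA256:", fingerprint_sha256(ALIOTH_HOST_KEY))
    print(known_hosts_line(HOSTS, ALIOTH_HOST_KEY))
```

The exponent 35 the parser reports is the value ssh-keygen of that era used for RSA keys; the modulus length confirms the "2048" in the stated fingerprint line. To reproduce the mail's colon form with a current OpenSSH, run `ssh-keygen -l -E md5 -f key.pub`; without `-E md5` it prints the SHA256 form instead, which is what `fingerprint_sha256` returns.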

