"Jaime E. Villate" <[EMAIL PROTECTED]> writes:

> On Sun, Aug 03, 2003 at 10:43:21PM +0200, Simon Josefsson wrote:
>> If the SSH host key has really changed, I think it would be good to
>> announce it somewhere. Is there a PGP signed announcement channel
>> from the savannah system hackers? I think there should be one.
>>
>> FWIW, the ssh host key appears to have changed from my point of view
>> within the latest 24 hours.
> Yes. I was trying a newer version of ssh and when I downgraded to the original
> version, a new key was generated. Sorry about it. We'll try to post an
> announcement.

I noticed the announcement (thanks), but the key has changed again?!
The key below doesn't match the one in the announcement.

Also, the announcements aren't signed. If someone is able to attack
savannah in a way that modifies RSA host keys, they most likely can add
an unsigned announcement to unprotected HTTP that says the SSH host key
has changed...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA1 host key has just been changed.
The fingerprint for the RSA1 key sent by the remote host is
66:f4:9a:7e:e3:a8:c5:16:d1:88:aa:ef:3e:06:75:30.
Please contact your system administrator.
Add correct host key in /home/jas/.ssh/known_hosts to get rid of this message.
Offending key in /home/jas/.ssh/known_hosts:64
RSA1 host key for subversions.gnu.org has changed and you have requested strict checking.
Host key verification failed.
cvs [update aborted]: end of file from server (consult above messages if any)

_______________________________________________
Savannah-hackers mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/savannah-hackers
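
The comparison behind the warning above, as an added example that is not part of the original message or of any Savannah tooling: it recomputes the MD5 colon-hex fingerprint of a stored protocol 1 known_hosts entry, extracts the fingerprint the server presented, and accepts a change only when it equals a fingerprint obtained over an authenticated channel. Assumptions: the function names are hypothetical, the known_hosts entry and its modulus are constructed, and the RSA1 fingerprint is taken as MD5 over the modulus bytes followed by the exponent bytes, as OpenSSH computes it.

```python
import hashlib
import hmac
import re

# Constructed sample: an SSH protocol 1 known_hosts entry has the form
# "hostnames bits exponent modulus". This modulus is made up, not a real key.
SAMPLE_MODULUS = int.from_bytes(bytes(range(128, 256)), "big")
SAMPLE_ENTRY = f"host.example 1024 35 {SAMPLE_MODULUS}"

# Constructed sample reusing the wording and fingerprint of the warning above.
SAMPLE_WARNING = (
    "The fingerprint for the RSA1 key sent by the remote host is\n"
    "66:f4:9a:7e:e3:a8:c5:16:d1:88:aa:ef:3e:06:75:30.\n"
)

FP_RE = re.compile(r"\b((?:[0-9a-f]{2}:){15}[0-9a-f]{2})\b", re.IGNORECASE)


def _int_bytes(n):
    """Minimal big-endian encoding of a positive integer."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa1_fingerprint(entry):
    """MD5 colon-hex fingerprint of an SSH1 known_hosts entry."""
    _hosts, _bits, exponent, modulus = entry.split()[:4]
    blob = _int_bytes(int(modulus)) + _int_bytes(int(exponent))
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_from_warning(text):
    """Return the fingerprint the server presented, or None if absent."""
    m = FP_RE.search(text)
    return m.group(1).lower() if m else None


def classify(presented, stored, announced=None):
    """announced must come from an authenticated source, e.g. text whose
    PGP signature was verified; an unsigned web page does not qualify."""
    if hmac.compare_digest(presented, stored):
        return "unchanged"
    if announced is not None and hmac.compare_digest(presented, announced.lower()):
        return "changed-and-announced"
    return "changed-unverified"
```

With no authenticated announcement supplied, a changed key is always classified as `changed-unverified`, which is the situation the message describes.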