Re: [python-committers] SSH fingerprint
Well if a MITM attacker tries to use your ssh access to do anything nasty, another developer will probably notice quite quickly. (the only "nasty thing" the ssh access allows you to do is "hg push", IIRC; still, that can trigger code execution on the buildbots) Sure, but it would be better to actually have the fingerprints to avoid the MITM attack altogether. Can someone log into hg.python.org and get the public keys for the server? ___ python-committers mailing list [email protected] http://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] SSH fingerprint
On 3/26/2013 8:39 AM, Roger Serwy wrote: > >> Well if a MITM attacker tries to use your ssh access to do anything >> nasty, >> another developer will probably notice quite quickly. >> (the only "nasty thing" the ssh access allows you to do is "hg push", >> IIRC; still, that can trigger code execution on the buildbots) >> >> > Sure, but it would be better to actually have the fingerprints to avoid > the MITM attack altogether. I completely agree. "We'll notice the damage" is not a great reason to avoid publishing the fingerprints. > Can someone log into hg.python.org and get the public keys for the server? Not me. But from my hosts, I get: RSA key fingerprint is ec:98:fe:7b:e1:0f:88:c5:93:37:83:64:a4:cc:aa:01. -- Eric. ___ python-committers mailing list [email protected] http://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] SSH fingerprint
>> Can someone log into hg.python.org and get the public keys for the >> server? > > Not me. But from my hosts, I get: > RSA key fingerprint is ec:98:fe:7b:e1:0f:88:c5:93:37:83:64:a4:cc:aa:01. Well I'm not sure how logging in would be an improvement, since the person logging in could also be the victim of a MITM attack ;) Also, what is the command to use on the server to get the public key fingerprint? Regards Antoine. ___ python-committers mailing list [email protected] http://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] SSH fingerprint
Also, what is the command to use on the server to get the public key fingerprint? Run "ssh-keygen -lf /path/to/public/key.pub" for the RSA, DSA, and ECDSA keys. ___ python-committers mailing list [email protected] http://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] SSH fingerprint
Le mardi 26 mars 2013 à 09:03 -0500, Roger Serwy a écrit : > > > > Also, what is the command to use on the server to get the public key > > fingerprint? > > > > > Run "ssh-keygen -lf /path/to/public/key.pub" for the RSA, DSA, and ECDSA > keys. $ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key 256 63:75:9b:14:b7:b2:dc:e7:cd:42:d7:19:48:6a:68:8e root@gimager (ECDSA) $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key 1024 ec:98:fe:7b:e1:0f:88:c5:93:37:83:64:a4:cc:aa:01 root@boomslang (RSA) $ ssh-keygen -lf /etc/ssh/ssh_host_dsa_key 1024 d8:88:d2:5e:5f:1c:a3:f5:5f:ae:0e:d2:ec:f0:c8:a3 root@boomslang (DSA) Regards Antoine. ___ python-committers mailing list [email protected] http://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] SSH fingerprint
Am 26.03.13 13:56, schrieb Eric V. Smith: > I completely agree. "We'll notice the damage" is not a great reason to > avoid publishing the fingerprints. IMO, the proper way is to publish SSHFP records in DNS. Unfortunately, DynECT currently does not support RFC 6594. Regards, Martin ___ python-committers mailing list [email protected] http://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] SSH fingerprint
Le mardi 26 mars 2013 à 21:42 +0100, "Martin v. Löwis" a écrit : > Am 26.03.13 14:57, schrieb Antoine Pitrou: > > Well I'm not sure how logging in would be an improvement, since the person > > logging in could also be the victim of a MITM attack ;) > > In addition, the email you sent might be subject to MITM, either when > you were submitting it, or when it was transmitted from python.org to > Roger's SMTP server. So you really need to PGP sign it :-) That's assuming someone actually validated my PGP fingerprint through a secure channel, which probably hasn't happened in recent times! Regards Antoine. ___ python-committers mailing list [email protected] http://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] SSH fingerprint
Am 26.03.13 14:57, schrieb Antoine Pitrou: > Well I'm not sure how logging in would be an improvement, since the person > logging in could also be the victim of a MITM attack ;) In addition, the email you sent might be subject to MITM, either when you were submitting it, or when it was transmitted from python.org to Roger's SMTP server. So you really need to PGP sign it :-) Regards, Martin ___ python-committers mailing list [email protected] http://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] SSH fingerprint
On 26/03/2013 20:40, Antoine Pitrou wrote: Le mardi 26 mars 2013 à 21:42 +0100, "Martin v. Löwis" a écrit : Am 26.03.13 14:57, schrieb Antoine Pitrou: Well I'm not sure how logging in would be an improvement, since the person logging in could also be the victim of a MITM attack ;) In addition, the email you sent might be subject to MITM, either when you were submitting it, or when it was transmitted from python.org to Roger's SMTP server. So you really need to PGP sign it :-) That's assuming someone actually validated my PGP fingerprint through a secure channel, which probably hasn't happened in recent times! Obligatory xkcd reference: http://xkcd.com/1181/ TJG ___ python-committers mailing list [email protected] http://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] SSH fingerprint
Am 25.03.13 17:34, schrieb Antoine Pitrou: > >>> We have new contributors (who don't have a pre-existing key) use RSA: >>> http://docs.python.org/devguide/faq.html#id1 . >> >> I was trying to avoid a man-in-the-middle attack by verifying the >> server's key fingerprint. Those server fingerprints should be documented. > > Well if a MITM attacker tries to use your ssh access to do anything nasty, > another developer will probably notice quite quickly. > (the only "nasty thing" the ssh access allows you to do is "hg push", > IIRC; still, that can trigger code execution on the buildbots) I thought the same first, but for the sufficiently-paranoid there actually is a threat in spoofing hg.python.org: - if you are not talking to the right server, hg pull might bring a trojan horse on your system, which you might then run into when trying to build Python. OTOH, there is actually *no* threat at all for men-in-the-*middle*. Anybody spoofing hg.python.org could not simultaneously connect successfully to the actual hg.python.org, since they don't have any authorized key, and since they cannot trick the actual client in providing the proper token that the server would verify, see e.g. http://utcc.utoronto.ca/~cks/space/blog/tech/SshAndMitM Regards, Martin ___ python-committers mailing list [email protected] http://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] SSH fingerprint
In addition, the email you sent might be subject to MITM, either when you were submitting it, or when it was transmitted from python.org to Roger's SMTP server. So you really need to PGP sign it :-) And hope that I have Antoine's correct public PGP key... And down the rabbit hole we go. Thank you everyone for helping. - Roger ___ python-committers mailing list [email protected] http://mail.python.org/mailman/listinfo/python-committers
