Re: F29 / Rawhide - Bogus ssh host key mismatch errors mentioning "rsa-sha2-256"
On Thu, 2018-09-27 at 11:18 -0400, Robert Moskowitz wrote: > > On 9/25/18 1:27 AM, Adam Williamson wrote: > > Hey folks! Just a heads up, if anyone on F29 or Rawhide finds that > > suddenly ssh connections are failing, claiming the host key does not > > match and asking for a 'rsa-sha2-256' key: a mysterious hero known only > > as 'sedrubal' figured out that this is caused by a crypto-policies > > update, this one - > > > > https://bodhi.fedoraproject.org/updates/FEDORA-2018-854e0caf7b > > > > you can get back to normal by downgrading back to this build: > > > > https://koji.fedoraproject.org/koji/buildinfo?buildID=1133273 > > > > (for both F29 and Rawhide). We've got enough negative karma on the > > update now that it should be removed from updates-testing on the next > > push, but some folks will have got the update already. I'll ask tmraz > > if he can either fix it promptly or revert it temporarily, for Rawhide > > users. > > > > Sorry for the trouble! > > You mean like this I am getting in my ssh started vncserver that I > worked so hard on yesterday? > > # systemctl -l --no-pager status vncserver@:1 > ● vncserver@:1.service - Remote desktop service (VNC) > Loaded: loaded (/etc/systemd/system/vncserver@:1.service; enabled; > vendor preset: disabled) > Active: failed (Result: exit-code) since Fri 2018-06-22 11:12:54 > EDT; 3 months 5 days ago >Process: 682 ExecStart=/bin/sh -c /usr/bin/ssh -i .ssh/id_rsa_vnchack > localhost /usr/bin/vncserver -fg :1 (code=exited, status=255) >Process: 655 ExecStartPre=/bin/sh -c /usr/bin/ssh -i > .ssh/id_rsa_vnchack localhost /usr/bin/vncserver -kill :1 > /dev/null > 2>&1 || : (code=exited, status=0/SUCCESS) > Main PID: 682 (code=exited, status=255) > > Jun 22 11:12:54 localhost sh[682]: It is also possible that a host key > has just been changed. > Jun 22 11:12:54 localhost sh[682]: The fingerprint for the RSA key sent > by the remote host is > Jun 22 11:12:54 localhost sh[682]: > SHA256:bxBBsme1XjvFo5g25XfSRhUMbk7JVl9Bdp8zp7vPTHs. > Jun 22 11:12:54 localhost sh[682]: Please contact your system administrator. > Jun 22 11:12:54 localhost sh[682]: Add correct host key in > /home/rgm/.ssh/known_hosts to get rid of this message. > Jun 22 11:12:54 localhost sh[682]: Offending ECDSA key in > /home/rgm/.ssh/known_hosts:1 > Jun 22 11:12:54 localhost sh[682]: RSA host key for localhost has > changed and you have requested strict checking. > Jun 22 11:12:54 localhost sh[682]: Host key verification failed. > Jun 22 11:12:54 localhost systemd[1]: vncserver@:1.service: Main process > exited, code=exited, status=255/n/a > Jun 22 11:12:54 localhost systemd[1]: vncserver@:1.service: Failed with > result 'exit-code'. Yup, looks like the same problem. > I see I upgraded openssh yesterday evening: > > Upgraded: openssh-7.8p1-1.fc29.armv7hl > > And now I got: openssh-server-7.8p1-3.fc29.armv7hl > > and I could start vncserver via ssh. It would actually be an update to crypto-policies that fixed it, not openssh. > thanks for identifying the problem and getting it fixed so promptly. Thanks, but I can't take the credit: that goes to sedrubal (who first pointed it out in the update) and mcatanzaro (who pinged me about it) :) -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net http://www.happyassassin.net ___ test mailing list -- test@lists.fedoraproject.org To unsubscribe send an email to test-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org
Re: F29 / Rawhide - Bogus ssh host key mismatch errors mentioning "rsa-sha2-256"
On Thu, Sep 27, 2018 at 10:23 AM Adam Williamson wrote: > > Hey folks! Just a heads up, if anyone on F29 or Rawhide finds that > suddenly ssh connections are failing, claiming the host key does not > match and asking for a 'rsa-sha2-256' key: a mysterious hero known only > as 'sedrubal' figured out that this is caused by a crypto-policies > update, this one - > > https://bodhi.fedoraproject.org/updates/FEDORA-2018-854e0caf7b > > you can get back to normal by downgrading back to this build: > > https://koji.fedoraproject.org/koji/buildinfo?buildID=1133273 > > (for both F29 and Rawhide). We've got enough negative karma on the > update now that it should be removed from updates-testing on the next > push, but some folks will have got the update already. I'll ask tmraz > if he can either fix it promptly or revert it temporarily, for Rawhide > users. > Alternately, pull the fixed version from https://bodhi.fedoraproject.org/updates/FEDORA-2018-95580e520c which is headed for stable on the next push. ___ test mailing list -- test@lists.fedoraproject.org To unsubscribe send an email to test-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org
Re: F29 / Rawhide - Bogus ssh host key mismatch errors mentioning "rsa-sha2-256"
On 9/25/18 1:27 AM, Adam Williamson wrote: Hey folks! Just a heads up, if anyone on F29 or Rawhide finds that suddenly ssh connections are failing, claiming the host key does not match and asking for a 'rsa-sha2-256' key: a mysterious hero known only as 'sedrubal' figured out that this is caused by a crypto-policies update, this one - https://bodhi.fedoraproject.org/updates/FEDORA-2018-854e0caf7b you can get back to normal by downgrading back to this build: https://koji.fedoraproject.org/koji/buildinfo?buildID=1133273 (for both F29 and Rawhide). We've got enough negative karma on the update now that it should be removed from updates-testing on the next push, but some folks will have got the update already. I'll ask tmraz if he can either fix it promptly or revert it temporarily, for Rawhide users. Sorry for the trouble! You mean like this I am getting in my ssh started vncserver that I worked so hard on yesterday? # systemctl -l --no-pager status vncserver@:1 ● vncserver@:1.service - Remote desktop service (VNC) Loaded: loaded (/etc/systemd/system/vncserver@:1.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Fri 2018-06-22 11:12:54 EDT; 3 months 5 days ago Process: 682 ExecStart=/bin/sh -c /usr/bin/ssh -i .ssh/id_rsa_vnchack localhost /usr/bin/vncserver -fg :1 (code=exited, status=255) Process: 655 ExecStartPre=/bin/sh -c /usr/bin/ssh -i .ssh/id_rsa_vnchack localhost /usr/bin/vncserver -kill :1 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS) Main PID: 682 (code=exited, status=255) Jun 22 11:12:54 localhost sh[682]: It is also possible that a host key has just been changed. Jun 22 11:12:54 localhost sh[682]: The fingerprint for the RSA key sent by the remote host is Jun 22 11:12:54 localhost sh[682]: SHA256:bxBBsme1XjvFo5g25XfSRhUMbk7JVl9Bdp8zp7vPTHs. Jun 22 11:12:54 localhost sh[682]: Please contact your system administrator. Jun 22 11:12:54 localhost sh[682]: Add correct host key in /home/rgm/.ssh/known_hosts to get rid of this message. Jun 22 11:12:54 localhost sh[682]: Offending ECDSA key in /home/rgm/.ssh/known_hosts:1 Jun 22 11:12:54 localhost sh[682]: RSA host key for localhost has changed and you have requested strict checking. Jun 22 11:12:54 localhost sh[682]: Host key verification failed. Jun 22 11:12:54 localhost systemd[1]: vncserver@:1.service: Main process exited, code=exited, status=255/n/a Jun 22 11:12:54 localhost systemd[1]: vncserver@:1.service: Failed with result 'exit-code'. I see I upgraded openssh yesterday evening: Upgraded: openssh-7.8p1-1.fc29.armv7hl And now I got: openssh-server-7.8p1-3.fc29.armv7hl and I could start vncserver via ssh. thanks for identifying the problem and getting it fixed so promptly. ___ test mailing list -- test@lists.fedoraproject.org To unsubscribe send an email to test-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org
Re: F29 / Rawhide - Bogus ssh host key mismatch errors mentioning "rsa-sha2-256"
On Thu, Sep 27, 2018 at 9:22 AM Adam Williamson wrote: > Hey folks! Just a heads up, if anyone on F29 or Rawhide finds that > suddenly ssh connections are failing, claiming the host key does not > match and asking for a 'rsa-sha2-256' key: a mysterious hero known only > as 'sedrubal' figured out that this is caused by a crypto-policies > update, this one - > > https://bodhi.fedoraproject.org/updates/FEDORA-2018-854e0caf7b > > you can get back to normal by downgrading back to this build: > > https://koji.fedoraproject.org/koji/buildinfo?buildID=1133273 > > (for both F29 and Rawhide). We've got enough negative karma on the > update now that it should be removed from updates-testing on the next > push, but some folks will have got the update already. I'll ask tmraz > if he can either fix it promptly or revert it temporarily, for Rawhide > users. > This may not be limited to F29... I noticed this on F28 several weeks ago and had to go in and remove entries from known_hosts... Thanks, Richard ___ test mailing list -- test@lists.fedoraproject.org To unsubscribe send an email to test-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org