[Wikitech-l] Gerrit SSH host keys will change on July 14th

Tue, 07 Jul 2020 15:00:21 -0700 

This is a heads-up that we are planning to replace the host keys
for the Gerrit SSH server at gerrit.wikimedia.org:29418.

The change is planned for Tuesday, July 14th in the PDT
morning right after the MediaWiki train, that's around 11:00 UTC.

(https://wikitech.wikimedia.org/wiki/Deployments#Tuesday,_July_14)

The RSA key will be replaced with a longer version and additionally we
will start to offer ecdsa_256, ecdsa_384, ecdsa_521 and ed25519.

The service will not be RSA-only anymore which some users had already
reported as an issue.

After the change on Gerrit, your git / git-review / direct ssh
commands are expected to fail with errors about mismatched or changed
host keys or host identification.

This is expected.
You will need to remove the old, no longer used host key, and verify
the new one.

To remove the old host key, follow the instructions on screen or
consult the manual of your SSH software. Once that is done, retry the
command, and you'll be prompted to verify the new host key.

You can find the new keys for verification in this email below and on
https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/gerrit.wikimedia.org:29418

If they match, confirm, and your command should continue. Once you
have successfully updated the host key you should no longer see any
errors.

If you are running any bots talking to gerrit-ssh please also update
their configuration accordingly and restart where needed.

https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/gerrit.wikimedia.org:29418

ssh_host_rsa_key
2048 SHA256:j9/pXXc9WzjQwYP0t7nlzqH9EBOTw6q7DgcfnamJtsY
gerrit-code-rev...@gerrit1001.wikimedia.org (RSA)

ssh_host_ecdsa_256_key
256 SHA256:58swSiByT+4LVqs30/FqJpEPj+Mwjtn3WJY5hitlEgM
gerrit-code-rev...@gerrit1001.wikimedia.org (ECDSA)

ssh_host_ecdsa_384_key
384 SHA256:vFEVzNGuagPmYiw9EIwBStzd0X+gtprZzOi8vbLxAfc
gerrit-code-rev...@gerrit1001.wikimedia.org (ECDSA)

ssh_host_ecdsa_521_key
521 SHA256:OWb1uenhapK7AFPfEB+NRxgfxhktZ1Q6C5eCy+VbgsY
gerrit-code-rev...@gerrit1001.wikimedia.org (ECDSA)

ssh_host_ed25519_key
256 SHA256:njCmWMsshq3MqQxyIFO36UNwCwzTamXERqylF1XJhd8
gerrit-code-rev...@gerrit1001.wikimedia.org (ED25519)


-- 
Daniel Zahn <dz...@wikimedia.org>
Operations Engineer

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Reply via email to