Re: [lmi] Conflicting ssh keys [Was: Using git to manage CVS webpages repository]
From: Vadim Zeitlin
Subject: Re: [lmi] Conflicting ssh keys [Was: Using git to manage CVS webpages repository]
Date: Thu, 18 Jan 2018 00:19:17 +0100
On Wed, 17 Jan 2018 22:40:22 +0000 Greg Chicares <address@hidden> wrote:
GC> Vadim--Happy New Year.
Thanks and to you too -- both the global and the per-user one!
GC> How would you suggest dealing with the problem
GC> that I seem to have gotten myself into below?
I'm not 100% sure. I hoped for something simple, like a Git question. Or
something not that simple, but still not too difficult, like CVS+Git one.
But ssh key management is the next level of complexity, so I'll just do my
best...
GC> On 2018-01-08 17:52, Greg Chicares wrote:
GC> [...]
GC> > (0) Update ECDSA host key
GC> >
GC> > This key has apparently changed since I used it last. Accepting the
GC> > new key, after verifying its fingerprint, allowed me to continue,
GC> > although this warning appeared each time:
GC> >
GC> > Warning: the ECDSA host key for 'cvs.sv.gnu.org' differs from the key for the IP address '208.118.235.201'
GC> > Offending key for IP in /home/greg/.ssh/known_hosts:6
GC> > Matching host key in /home/greg/.ssh/known_hosts:7
GC> >
GC> > ..so I obliterated all keys for that host...
GC> >
GC> > ssh-keygen -f "/home/greg/.ssh/known_hosts" -R 208.118.235.201
GC> >
GC> > ..and re-accepted the new (fingerprint-verified) key.
GC>
GC> Now, for the first time since then, I try using git, but...
GC>
GC> /opt/lmi/src/lmi[0]$git status
GC> On branch master
GC> Your branch is ahead of 'origin/master' by 2 commits.
GC> (use "git push" to publish your local commits)
GC> nothing to commit, working tree clean
GC> /opt/lmi/src/lmi[0]$git push
GC> Warning: the RSA host key for 'git.sv.gnu.org' differs from the key for the IP address '208.118.235.201'
GC> Offending key for IP in /home/greg/.ssh/known_hosts:7
GC> Matching host key in /home/greg/.ssh/known_hosts:1
GC> Are you sure you want to continue connecting (yes/no)? n
GC> Please type 'yes' or 'no': no
My first problem is that I just can't reproduce this at all. Maybe it's
due to a specific format of my ~/.ssh/known_hosts key which I (sometimes)
edit manually to make it more compact and share it more easily between
different machines (which I do using Git, of course, BTW). For me it looks
like this:
% fgrep sv.gnu.org ~/.ssh/known_hosts
git.sv.gnu.org,svn.savannah.nongnu.org,savannah.nongnu.org,cvs.sv.gnu.org,svn.sv.gnu.org,208.118.235.201 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzFQovi+67xa+wymRz9u3plx0ntQnELBoNU4SCl3RkwSFZkrZsRTC0fTpOKatQNs1r/BLFoVt21oVFwIXVevGQwB+Lf0Z+5w9qwVAQNu/YUAFHBPTqBze4wYK/gSWqQOLoj7rOhZk0xtAS6USqcfKdzMdRWgeuZ550P6gSzEHfv0=
And connecting to both {git,cvs}.sv.gnu.org using either OpenSSL 6.7 (from
Jessie) or 7.6 (from Sid) works just fine, without any warnings. Just to be
clear, by "just fine" I mean that I can do "ssh -v" to either of these
hosts and see the login screen followed by an error about not being allowed
shell access to the server, but this still means that there are no problems
with key verification anywhere.
So maybe you could just copy the line above to your ~/.ssh/known_hosts
(verifying that the keys match, of course), delete all the other entries
for these hosts and this would solve the problem? Of course, you'd still be
using RSA key and not ECDSA one.
But my second problem is that even if I comment out the line above and try
to connect, I do get a prompt about ECDSA key and after accepting it,
things still work perfectly fine for me. And if I uncomment the RSA line
they still stubbornly continue to work. So you could also copy these 2
lines:
% fgrep sv.gnu.org ~/.ssh/known_hosts
git.sv.gnu.org,svn.savannah.nongnu.org,savannah.nongnu.org,cvs.sv.gnu.org,svn.sv.gnu.org,208.118.235.201 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzFQovi+67xa+wymRz9u3plx0ntQnELBoNU4SCl3RkwSFZkrZsRTC0fTpOKatQNs1r/BLFoVt21oVFwIXVevGQwB+Lf0Z+5w9qwVAQNu/YUAFHBPTqBze4wYK/gSWqQOLoj7rOhZk0xtAS6USqcfKdzMdRWgeuZ550P6gSzEHfv0=
git.sv.gnu.org,svn.savannah.nongnu.org,savannah.nongnu.org,cvs.sv.gnu.org,svn.sv.gnu.org,208.118.235.201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP9c1Z2f4OHxymvLxqxQ/hY1g0ol0/iiXUrVFGZBBq4h5gD05c7Gw9rRrcrvF9XvumBvOghOQzDSZZLRWvFGocA=
and, provided there are no other mentions of either sv.gnu.org or
208.118.235.201 in your known_hosts file, I don't understand at all
why things don't work for you.
GC> I've read through this thread:
GC> https://savannah.gnu.org/support/?109343
GC> which is perhaps more readable via the mailing list:
GC> http://lists.gnu.org/archive/html/savannah-hackers/2017-06/msg00058.html
GC> The diagnostics I've copied above seem to me to suggest that gnu.org's
GC> distinct VCS and web servers have incompatible ssh-key requirements.
But they're not distinct: this is one and the same machine, so the only
explanation I see for being able to connect to it under one name and not
the other is having wrong/outdated entries in ~/.ssh/known_hosts -- yet
you don't have any.
GC> /opt/lmi/proprietary[0]$ssh -V
GC> OpenSSH_7.4p1 Debian-10+deb9u2, OpenSSL 1.0.2l 25 May 2017
So my only remaining hypothesis is that there is a bug in this OpenSSH
version which results in a bogus warning when a host has both RSA and ECDSA
key and that this bug was fixed in 7.6 that I'm testing with. If this is
indeed the case, you can either try updating to 7.6 from testing or
removing the RSA key because OpenSSH certainly shouldn't complain about
mismatching keys if there is only one of them.
GC> My seventh (offending) and first (matching) keys...
GC> Offending key for IP in /home/greg/.ssh/known_hosts:7
GC> Matching host key in /home/greg/.ssh/known_hosts:1
GC> ...are as follows:
GC>
GC> /opt/lmi/proprietary[0]$< ~/.ssh/known_hosts sed -e'1p;7p;d'
GC> |1|Wb/XWd1XH0zvkvxfCwMdunp/DcM=|guoNL7zTcsZuopnegcVCGEIM5dw= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzFQovi+67xa+wymRz9u3plx0ntQnELBoNU4SCl3RkwSFZkrZsRTC0fTpOKatQNs1r/BLFoVt21oVFwIXVevGQwB+Lf0Z+5w9qwVAQNu/YUAFHBPTqBze4wYK/gSWqQOLoj7rOhZk0xtAS6USqcfKdzMdRWgeuZ550P6gSzEHfv0=
GC> |1|bjVfA6AbW2nQtju/9MSyELNcZWk=|w0+3OcPbZZx2+ntYxUVIY5xd/f4= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP9c1Z2f4OHxymvLxqxQ/hY1g0ol0/iiXUrVFGZBBq4h5gD05c7Gw9rRrcrvF9XvumBvOghOQzDSZZLRWvFGocA=
So can you try simply removing the first line?
BTW, I hate this host obfuscation so much that I have "HashKnownHosts no"
in my ~/.ssh/config and the readability of the lines above does nothing to
change my mind.
GC> I suppose I could just live with that, but I'd really like to know
GC> how to fix the cause of the problem if possible.
I can more or less guarantee you that things work fine with OpenSSH 7.6
and I'm almost sure that they should work with your version if you remove
the RSA key from the file. But, as always, I could be wrong -- please let
me know if I am and this doesn't work.
Good luck,
VZ
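Editor's added example (not part of the thread, and not OpenSSH code): a small Python model of the known_hosts lookup that ssh performs with CheckHostIP, used to show how a file like Greg's can produce "differs from the key for the IP address" even though no key actually changed. It parses both plain and hashed (HashKnownHosts) entries, recomputing the |1|salt|HMAC-SHA1 form to match hashed names, and then runs the host-name check and the IP check separately, the way the client does. The `same_type_only=False` branch models the behaviour the thread describes, in which an IP entry holding a key of a different type (ECDSA) counts as a "changed" key while verifying the RSA key; that this is exactly what OpenSSH 7.4 does is an assumption here, and the key blobs, salts and line layout are constructed, not copied from anyone's file. Wildcards, `@cert-authority` and `@revoked` markers are out of scope.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Entry:
    lineno: int
    patterns: list   # first field of the line, split on ','
    keytype: str     # e.g. "ssh-rsa", "ecdsa-sha2-nistp256"
    keyblob: str     # base64 key, compared as an opaque string here


def hash_host(name, salt):
    """HashKnownHosts form of a name: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def pattern_matches(pattern, name):
    """Hashed patterns are matched by recomputing the HMAC with the stored salt;
    plain patterns must be equal (ssh's '*', '?' and '!' forms are not handled)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _ = pattern.split("|", 3)
        computed = hash_host(name, base64.b64decode(salt_b64))
        return hmac.compare_digest(computed, pattern)
    return pattern == name


def parse_known_hosts(text):
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):   # marker lines: treated as plain entries here
            fields = fields[1:]
        if len(fields) >= 3:
            entries.append(Entry(lineno, fields[0].split(","), fields[1], fields[2]))
    return entries


def lookup(entries, name):
    return [e for e in entries if any(pattern_matches(p, name) for p in e.patterns)]


def key_status(candidates, keytype, keyblob, same_type_only):
    """FOUND: offered key present. CHANGED: an entry for the name holds a different
    key. NEW: no usable entry. With same_type_only=False a key of another type also
    counts as "different", which is the assumed source of the bogus warning."""
    status, found = "NEW", None
    for e in candidates:
        if e.keytype == keytype and e.keyblob == keyblob:
            return "FOUND", e
        if same_type_only and e.keytype != keytype:
            continue
        status, found = "CHANGED", e
    return status, found


def check_host_ip(entries, hostname, ip, keytype, keyblob, same_type_only=True):
    """Mirror of the client's two lookups; the warning fires when the host name
    verifies but the IP address has a conflicting entry."""
    host_status, host_found = key_status(lookup(entries, hostname), keytype, keyblob, same_type_only)
    ip_status, ip_found = key_status(lookup(entries, ip), keytype, keyblob, same_type_only)
    warning = host_status != "CHANGED" and ip_status == "CHANGED"
    return {"host": host_status, "ip": ip_status, "warning": warning,
            "matching_line": host_found.lineno if host_found else None,
            "offending_line": ip_found.lineno if warning else None}


# Constructed sample shaped like the file in the thread: fake key blobs, fixed salts.
HOST, IP = "git.sv.gnu.org", "208.118.235.201"
RSA_BLOB = "AAAAB3NzaC1yc2E-constructed-rsa-key"
ECDSA_BLOB = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY-constructed-ecdsa-key"
HASHED_FILE = "\n".join([
    "%s ssh-rsa %s" % (hash_host(HOST, bytes(range(20))), RSA_BLOB),         # hashed host name, RSA
    "%s ecdsa-sha2-nistp256 %s" % (hash_host(IP, bytes(range(20, 40))), ECDSA_BLOB),  # hashed IP, ECDSA
])
CONSOLIDATED_FILE = "\n".join([   # the unhashed, one-line-per-key-type layout suggested above
    "%s,%s ssh-rsa %s" % (HOST, IP, RSA_BLOB),
    "%s,%s ecdsa-sha2-nistp256 %s" % (HOST, IP, ECDSA_BLOB),
])


def demo():
    hashed = parse_known_hosts(HASHED_FILE)
    old = check_host_ip(hashed, HOST, IP, "ssh-rsa", RSA_BLOB, same_type_only=False)
    new = check_host_ip(hashed, HOST, IP, "ssh-rsa", RSA_BLOB, same_type_only=True)
    fixed = check_host_ip(parse_known_hosts(CONSOLIDATED_FILE), HOST, IP, "ssh-rsa", RSA_BLOB,
                          same_type_only=False)
    return old, new, fixed


if __name__ == "__main__":
    for label, result in zip(("type-insensitive", "type-sensitive", "consolidated file"), demo()):
        print("%-18s host=%s ip=%s warning=%s" % (label, result["host"], result["ip"], result["warning"]))
```

With the type-insensitive comparison the RSA key verifies via the hashed host-name line, the hashed IP line holds only an ECDSA key and is reported as the "offending" IP entry, which is the shape of the diagnostic quoted earlier in the thread. With the type-sensitive comparison the IP simply has no RSA entry, so ssh would add one silently rather than warn, and with a consolidated file listing every name and the IP on one line per key type both lookups succeed regardless of which comparison the client uses.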