In light of the Debian OpenSSL security issue (http://lists.debian.org/debian-security-announce/2008/msg00152.html) I've regenerated the server keys, even though they weren't affected according to the tools provided by the Debian folks to check if the keys were blacklisted. Better safe than sorry and all that.
The new key fingerprints are:
67:fc:12:1f:e6:23:42:c7:9e:be:8a:2b:40:63:32:c3 (dsa)
49:60:1f:71:90:8b:cc:48:a2:29:f8:a2:3a:1a:53:43 (rsa)
When you try to push you'd see a message like this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)! It is also possible that the RSA host key has just been
changed.
Remove gitorious.org from your ~/.ssh/known_hosts and on the next push check that the fingerprints match the above, and accept if they do.
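The fingerprint check described above, as an added example that is not part of the original post: it computes the legacy colon-separated MD5 fingerprint from a known_hosts or ssh-keyscan style line and compares it with the announced values. The sample key is constructed for the demonstration (it is not the real gitorious.org key, so it is expected not to match), and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Fingerprints announced in the post above (MD5, colon-separated hex).
ANNOUNCED = {
    "ssh-dss": "67:fc:12:1f:e6:23:42:c7:9e:be:8a:2b:40:63:32:c3",
    "ssh-rsa": "49:60:1f:71:90:8b:cc:48:a2:29:f8:a2:3a:1a:53:43",
}

def parse_host_key(line):
    """Return (key_type, blob) from a known_hosts or ssh-keyscan line."""
    fields = line.split()
    if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("expected: hosts keytype base64-blob")
    key_type = fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line was edited or truncated, so refuse to fingerprint it.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match blob")
    return key_type, blob

def md5_fingerprint(blob):
    """Legacy OpenSSH fingerprint: MD5 of the raw key blob, colon-separated."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def matches_announced(line, announced=ANNOUNCED):
    """True only if the key hashes to the fingerprint announced for its type."""
    key_type, blob = parse_host_key(line)
    expected = announced.get(key_type)
    return expected is not None and md5_fingerprint(blob) == expected.lower()

def constructed_line(host="gitorious.org"):
    # Constructed stand-in key (NOT the real host key): type, exponent, modulus.
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + b"\xa5" * 128))
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

SAMPLE = constructed_line()

if __name__ == "__main__":
    print("offered :", md5_fingerprint(parse_host_key(SAMPLE)[1]))
    print("matches announcement:", matches_announced(SAMPLE))
```

Current OpenSSH prints SHA256 fingerprints by default; `ssh-keygen -E md5 -lf <file>` shows the MD5 form used in this thread.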
Ever since this upgrade I cannot do any fetch or push operations on my
public repo.
I started experiencing this last evening, when all of a sudden such
operations started prompting for a password. Even after entering the
correct password, the prompt appeared again and again.
I tried removing and adding my ssh key at gitorious a couple of times,
but that did not help.
This morning I tried again and this time I saw the warning notice you
are mentioning on your post. I then removed the old gitorious.org
fingerprints and added the new ones, which worked. The problem is that
even after doing that, I keep getting a password prompt on the command
line every time I try to fetch or push.
I have deleted and re-added my (RSA) key at gitorious once more, but
this did not seem to change anything.
I'm using SSH, version OpenSSH_4.6p1 Debian-5ubuntu0.4, OpenSSL 0.9.8e
23 Feb 2007
Any help will be appreciated. Thanks.
Regards,
David.
On 14 May, 00:12, "Johan Sørensen" <jo...@johansorensen.com> wrote:
> In light of the Debian OpenSSL security issue
> (http://lists.debian.org/debian-security-announce/2008/msg00152.html)
> I've regenerated the server keys, even though they weren't affected
> according to the tools provided by the Debian folks to check if the
> keys were blacklisted. Better safe than sorry and all that.
> The new key fingerprints are:
> 67:fc:12:1f:e6:23:42:c7:9e:be:8a:2b:40:63:32:c3 (dsa)
> 49:60:1f:71:90:8b:cc:48:a2:29:f8:a2:3a:1a:53:43 (rsa)
> When you try to push you'd see a message like this:
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle
> attack)! It is also possible that the RSA host key has just been
> changed.
> Remove gitorious.org from your ~/.ssh/known_hosts and on the next push
> check that the fingerprints match the above, and accept if they do.
> ever since this upgrade I cannot do any fetch or push operations on my
> public repo.
> I started experiencing this last evening, when all of a sudden such
> operations started prompting for a password. Even after entering the
> correct password, the prompt appeared again and again.
The SSH daemon was upgraded around that time.
> I have deleted and re-added my (RSA) key at gitorious once more, but
> this did not seem to change anything.
> I'm using SSH, version OpenSSH_4.6p1 Debian-5ubuntu0.4, OpenSSL 0.9.8e
> 23 Feb 2007
What's your key fingerprint? There are a couple that have been blacklisted because of the Debian issue. Have you regenerated your keys according to the Debian/Ubuntu security advisory (see http://www.ubuntu.com/usn/usn-612-2)? I strongly encourage any Debian and Ubuntu users to do that.
In the end, after reading http://www.ubuntu.com/usn/usn-612-2 I went
ahead with the "If in doubt, destroy the key and generate a new one."
advice.
So I destroyed my old key, generated a new one and uploaded it to
gitorious.
Now I can work with my repo, although there are a couple of issues:
* 'git push' _always_ prompts for a password (ok, so far)
* 'git fetch' _always_ prompts for a password *twice*
* 'git pull' _always_ prompts for a password *twice*
I do not know whether they are part of the normal behaviour, but in
any case I did not experience them before the openssh upgrade.
Andy Chambers wrote:
> On May 13, 11:12 pm, "Johan Sørensen" <jo...@johansorensen.com> wrote:
> > Everyone,
> > Remove gitorious.org from your ~/.ssh/known_hosts and on the next push
> > check that the fingerprints match the above, and accept if they do.
> I followed the instructions above but am still unable to push.
> I get prompted for git@gitorious's password.
> Any clues as to what I'm doing wrong?
> Cheers,
> Andy
Hi Andy!
I just did a push to a new project and everything was working in my case.
Just in case, check over:
* did you upload your own newly generated public key to gitorious?
* did you delete the old gitorious public key from your machine at
~/.ssh/known_hosts (I deleted the whole file and just got the new public keys
again)