
Fwd: Upcoming SSH Host Key Rotation for hg.mozilla.org


Axel Hecht
Mar 31, 2016, 6:08:34 PM

FYI.



-------- Forwarded Message --------
Subject: Upcoming SSH Host Key Rotation for hg.mozilla.org
Date: Thu, 31 Mar 2016 14:39:15 -0700
From: Gregory Szorc <gsz...@mozilla.com>
To: dev-versi...@lists.mozilla.org, dev-platform <dev-pl...@lists.mozilla.org>, Firefox Dev <firef...@mozilla.org>, release-e...@lists.mozilla.org


This message serves as a notice that the *SSH host keys* for
hg.mozilla.org will be rotated in the next ~24 hours.

When connecting to hg.mozilla.org over SSH, your SSH client should warn
that host keys have changed and refuse to connect until
accepting/trusting the new host key. After 1st host key verification
failure:

1) `ssh-keygen -R hg.mozilla.org` to remove the old host key
2) `ssh hg.mozilla.org` and verify the fingerprint of the new key
matches one of the following:

256 SHA256:7MBAdqLe8+aSYkv+5/2LUUxd+WdgYcVSV+ZQVEKA7jA hg.mozilla.org (ED25519)
256 SHA1:Ft++OU96cvaREKNFCJ6AiuCpGac hg.mozilla.org (ED25519)
256 MD5:96:eb:3b:78:f5:ca:19:e2:0c:a0:95:ea:04:28:7d:26 hg.mozilla.org (ED25519)

4096 SHA256:RX2OK8A1KNWdxyu6ibIPeEGLBzc5vyQW/wd7RKjBehc hg.mozilla.org (RSA)
4096 SHA1:p2MGe4wSw8ZnQ5J9ShBk/6VA+Co hg.mozilla.org (RSA)
4096 MD5:1c:f9:cf:76:de:b8:46:d6:5a:a3:00:8d:3b:0c:53:77 hg.mozilla.org (RSA)

Q: What host key types were changed? We dropped the DSA host key and
added an ED25519 host key. The length of the RSA key has been increased
from 2048 to 4096 bits.

Q: Does this impact connections to https://hg.mozilla.org/? No. The x509
certificate to the https:// endpoint is remaining unchanged at this time.

Q: Why is this being done? We are modernizing the server infrastructure
of hg.mozilla.org. As part of this, we're bringing the hosts in
compliance with Mozilla's SSH security guidelines
(https://wiki.mozilla.org/Security/Guidelines/OpenSSH).

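The procedure in the notice (remove the old entry, reconnect, compare the fingerprint shown against the published list) can be automated so that the new key is pinned against the announced fingerprints rather than accepted at the first-connection prompt. The following is an added example, not code from the announcement or from Mozilla: it takes one line of `ssh-keyscan`/`known_hosts` output, computes the OpenSSH-style SHA256 and MD5 fingerprints, checks that the key type declared on the line matches the type encoded inside the key blob, and compares the SHA256 fingerprint with the value published above for that key type. The published fingerprints are the ones from the notice; the sample key used at the bottom is a constructed all-zero placeholder, not a real hg.mozilla.org key.

```python
"""Host-key pinning check for an SSH host-key rotation (added example).

Real input would come from `ssh-keyscan -t ed25519,rsa hg.mozilla.org`;
the fingerprints computed here match what `ssh-keygen -lf` (and
`ssh-keygen -l -E md5 -f`) print for the same key.
"""
import base64
import hashlib
import struct

# SHA256 fingerprints published in the rotation notice for hg.mozilla.org.
HG_MOZILLA_ORG_FINGERPRINTS = {
    "ssh-ed25519": "SHA256:7MBAdqLe8+aSYkv+5/2LUUxd+WdgYcVSV+ZQVEKA7jA",
    "ssh-rsa": "SHA256:RX2OK8A1KNWdxyu6ibIPeEGLBzc5vyQW/wd7RKjBehc",
}


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: unpadded base64 of the blob's SHA-256."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH MD5 fingerprint: colon-separated hex of the blob's MD5."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def embedded_key_type(blob: bytes) -> str:
    """Key type recorded inside the wire-format blob (uint32 length + name)."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated key blob")
    return name.decode("ascii")


def parse_known_hosts_line(line: str):
    """Return (hostnames, declared key type, raw key blob) for one line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected '<hosts> <type> <base64>'")
    hosts, declared_type, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    # The type in the text column must agree with the type inside the blob;
    # a mismatch means the line is malformed or was edited by hand.
    if embedded_key_type(blob) != declared_type:
        raise ValueError("declared key type does not match key blob")
    return hosts.split(","), declared_type, blob


def check_host_key(line: str, expected: dict) -> dict:
    """Compare one scanned key with the published fingerprint for its type."""
    hosts, key_type, blob = parse_known_hosts_line(line)
    sha256_fp = fingerprint_sha256(blob)
    return {
        "hosts": hosts,
        "type": key_type,
        "sha256": sha256_fp,
        "md5": fingerprint_md5(blob),
        "pinned": sha256_fp == expected.get(key_type),
    }


def make_ed25519_line(host: str, raw_key: bytes) -> str:
    """Build a known_hosts line from raw ed25519 key bytes (constructed input)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", len(raw_key)) + raw_key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    # Constructed sample: an all-zero "key" standing in for ssh-keyscan output.
    sample = make_ed25519_line("hg.mozilla.org", bytes(32))
    result = check_host_key(sample, HG_MOZILLA_ORG_FINGERPRINTS)
    print(result["type"], result["sha256"], result["md5"],
          "pinned" if result["pinned"] else "MISMATCH: do not accept this key")
```

A practitioner would feed the real `ssh-keyscan` lines through `check_host_key` and only append them to `~/.ssh/known_hosts` when `pinned` is true for every key type; the MD5 form is there only because older clients (such as the PuTTY tooling discussed later in this thread) still display it.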

Axel Hecht
Apr 4, 2016, 11:48:15 AM

This happened.

Axel



-------- Forwarded Message --------
Subject: Re: Upcoming SSH Host Key Rotation for hg.mozilla.org
Date: Mon, 4 Apr 2016 08:36:54 -0700
From: Gregory Szorc <g...@mozilla.com>
To: Gregory Szorc <gsz...@mozilla.com>, dev-versi...@lists.mozilla.org, dev-platform <dev-pl...@lists.mozilla.org>, Firefox Dev <firef...@mozilla.org>, release-e...@lists.mozilla.org


This change was just made (we delayed because we didn't want to take
extra risks on a Friday afternoon).

A GPG signed document detailing the current keys is available at
https://hg.mozilla.org/hgcustom/version-control-tools/raw-file/tip/docs/vcs-server-info.asc


Axel Hecht
Apr 4, 2016, 11:54:15 AM
Also, gps wrote:

> We also changed the SSH server config to only support the "modern" set of
> ciphers, MACs, algorithms, etc from
> https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern. If you are
> running an old SSH client, it may not be able to connect.
>
> If you encounter problems connecting, complain in #vcs with a link to
> pastebinned `ssh -v` output so we can see what your client supports so we
> may consider adding legacy support on the server as a stop-gap. But
> upgrading your SSH client to something that supports modern crypto is
> highly preferred. More and more Mozilla systems will be adopting these
> "modern" SSH server settings. So you'll have to upgrade sometime.

Kendall Libby
Apr 4, 2016, 4:15:55 PM
to Gregory Szorc, dev-...@lists.mozilla.org, dev-platform, dev-version-control, Firefox Dev, release-e...@lists.mozilla.org
As part of this, SSH DSA keys were no longer being accepted by the server.
However, there is no easy way for most non-MoCo contributors to change
their SSH keys, whereas MoCo users and community members with LDAP
accounts can (and should!) use login.mozilla.com to update their keys. So a
bunch of folks have been locked out with little recourse.

I've re-enabled the use of DSA keys on hg.mozilla.org, and we will follow
up in the next day or two with a plan for final retirement of DSA key
access. We're hoping to enable the DSA key blocking again in a week or two,
so if you can self-serve please do so.

K.


Fjoerfoks
Apr 6, 2016, 5:53:47 PM
to dev-l10n
Hi all,

Can someone point out how to handle this on a Windows 8.1 platform?
Right now when I try to sync a local repository, I get the error "Server
unexpectedly closed network connection", which probably has to do with this.
I have Cygwin and PuTTY installed, but don't know where to start.

Thanks in advance,
Wim

Michal Stanke
Apr 7, 2016, 3:04:56 AM
to Fjoerfoks, dev-l10n
Hi Wim.

Do you get the same error on both PuTTY and Cygwin? I think together with
this change DSA keys have also been deprecated. Do you have a DSA or RSA key?

--
Michal Stanke


Fjoerfoks
Apr 7, 2016, 3:12:35 AM
to Michal Stanke, dev-l10n
Hi Michal,

I haven't used it with PuTTY or Cygwin. I received the error in TortoiseHG.
For the authentication key I have Pageant running in the background.
I think I have an RSA key.

I am looking for a step by step instruction on how to get the new key
activated in Windows 8.1.

Wim


Michal Stanke
Apr 7, 2016, 3:29:28 AM
to Fjoerfoks, dev-l10n
TortoiseHG uses Pageant, which should be part of the whole PuTTY package.
You should look at where PuTTY stores known_hosts; maybe
http://superuser.com/questions/197489/where-does-putty-store-known-hosts-information-on-windows
will help.

--
Michal Stanke

Axel Hecht
Apr 7, 2016, 3:47:30 AM

thg apparently uses an OLD version of plink/putty, and is in dire need
to update that in a new release.
https://bitbucket.org/tortoisehg/thg/issues/4476/tortoiseplink-needs-to-be-updated-to-v067
is one of the upstream tickets.

Workaround for now, I guess: Update your mozillabuild (they also needed
an update, IIRC), and use the command line hg that comes with it.

Axel

Fjoerfoks
Apr 7, 2016, 4:04:36 AM
to Axel Hecht, dev-l10n
Ah Axel, that seems right, I will try it tomorrow.

Thanks,
Wim

Vanja Tumbas
Apr 14, 2016, 10:21:52 AM
to Fjoerfoks, Axel Hecht, dev-l10n
Hey folks

This mail is for localizers that have Windows and use TortoiseHG and
Pageant to push their localizations to hg repos.

After hitting my head against a wall for hours I finally managed to resolve
the "Server unexpectedly closed network connection" error.

*Warning: These steps worked for me; I am not held responsible if something
goes wrong in your case.*
*Steps that I did:*
- Update to newest version of TortoiseHG (not sure if this one is needed
but do it just in case)
- Download the newest version of PuTTYgen and run it
- For type of key choose RSA and change the bit value to 4096. After that
press Generate.
- Generated string of characters is your public key and you need to
copy/paste it to your ldap <http://login.mozilla.com> account. (SSH keys
section / upload button)
- In PuTTYgen press the "Save public key" and "Save private key" buttons to
save your keys
- Open Pageant and import your private key that you just created
- Open TortoiseHg Workbench
- Open File / Settings and make sure that global settings tab is selected
- Press "Edit File" button and add the following line to [ui] section right
under your username: *ssh = "TortoisePlink.exe" -ssh -2 -batch -C*
- After this try to clone or pull and you will get a big security warning.
Don't get scared, it's OK. Basically it's telling you that the host has changed
and you just need to verify that the fingerprint matches the new one (check
the original post).
- If everything checks out, just confirm that it's OK by pressing the yes button
and you should be able to continue doing your amazing work.

Cheers! :)


Fjoerfoks
Apr 14, 2016, 1:30:37 PM
to Vanja Tumbas, Axel Hecht, dev-l10n
This was still on my list to mention to this group.
My process eventually was much quicker.
I started PuTTY, typed in hg.mozilla.org and hit "Open", after which you
receive the warning that host keys have changed and it refuses to connect
until you accept/trust the new host key.
After accepting I was able to push and pull again with TortoiseHG. I did
change the Plink within TortoiseHG.

Hope it helps others, especially with the late changes.

Wim