gitorious.org key changes

23 views
Skip to first unread message

Johan Sørensen

unread,
May 13, 2008, 6:12:35 PM5/13/08
to gito...@googlegroups.com
Everyone,

In light of the Debian OpenSSL security issue
(http://lists.debian.org/debian-security-announce/2008/msg00152.html)
I've regenerated the server keys, even though they weren't affected
according to the tools provided by the debian folks to check if the
keys where blacklisted. Better safe than sorry and all that.

The new key fingerprints are:
67:fc:12:1f:e6:23:42:c7:9e:be:8a:2b:40:63:32:c3 (dsa)
49:60:1f:71:90:8b:cc:48:a2:29:f8:a2:3a:1a:53:43 (rsa)

When you try to push you'd see a message like this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)! It is also possible that the RSA host key has just been
changed.

Remove gitorious.org from your ~/.ssh/known_hosts and on the next push
check that the fingerprints match the above, and accept if they do.

Thank you for your understanding.

- Johan

David Planella

unread,
May 14, 2008, 1:32:12 AM5/14/08
to Gitorious
Hi Johan,

ever since this upgrade I cannot do any fetch or push operations on my
public repo.

I started experiencing this last evening, when all of a sudden such
operations started prompting for a password. Even after entering the
correct password, the prompt appeared again and again.

I tried removing and adding my ssh key at gitorious a couple of times,
but that did not help.

This morning I tried again and this time I saw the warning notice you
are mentioning on your post. I then removed the old gitorious.org
fingerprints and added the new ones, which worked. The problem is that
even after doing that, I keep getting a password prompt on the command
line every time I try to fetch or push.

I have deleted and re-added my (RSA) key at gitorious once more, but
this did not seem to change anything.

I'm using SSH, version OpenSSH_4.6p1 Debian-5ubuntu0.4, OpenSSL 0.9.8e
23 Feb 2007

Any help will be appreciated. Thanks.

Regards,
David.

Jim Whitehead

unread,
May 14, 2008, 3:19:31 AM5/14/08
to Gitorious
I am experiencing the exact same issue with a prompt for
g...@gitorious.org's password on each push operation

On May 14, 6:32 am, David Planella <david.plane...@googlemail.com>
wrote:

Johan Sørensen

unread,
May 14, 2008, 3:19:47 AM5/14/08
to gito...@googlegroups.com
On Wed, May 14, 2008 at 7:32 AM, David Planella
<david.p...@googlemail.com> wrote:
>
> Hi Johan,
>
> ever since this upgrade I cannot do any fetch or push operations on my
> public repo.
>
> I started experiencing this last evening, when all of a sudden such
> operations started prompting for a password. Even after entering the
> correct password, the prompt appeared again and again.

The SSH daemon was upgraded around that time.


> I have deleted and re-added my (RSA) key at gitorious once more, but
> this did not seem to change anything.
>
> I'm using SSH, version OpenSSH_4.6p1 Debian-5ubuntu0.4, OpenSSL 0.9.8e
> 23 Feb 2007

What's your key fingerprint? There's a couple that's been blacklisted
because if the debian issue. Have you regenerated your keys according
to the debian/ubuntu security advisory (see
http://www.ubuntu.com/usn/usn-612-2)? I strongly encourage any Debian
and Ubuntu users to that.

>
> Regards,
> David.

Cheers,
JS

David Planella

unread,
May 14, 2008, 12:27:42 PM5/14/08
to Gitorious
In the end, after reading http://www.ubuntu.com/usn/usn-612-2 I went
ahead with the "If in doubt, destroy the key and generate a new one."
advice.

So I destroyed my old key, generated a new one and uploaded it to
gitorious.

Now I can work with my repo, although there are a couple of issues:

* 'git push' _always_ prompts for a password (ok, so far)
* 'git fetch' _always_ prompts for a password *twice*
* 'git pull' _always_ prompts for a password *twice*

I do not know whether they are part of the normal behaviour, but in
any case I did not experience them before the openssh upgrade.

Regards,
David.

David Planella

unread,
May 14, 2008, 12:48:00 PM5/14/08
to Gitorious
The issues are now solved. As someone else pointed out, I had
forgotten to add the new identity to the ssh-agent with 'ssh-add'.

On 14 Maig, 18:27, David Planella <david.plane...@googlemail.com>
wrote:
> In the end, after readinghttp://www.ubuntu.com/usn/usn-612-2I went

Andy Chambers

unread,
May 27, 2008, 5:52:57 PM5/27/08
to Gitorious
On May 13, 11:12 pm, "Johan Sørensen" <jo...@johansorensen.com> wrote:
> Everyone,
>
> Remove gitorious.org from your ~/.ssh/known_hosts and on the next push
> check that the fingerprints match the above, and accept if they do.

I followed the instructions above but am still unable to push.

I get prompted for git@gitorious's password.

Any clues as to what I'm doing wrong?

Cheers,
Andy

priit....@gmail.com

unread,
Jun 6, 2008, 1:58:00 AM6/6/08
to Gitorious
Andy Chambers wrote:
Hi Andy!

I just did push to new project and everything was working in my case.
Just in case asking, check over:

* did you uploaded your own newly generated public key to gitorious?
* did you delete old gitorious public key from your machine at ~/.ssh/
known_hosts (i deleted all this file and just got new public keys
again)

Cheers,
Priit
Reply all
Reply to author
Forward
0 new messages