FYI.
Subject: Upcoming SSH Host Key Rotation for hg.mozilla.org
Date: Thu, 31 Mar 2016 14:39:15 -0700
From: Gregory Szorc <gsz...@mozilla.com>
To: dev-versi...@lists.mozilla.org, dev-platform <dev-pl...@lists.mozilla.org>, Firefox Dev <firef...@mozilla.org>, release-e...@lists.mozilla.org

This message serves as a notice that the *SSH host keys* for hg.mozilla.org will be rotated in the next ~24 hours.

When connecting to hg.mozilla.org over SSH, your SSH client should warn that host keys have changed and refuse to connect until accepting/trusting the new host key.

After 1st host key verification failure:

1) `ssh-keygen -R hg.mozilla.org` to remove the old host key
2) `ssh hg.mozilla.org` and verify the fingerprint of the new key matches one of the following:

    256 SHA256:7MBAdqLe8+aSYkv+5/2LUUxd+WdgYcVSV+ZQVEKA7jA hg.mozilla.org (ED25519)
    256 SHA1:Ft++OU96cvaREKNFCJ6AiuCpGac hg.mozilla.org (ED25519)
    256 MD5:96:eb:3b:78:f5:ca:19:e2:0c:a0:95:ea:04:28:7d:26 hg.mozilla.org (ED25519)

    4096 SHA256:RX2OK8A1KNWdxyu6ibIPeEGLBzc5vyQW/wd7RKjBehc hg.mozilla.org (RSA)
    4096 SHA1:p2MGe4wSw8ZnQ5J9ShBk/6VA+Co hg.mozilla.org (RSA)
    4096 MD5:1c:f9:cf:76:de:b8:46:d6:5a:a3:00:8d:3b:0c:53:77 hg.mozilla.org (RSA)

Q: What host key types were changed?

We dropped the DSA host key and added an ED25519 host key. The length of the RSA key has been increased from 2048 to 4096 bits.

Q: Does this impact connections to https://hg.mozilla.org/?

No. The x509 certificate to the https:// endpoint is remaining unchanged at this time.

Q: Why is this being done?

We are modernizing the server infrastructure of hg.mozilla.org. As part of this, we're bringing the hosts in compliance with Mozilla's SSH security guidelines (https://wiki.mozilla.org/Security/Guidelines/OpenSSH).

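An added example, not part of the original message or of Mozilla's tooling: it shows how the three fingerprint renderings listed above (SHA256, SHA1, MD5) are derived from a host key blob, and checks a `host keytype base64` line against a pinned set. The `PUBLISHED` set holds the two SHA256 values from the announcement; the sample key is constructed filler, and all function names are hypothetical.

```python
import base64
import hashlib
import struct

# SHA256 fingerprints copied from the announcement above.
PUBLISHED = {
    "SHA256:7MBAdqLe8+aSYkv+5/2LUUxd+WdgYcVSV+ZQVEKA7jA",  # ED25519
    "SHA256:RX2OK8A1KNWdxyu6ibIPeEGLBzc5vyQW/wd7RKjBehc",  # RSA
}

def fingerprints(blob: bytes) -> dict:
    """Return the three fingerprint renderings OpenSSH uses for a key blob."""
    def b64(digest):
        return base64.b64encode(digest).decode().rstrip("=")  # OpenSSH drops padding
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "SHA256": "SHA256:" + b64(hashlib.sha256(blob).digest()),
        "SHA1": "SHA1:" + b64(hashlib.sha1(blob).digest()),
        "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }

def parse_host_line(line: str):
    """Parse 'host keytype base64' (ssh-keyscan output / unhashed known_hosts)."""
    host, key_type, key_b64 = line.split()[:3]
    blob = base64.b64decode(key_b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type in line does not match key blob")
    return host, key_type, blob

def host_key_trusted(line: str, host: str, trusted: set) -> bool:
    """True only if the line is for `host` and its SHA256 fingerprint is pinned."""
    line_host, _key_type, blob = parse_host_line(line)
    return line_host == host and fingerprints(blob)["SHA256"] in trusted

def make_line(host: str, raw_key: bytes) -> str:
    """Build a constructed ssh-ed25519 host line for the demo."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(raw_key)) + raw_key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

# Constructed sample: 32 bytes of filler, NOT the real hg.mozilla.org key.
SAMPLE = make_line("hg.mozilla.org", bytes(range(32)))

if __name__ == "__main__":
    print(fingerprints(parse_host_line(SAMPLE)[2]))
    print("trusted:", host_key_trusted(SAMPLE, "hg.mozilla.org", PUBLISHED))
```

Because the sample key is filler, the check against `PUBLISHED` reports it as untrusted, which is the behaviour wanted for any key that does not match the announced fingerprints.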
This happened.
Axel
Subject: Re: Upcoming SSH Host Key Rotation for hg.mozilla.org
Date: Mon, 4 Apr 2016 08:36:54 -0700
From: Gregory Szorc <g...@mozilla.com>
To: Gregory Szorc <gsz...@mozilla.com>, dev-versi...@lists.mozilla.org, dev-platform <dev-pl...@lists.mozilla.org>, Firefox Dev <firef...@mozilla.org>, release-e...@lists.mozilla.org

This change was just made (we delayed because we didn't want to take extra risks on a Friday afternoon). A GPG signed document detailing the current keys is available at https://hg.mozilla.org/hgcustom/version-control-tools/raw-file/tip/docs/vcs-server-info.asc