Migration SSH/fingerprint errors


Furosh One

Jul 27, 2010, 1:39:35 PM
to Repo and Gerrit Discussion, Shawn Pearce


Perhaps this isn't so much a gerrit issue (although I found someone posted a bug with a similar issue) but an SSH issue with the move from our Old server to the New server (which is still being tested): a user ran into the SSH/fingerprint mismatch issue trying to do a full dev cycle.

I'm guessing he had a checked out repo from Old server and tried to use New server (just guessing).
Is this a user error?

Do you know what I can do to match the ssh key from Old server to New server so others don't run into this issue??

I believe there are things a user can do to resolve this but this user said providing other users steps in the past has not been successful because not everyone will resolve their issues or run into other issues on a per-user basis. =/

From user:
===========
I decided to try the full dev cycle using the new gerrit, and hit the ssh key issue:

repo init -u ssh://newserver.wrs.com:29418/ssiafp/platform/ssimanifest.git -b froyoa-omapzoom
repo sync

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
58:73:88:25:xx:xx:xx:xx:xx:xx:xx:xx:xx...
Please contact your system administrator.

Could you please make the ssh key of gerrit match that of ala-limo?
Otherwise we'll have to explain the .ssh/config  workaround to all users (and that's proven to be a waste of time in the past).

Thanks,
===========


Furosh One

Jul 27, 2010, 2:04:15 PM
to Martin Fick, repo-d...@googlegroups.com

2010/7/27 Martin Fick <c_m...@quicinc.com>
Not sure if this is the official way, but I always just:

  cp <old>/etc/ssh_* <new>/etc

-Martin

I guess that would do it, then I can erase any existing information about this server's name out of my ~/.ssh/known_hosts file and reconnect to it.
Most users have not connected to it other than the 2 testers, so doing this beforehand should help the new users who will be cut over to the new server.
I'll try this...
-FuRoSh...

Furosh One

Jul 27, 2010, 2:55:37 PM
to Digioia, MichaelX, Martin Fick, repo-d...@googlegroups.com


On Tue, Jul 27, 2010 at 11:24 AM, Digioia, MichaelX <michaelx...@intel.com> wrote:

Related to this  - maybe you know why I can’t open a connection to my auth agent when I do ssh-add? This is used to create a key with “ssh-keygen” then add it to the server.


Are you trying to use gitolite by chance? Or just regular passwordless ssh connections?

You can try using this:

$ ssh-copy-id -i ~/.ssh/id_rsa.pub name@server

Or if you have root access to the server you can also add the rsa_id.pub key to the server's .ssh/known_host file manually.

If you're using gitolite, you may need to remove the entries that exist for that server in your ~/.ssh/known_hosts file.

Hope this helps...

-FuRoSh.

Furosh One

Jul 27, 2010, 3:10:29 PM
to Repo and Gerrit Discussion, Shawn Pearce
Does Gerrit use a separate proprietary SSH connection mechanism or server/service other than what the server SSH does???

Because I explained to the user requesting this change from me that there should be two ways to handle his request but both seem to require changes from the users to delete an entry in their ~/.ssh/known_hosts file.

I explained this to the user:
======================

The two ways I know how to resolve this are:

1)      User-side, remove any new-server* entries out of their ~/.ssh/known_hosts file and simply reconnect to it.

2)      Copy the old-server:/etc/ssh/* onto new-server:/etc/ssh/*.


It looks like you’re proposing to do number (2) and this implies that any users who currently have “Permanently added new-server to known_hosts”, if they re-connect to new-server after this change, will receive the same error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

They will still be required to remove new-server out of ~/.ssh/known_hosts file. Even if they’re not accessing Gerrit but simply have connected to it in the past.


=======================


Am I missing something here because the user thinks Gerrit uses something else for SSH?

-FuRoSh...

Furosh One

Jul 27, 2010, 6:06:41 PM
to Repo and Gerrit Discussion, Shawn Pearce
I'm a bit puzzled on this one. I can't seem to find the correct fingerprint on the server that I'm getting when trying to connect to the server.

Perhaps someone can tell me either the easiest way to resolve my original question or where the Gerrit UI gets the Settings / SSH Keys: Server Host Keys from?

[new-server.mydomain.com]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyo8+\

<truncated>==


I can't seem to find a match for this key anywhere =/

-g

Furosh One

Jul 27, 2010, 6:32:09 PM
to Repo and Gerrit Discussion, Shawn Pearce
Okay I think I found it. I was able to find the ssh message about adding fingerprint and also the matching fingerprint from the Gerrit UI on both old and new servers here.

Old server running version_nbr "14": /home/gerrit/.ssh/known_hosts

New server running version_nbr "35": /home/gerrit2/review_site/etc/ssh_host_rsa_key.pub

Is this right? I can't find the actual pub key though on old server =/ like I can on new server. hmm...

I'm assuming it has to reside somewhere, unless it's just old and might be configured/set up differently due to the version it's running.

Almost there...

Furosh One

Jul 28, 2010, 12:43:15 PM
to Repo and Gerrit Discussion
Anyone else know what can be copied from old server to new server to avoid receiving the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" messages?

Shawn Pearce

Jul 28, 2010, 1:32:51 PM
to Furosh One, Repo and Gerrit Discussion
On Wed, Jul 28, 2010 at 09:43, Furosh One <fur...@gmail.com> wrote:
>
> Anyone else know what can be copied from old server to new server to avoid
> receiving the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" messages?

We already told you. Copy the ssh_host_* files from the old server's
directory to the new server's etc/ subdirectory, replacing the
ssh_host_* files that were generated during init.

Furosh One

Jul 28, 2010, 5:01:39 PM
to Shawn Pearce, Repo and Gerrit Discussion
Okay thanks. Just to clarify, after doing this change any user who currently connects to the new server will get the "WARNING" message and edit their known_hosts file? I'm guessing it will because users do ssh (22) directly to it right now.

The person requesting this seems to think Gerrit handles ssh differently:

> On 07/27/2010 11:46 AM, End-User1 wrote:

> I think gerrit runs its own ssh server with its own ssh host key. This host key is different from the host key people use to log into ala-serv1 (outside of gerrit, on port 22).  I'd like to make both keys the same (copy ala-serv1:/etc/ssh/ssh_host*key* to wherever gerrit stores its keys).

I just want to be able to let him know this isn't the case...

thanks for your patience with me =D

Shawn Pearce

Jul 28, 2010, 5:05:38 PM
to Furosh One, Repo and Gerrit Discussion
On Wed, Jul 28, 2010 at 14:01, Furosh One <fur...@gmail.com> wrote:
>
> Okay thanks. Just to clarify, after doing this change any user who currently
> connects to the new server will get the "WARNING" message and edit their
> known_hosts file? I'm guessing it will because users do ssh (22) directly to
> it right now.

Yes.

> The person requesting this seems to think Gerrit handles ssh differently:
>
>> On 07/27/2010 11:46 AM, End-User1 wrote:
>
>> I think gerrit runs its own ssh server with its own ssh host key. This
>> host key is different from the host key people use to log into ala-serv1
>> (outside of gerrit, on port 22).  I'd like to make both keys the same (copy
>> ala-serv1:/etc/ssh/ssh_host*key* to wherever gerrit stores its keys).
>
> I just want to be able to let him know this isn't the case...

End-User1 is right. Gerrit runs its own SSH server, with its own host
key. His instructions to make them the same are correct, assuming you
installed the Bouncy Castle Crypto library. (The library is required
to read the same key format that OpenSSH uses.)
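
Added example, not part of the original thread and not Gerrit's own code: a Python sketch of how the colon-separated fingerprint in the warning relates to a host key line such as the one in Settings / SSH Keys, and how to list the known_hosts entries a client would have to drop for the Gerrit port. The function names and all key material are constructed for illustration; only the host name and port come from the thread.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    # Length-prefixed field of the SSH wire format (RFC 4251).
    return struct.pack(">I", len(data)) + data

def make_rsa_line(host: str, e: int, n: int) -> str:
    # Build a known_hosts-style line from constructed integers (not a real key).
    def mpint(v):
        return ssh_string(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    blob = ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

def fingerprints(key_b64: str) -> dict:
    # Both formats hash the decoded key blob, not the base64 text.
    # Colon-separated hex is MD5; newer OpenSSH clients print SHA256 instead.
    blob = base64.b64decode(key_b64)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def stale_entries(known_hosts: str, host: str, port: int, server_line: str) -> list:
    # OpenSSH stores non-default ports as "[host]:port", so the entry for
    # Gerrit on 29418 is separate from the port-22 entry for the same machine.
    name = host if port == 22 else f"[{host}]:{port}"
    server_key = server_line.split()[2]
    stale = []
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed (|1|...) host names.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        if name in fields[0].split(",") and fields[2] != server_key:
            stale.append((line, fingerprints(fields[2])["md5"]))
    return stale

# Constructed sample data: host name and port from the thread, made-up keys.
HOST = "new-server.mydomain.com"
OS_SSHD = make_rsa_line(HOST, 65537, (1 << 511) + 0x1111)
OLD_INIT = make_rsa_line(f"[{HOST}]:29418", 65537, (1 << 511) + 0x2222)
MIGRATED = make_rsa_line(f"[{HOST}]:29418", 65537, (1 << 511) + 0x3333)
KNOWN_HOSTS = "\n".join(["# client file", OS_SSHD, OLD_INIT])

if __name__ == "__main__":
    for line, fp in stale_entries(KNOWN_HOSTS, HOST, 29418, MIGRATED):
        print("stale:", line.split()[0], fp)
```

Hashed known_hosts entries cannot be matched by name this way and are skipped.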
