Server SSH fingerprint mismatch
Luciano Carvalho
Shawn Pearce
> I just have a new instance of Gerrit running, but users are not able to repo
> sync from it due to a SSH issue.
>
> Consider the scenario:
> - If I go to Gerrit -> Settings -> SSH Keys, I'll see fingerprint-A, and my
> server's RSA key-A
> - If I go to /etc/ssh, I'll see a fingerprint-B and a different RSA key (B)
>
> When I do "repo init", it adds the RSA key-A (the one from Gerrit) to my
> known_hosts file.
>
> Then, when I do "repo sync" it tries to add RSA key-B to the known_hosts
> file and it throws me the error below:
Your manifest must be using URLs that point to ssh://host/ and not to
ssh://host:port/. So its trying to contact the system SSH server, and
that's a different host key.
> Add correct host key in /home/.../.ssh/known_hosts to get rid of this
> message.
> Offending key in /home/.../.ssh/known_hosts:1
Odd. The records in that file are supposed to use port
numbers, so they disambiguate their identities. E.g.
for review.source.android.com I have:
[review.source.android.com]:29418,[r.android.com]:29418,[140.211.167.229]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq0dre0S2WsKfBrK8p+VQZtYKh2BzxWfzJfAbgVY5OgKrxP2Tuo67GXfcjRmmBErJ39+eJNO6e+AoJSO2BEfTNqsGqvZiafsjMN995WG0qfKFQnM2Gsc2qLVFA4htSRno2wh5xKXyWFY+FNJp+HHgISoZWnGTCWItQDf/BgSpKTUnpMHYkvqmwnZ6rSf5Us/ppkC8OtH62YIoAWByrSghonUEyXjtARvDMQ8cmVgxvtMSJm/aNqHPwEHa4nxI5QEcglgj8N+y5wRzsSmaT+zfbtl6p5vcbZHZGk5wWw71aKBltfbAyF7AIrlXZoSt9GrIjHAEcl6trIJ/I8xqZBu6Iw==
Notice the :29418 suffix to disambiguate this record from
another one for the default port 22...
Luciano Carvalho
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
Shawn Pearce
> I'm in the middle of a huge transition to Gerrit right now and I was trying
> to keep everything as it was.
>
> So, users would just have to add ` [url "ssh://server:29418/"] insteadOf
> ssh://server/ ` to their .gitconfig and they would be good to go with the
> same init/sync commands, to make the transition smoother
>
> I was inferring repo would replace the URLs as well... Shouldn't it?
Yes, it should have. I don't know why this would confuse SSH with
the host key matching, Git should have used `ssh -p 29418 server`
because of the rewrite.
Maybe the user had server already configured with a Host block in
~/.ssh/config and the whole matching process just fell apart between
the port number in ~/.ssh/config and the port on the command line?
> Well, I'm glad it is a simple manifest change and won't require the users to
> change anything locally.
I _think_ that's the problem. Clearly your SSH client is having
some issues though. Maybe you can use ps to see what arguments,
exactly, Git is being fed by repo and is feeding down into SSH to
better understand what is going wrong.
> BTW:. Thanks for the query to make the user import!! I just had to change
> some details to make it work on MySQL and to deal with the "seq" for the
> keys table, then imported 1.5K users and about 2K public keys.
Sure, glad to hear it worked out.
Luciano Carvalho
--
Shawn Pearce
> Same issue happened when I did repo sync. It looks like repo is not
> replacing the URL before it goes to the server.
> Could it be a potential bug? Do you want me to file a bug against it?
Sure, that does sound like a bug in repo. I can't promise it will be
fixed anytime soon, but at least documenting we know this is a problem
would be good.
Luciano Carvalho
--
Shawn Pearce
> What's the link to the bug tracking system, please?
http://code.google.com/p/git-repo/issues/list