Hi,
I wanted to login on gluck today and stumbled on that:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
ca:59:44:a0:0d:9e:5c:45:39:2b:a0:75:9a:d4:45:fe.
Please contact your system administrator.
[...]
OK. This is probably caused by the reinstallation mentioned on
http://lists.debian.org/debian-devel-announce/2006/07/msg00003.html.
But replacing an ssh key is not something to take lightly, IMHO.
Right, I can compare the advertised fingerprint with that published on:
https://db.debian.org/machines.cgi?host=gluck
Both are identical. But:
1. There is also:
* Entry created: 0000/00/00 00:00:00 UTC
* Entry modified: 0000/00/00 00:00:00 UTC
which is not reassuring.
2. Even worse, the page has:
Last Modified: Tue, Feb 1 19:13:06 UTC 2005
which is *way before* the compromise. Ugh.
3. I have to trust the integrity of db.debian.org.
I think it would be much better if someone from debian-admin would be so
kind to GPG-sign the public RSA keys of Debian hosts. This way, I'd only
have to trust that James Troup and Martin Schulze[1] take good care of
their GPG keys.
That would make me more comfortable replacing my current entry for gluck
in ~/.ssh/known_hosts.
Thoughts? Does that already exist and I missed it? (Google didn't help)
Thanks.
[1] Or any other person in charge of the machines, the point being,
*few* of them, and people I really have to trust when using Debian
anyway.
--
Florent
Attachment:
pgpidbVkG8FYd.pgp
Description: PGP signature
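The check the mail describes, comparing the fingerprint ssh presents with the one published on db.debian.org and only then replacing the host's line in ~/.ssh/known_hosts, as an added example; it is not part of the original mail and not Debian tooling. The key material, host names and known_hosts contents are constructed for the example (the "modulus" is just deterministic bytes, since a fingerprint only hashes the encoded key blob). The fingerprint form is the colon-separated MD5 that ssh and `ssh-keygen -l` printed in 2006; current OpenSSH prints SHA256 by default, and `ssh-keygen -l -E md5 -f key.pub` gives the old form.

```python
"""Verify an SSH host key against a published fingerprint before trusting it.

Added example: key material, host names and file contents are constructed.
"""
import base64
import hashlib
import hmac
import re
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 32-bit big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, so a 0x00 byte is
    prepended when the top bit is set (else the value would read as negative)."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_public_key_line(e: int, n: int, comment: str) -> str:
    """Encode (e, n) the way OpenSSH writes ssh_host_rsa_key.pub."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line: str) -> tuple[str, bytes]:
    """Return (key type, raw key blob) from a '<type> <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode():  # the blob must repeat the type
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def is_valid_public_key_line(line: str) -> bool:
    try:
        parse_public_key_line(line)
        return True
    except (ValueError, struct.error):
        return False


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 of the blob: the form ssh printed in 2006."""
    digest = hashlib.md5(blob, usedforsecurity=False).digest()
    return ":".join(f"{b:02x}" for b in digest)


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH form: 'SHA256:' plus unpadded base64 of SHA-256."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def normalize_md5_fingerprint(published: str) -> str:
    """Accept 'ca:59:..', 'CA59..' or 'MD5:ca:59:..'; return ssh's colon form."""
    text = published.strip().lower()
    if text.startswith("md5:"):
        text = text[4:]
    hexdigits = text.replace(":", "")
    if not re.fullmatch(r"[0-9a-f]{32}", hexdigits):
        raise ValueError(f"not an MD5 fingerprint: {published!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 32, 2))


def host_key_matches(published_md5: str, key_line: str) -> bool:
    """True only if the key line hashes to the published fingerprint."""
    _, blob = parse_public_key_line(key_line)
    return hmac.compare_digest(fingerprint_md5(blob),
                               normalize_md5_fingerprint(published_md5))


def replace_known_hosts_entry(contents: str, host: str, key_line: str) -> str:
    """Drop every plain-text entry naming `host` and append the verified key.

    Hashed entries ('|1|...') cannot be matched by name; ssh-keygen -R handles
    those. Lines with an @cert-authority / @revoked marker carry the host
    pattern in the second field."""
    key_type, blob = parse_public_key_line(key_line)
    kept = []
    for line in contents.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            names = fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]
            if host in names.split(","):
                continue  # stale entry for this host
        kept.append(line)
    kept.append(f"{host} {key_type} {base64.b64encode(blob).decode()}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Constructed, not a real RSA modulus: 1024 deterministic bits, top bit set.
    fake_n = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 4,
                            "big") | (1 << 1023) | 1
    key_line = build_rsa_public_key_line(65537, fake_n, "root@gluck")
    _, blob = parse_public_key_line(key_line)
    published = fingerprint_md5(blob).upper()  # what the machine page would show
    print("ssh reports:", fingerprint_md5(blob))
    print("published  :", published)
    print("match      :", host_key_matches(published, key_line))
    stale = "gluck.debian.org,192.0.2.1 ssh-rsa AAAAB3NzaC1yc2E\n"  # placeholder
    if host_key_matches(published, key_line):
        print(replace_known_hosts_entry(stale, "gluck.debian.org", key_line), end="")
```

The script only addresses the comparison step; the trust question the mail raises is what the published fingerprint is worth. If the admins published each host's `.pub` file with a detached GPG signature, one would run `gpg --verify gluck.pub.asc gluck.pub` first and then feed the verified line to `host_key_matches` and `replace_known_hosts_entry`, so that the only thing being trusted is the signer's key rather than the web server.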