Re: [Savannah-hackers-public] new vcs server ssh host key fingerprint

[Bob Proulx]

Hello Mike,

Mike Miller wrote:
> Please cc me in replies, I am not subscribed.
...
> In a previous thread on this list, I see discussion of moving to the new
> server with new ssh host keys, but I haven't been able to find an actual
> fingerprint published anywhere.

The discussion about ssh host keys is:

  
http://lists.gnu.org/archive/html/savannah-hackers-public/2016-10/msg00021.html
  
http://lists.gnu.org/archive/html/savannah-hackers-public/2016-10/msg00022.html
  
http://lists.gnu.org/archive/html/savannah-hackers-public/2016-11/msg00000.html

Because of the flexibility to be able to switch back and forth while
working on the various version control systems we went with option 3
described there.  (And we have used that capability a few times
already.)  I cloned the old host keys onto the new system.  Therefore
if you have the hostnames in your known_hosts for the previous system
you should not get a key change warning using the same hostname on the
new system.  If your ssh warns on IP address changes that will be the
only difference.

However once the migration is complete, still some ways off, we plan
on regenerating new host keys of a longer length.  The previous keys
are 1024 bits long and certainly longer keys are desirable today.

In the meantime if you clear your entry for a service on the new host
then upon connecting again your ssh client should negotiate the newer
key ciphers.

> Can you post the new server's fingerprint, preferably both the md5 and
> sha256 fingerprints, or point me to where they are posted?

1024 80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5 (RSA)
256 65:b8:1c:2f:82:7c:0e:39:e1:4a:63:f2:13:10:e8:9c (ECDSA)
256 14:7b:c8:98:dd:06:08:97:8c:00:9d:d2:ae:85:c8:82 (ED25519)

1024 SHA256:FYkx0iik+iBeCLRzvUyUSTRT98TEBBJoYuQsTXbyGL8 (RSA)
256 SHA256:qRLLJ4w/GAeiDyYnbx4yWJbZXwGiYYxgNty7lAfUyuM (ECDSA)
256 SHA256:o/oI4CKKcWc4cZvDFEdmOXsE3tiPP8bWa04h4bQjtV4 (ED25519)

hg.savannah.gnu.org ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAIEAzFQovi+67xa+wymRz9u3plx0ntQnELBoNU4SCl3RkwSFZkrZsRTC0fTpOKatQNs1r/BLFoVt21oVFwIXVevGQwB+Lf0Z+5w9qwVAQNu/YUAFHBPTqBze4wYK/gSWqQOLoj7rOhZk0xtAS6USqcfKdzMdRWgeuZ550P6gSzEHfv0=
hg.savnnah.gnu.org ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP9c1Z2f4OHxymvLxqxQ/hY1g0ol0/iiXUrVFGZBBq4h5gD05c7Gw9rRrcrvF9XvumBvOghOQzDSZZLRWvFGocA=
hg.savannah.gnu.org ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIMnMLHxGS/b6Su98mL/J58FkpEJY/X1mONqhPBuFX5sJ

The RSA key is the same on both servers.  The old server does not have
the newer ciphers.

> Eventually it would be good to update
> https://savannah.gnu.org/maintenance/SshAccess/, but I understand this
> migration is still a work in progress.

Agreed.  Unfortunately the documentation in general is a garget rich
environment for improvement.  The documentation is definitely an area
where anyone could jump in and help significantly.

Bob

signature.asc
Description: PGP signature