We also changed the SSH server config to only support the "modern" set of ciphers, MACs, algorithms, etc from https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern. If you are running an old SSH client, it may not be able to connect.
If you encounter problems connecting, complain in #vcs with a link to pastebinned `ssh -v` output so we can see what your client supports so we may consider adding legacy support on the server as a stop-gap. But upgrading your SSH client to something that supports modern crypto is highly preferred. More and more Mozilla systems will be adopting these "modern" SSH server settings. So you'll have to upgrade sometime.

On Mon, Apr 4, 2016 at 8:36 AM, Gregory Szorc <g...@mozilla.com> wrote:

> This change was just made (we delayed because we didn't want to take
> extra risks on a Friday afternoon).
>
> A GPG signed document detailing the current keys is available at
>
> https://hg.mozilla.org/hgcustom/version-control-tools/raw-file/tip/docs/vcs-server-info.asc
>
> On 3/31/16 2:39 PM, Gregory Szorc wrote:
> > This message serves as a notice that the *SSH host keys* for
> > hg.mozilla.org will be rotated in the next ~24 hours.
> >
> > When connecting to hg.mozilla.org over SSH, your SSH client should warn
> > that host keys have changed and refuse to connect until
> > accepting/trusting the new host key. After 1st host key verification
> > failure:
> >
> > 1) `ssh-keygen -R hg.mozilla.org` to remove the old host key
> > 2) `ssh hg.mozilla.org` and verify the fingerprint of the new key
> > matches one of the following:
> >
> > 256 SHA256:7MBAdqLe8+aSYkv+5/2LUUxd+WdgYcVSV+ZQVEKA7jA hg.mozilla.org (ED25519)
> > 256 SHA1:Ft++OU96cvaREKNFCJ6AiuCpGac hg.mozilla.org (ED25519)
> > 256 MD5:96:eb:3b:78:f5:ca:19:e2:0c:a0:95:ea:04:28:7d:26 hg.mozilla.org (ED25519)
> >
> > 4096 SHA256:RX2OK8A1KNWdxyu6ibIPeEGLBzc5vyQW/wd7RKjBehc hg.mozilla.org (RSA)
> > 4096 SHA1:p2MGe4wSw8ZnQ5J9ShBk/6VA+Co hg.mozilla.org (RSA)
> > 4096 MD5:1c:f9:cf:76:de:b8:46:d6:5a:a3:00:8d:3b:0c:53:77 hg.mozilla.org (RSA)
> >
> > Q: What host key types were changed? We dropped the DSA host key and
> > added a ED25519 host key. The length of the RSA key has been increased
> > from 2048 to 4096 bits.
> >
> > Q: Does this impact connections to https://hg.mozilla.org/? No. The x509
> > certificate to the https:// endpoint is remaining unchanged at this
> > time.
> >
> > Q: Why is this being done? We are modernizing the server infrastructure
> > of hg.mozilla.org. As part of this, we're bringing the hosts in
> > compliance with Mozilla's SSH security guidelines
> > (https://wiki.mozilla.org/Security/Guidelines/OpenSSH).

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
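
The fingerprint check in step 2 of the quoted notice can be scripted. The following is an added example, not part of the original thread or Mozilla's tooling: it derives the SHA256, SHA1 and MD5 fingerprint forms from a host key line in `ssh-keyscan`/known_hosts format and accepts the key only if one matches a pinned value. The function names and the sample key (constructed, not the real host key) are assumptions.

```python
import base64
import hashlib
import struct

# SHA256 fingerprints published in the notice above.
PUBLISHED = {
    "SHA256:7MBAdqLe8+aSYkv+5/2LUUxd+WdgYcVSV+ZQVEKA7jA",  # ED25519
    "SHA256:RX2OK8A1KNWdxyu6ibIPeEGLBzc5vyQW/wd7RKjBehc",  # RSA
}

def _b64(digest):
    # OpenSSH prints base64 digests without '=' padding.
    return base64.b64encode(digest).decode().rstrip("=")

def fingerprints(blob):
    """Return the three fingerprint forms for a raw public-key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "SHA256:" + _b64(hashlib.sha256(blob).digest()),
        "SHA1:" + _b64(hashlib.sha1(blob).digest()),
        "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }

def parse_host_key(line):
    """Parse a 'host keytype base64' line; return (host, keytype, blob)."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; a
    # mismatch means the line is malformed or was altered.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("key type does not match blob")
    return host, keytype, blob

def is_trusted(line, pinned=PUBLISHED):
    """True only if the offered key matches a pinned fingerprint."""
    _, _, blob = parse_host_key(line)
    return bool(fingerprints(blob) & set(pinned))

def sample_line():
    # Constructed ED25519 key (32 bytes of 0x42), NOT the real host key.
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + b"\x42" * 32
    return "hg.mozilla.org ssh-ed25519 " + base64.b64encode(blob).decode()

if __name__ == "__main__":
    print(is_trusted(sample_line()))
```

The pinned values should come from an authenticated source such as the GPG-signed document linked in the thread, not from the same connection that presents the key.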