Never mind, I didn't read the comments to the savannah announcement where this was discussed.
Still, the issue with unsigned announcements still exists...

Simon Josefsson <[EMAIL PROTECTED]> writes:

> "Jaime E. Villate" <[EMAIL PROTECTED]> writes:
>
>> On Sun, Aug 03, 2003 at 10:43:21PM +0200, Simon Josefsson wrote:
>>> If the SSH host key has really changed, I think it would be good to
>>> announce it somewhere. Is there a PGP signed announcement channel
>>> from the savannah system hackers? I think there should be one.
>>>
>>> FWIW, the ssh host key appears to have changed from my point of view
>>> within the latest 24 hours.
>> Yes. I was trying a newer version of ssh and when I downgraded to the original
>> version, a new key was generated. Sorry about it. We'll try to post an
>> announcement.
>
> I noticed the announcement (thanks), but the key has changed again?!
> The key below doesn't match the one in the announcement.
>
> Also, the announcements aren't signed. If someone is able to attack
> savannah in a way that modifies RSA host keys, they most likely can add
> an unsigned announcement to unprotected HTTP that says the SSH host key
> has changed...
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA1 host key has just been changed.
> The fingerprint for the RSA1 key sent by the remote host is
> 66:f4:9a:7e:e3:a8:c5:16:d1:88:aa:ef:3e:06:75:30.
> Please contact your system administrator.
> Add correct host key in /home/jas/.ssh/known_hosts to get rid of this message.
> Offending key in /home/jas/.ssh/known_hosts:64
> RSA1 host key for subversions.gnu.org has changed and you have requested strict
> checking.
> Host key verification failed.
> cvs [update aborted]: end of file from server (consult above messages if any)

_______________________________________________
Savannah-hackers mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/savannah-hackers