public inbox for overseers@sourceware.org
From: "Frank Ch. Eigler" <fche@elastic.org>
To: Overseers mailing list <overseers@sourceware.org>
Subject: Re: ssh key conflicts
Date: Fri, 22 May 2020 11:09:35 -0400
Message-ID: <20200522150935.GI99851@elastic.org>
In-Reply-To: <ed53ccca-d52b-57f9-239a-97c7d0b875a0@gmail.com>

Hi -

> Lately, every time after I do git pull from glibc and I git pull
> gcc I get this:

> Warning: the RSA host key for
> 'gcc.gnu.org' differs from the key for the IP address '8.43.85.97'
> Offending key for IP in /home/msebor/.ssh/known_hosts:18
> Matching host key in /home/msebor/.ssh/known_hosts:1
> Are you sure you want to continue connecting (yes/no)?

BTW, glibc is not formally a gcc.gnu.org repository.

> So I go and delete the offending key, but the next time I pull
> the warning is back, and unless I delete the offending key I get:

I expect those were different warnings, perhaps from multiple
different generations.


> Connection closed by 8.43.85.97 port 22
> fatal: Could not read from remote repository.
> Please make sure you have the correct access rights
> and the repository exists.

That would be a totally different problem, maybe the wrong User name?


> After I do delete it I can pull gcc fine but when I try to pull
> glibc I get this:
> 
> The authenticity of host 'sourceware.org (8.43.85.97)' can't be established.
> ECDSA key fingerprint is SHA256:4bqfulMjMg7/L/38MJBw7mVMMu6EH+3MgMitrCRdFho.

That should be a one-time thing.  The ssh key fingerprints are also in
the sourceware.org DNS so an ssh client can verify it.

    echo "VerifyHostKeyDNS yes" >> ~/.ssh/config

Sourceware's DNS is DNSSEC protected .... so this should work quietly
and smoothly but:

> This didn't use to happen.  [...]

.... I wonder if you're noticing this from inside the RH VPN.  Some
DNS servers we use ("infoblox", whatever that is) apparently have
problems with DNSSEC or EDNS or some such thing, and IT has
selectively disabled some parts of this for sourceware.org to work
around the infoblox OS bugs.  So it could be that your ssh client is
noticing this RH-internal breakage.  There are some other RH DNS
servers running linux that don't have this problem; maybe try one
of them (e.g. 10.15.24.173) in your /etc/resolv.conf.

Anyway, ignore the warnings and/or drop the old key records it's
complaining about, and things should be fine.

- FChE
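
Added example, not part of the message above and not sourceware's own tooling: Python that reproduces the check behind the "host key ... differs from the key for the IP address" warning by comparing known_hosts entries for a hostname and its IP, and derives the SHA256 fingerprint and SSHFP record data that a client with VerifyHostKeyDNS compares. The key blobs and known_hosts content are constructed placeholders, and all function names are made up for this example.

```python
import base64, hashlib, hmac

SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}  # ecdsa-* is 3

# Constructed placeholder blobs and known_hosts content, not real host keys.
OLD_KEY = base64.b64encode(b"constructed old host key blob").decode()
NEW_KEY = base64.b64encode(b"constructed new host key blob").decode()
SAMPLE = f"""gcc.gnu.org ssh-rsa {NEW_KEY}
# stale per-IP record left over from an earlier key generation
8.43.85.97 ssh-rsa {OLD_KEY}
sourceware.org,8.43.85.97 ecdsa-sha2-nistp256 {NEW_KEY}
"""

def host_matches(field, name):
    """True if a known_hosts host field names `name` (plain list or |1| hashed).
    Wildcards and [host]:port forms are not handled in this example."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return name in field.split(",")

def entries_for(known_hosts, name):
    """Map key type -> (line number, base64 key blob) for entries naming `name`."""
    found = {}
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blanks, comments, @cert-authority / @revoked markers
        if host_matches(fields[0], name):
            found.setdefault(fields[1], (lineno, fields[2]))
    return found

def conflicts(known_hosts, host, ip):
    """(key type, offending IP line, matching host line) where the keys differ."""
    by_host, by_ip = entries_for(known_hosts, host), entries_for(known_hosts, ip)
    return [(kt, by_ip[kt][0], by_host[kt][0])
            for kt in by_host if kt in by_ip and by_host[kt][1] != by_ip[kt][1]]

def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def sshfp_rdata(keytype, blob_b64):
    """SSHFP RDATA '<algorithm> 2 <hex>' (fingerprint type 2 = SHA-256)."""
    algo = 3 if keytype.startswith("ecdsa-") else SSHFP_ALGO[keytype]
    return f"{algo} 2 {hashlib.sha256(base64.b64decode(blob_b64)).hexdigest()}"

if __name__ == "__main__":
    print(conflicts(SAMPLE, "gcc.gnu.org", "8.43.85.97"), fingerprint(NEW_KEY))
```

The stale line that `conflicts` reports is the one `ssh-keygen -R 8.43.85.97` would drop, and the `sshfp_rdata` value is what to compare against the host's published SSHFP record.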

Thread overview: 3+ messages
2020-05-22 14:46 Martin Sebor
2020-05-22 15:09 ` Frank Ch. Eigler [this message]
2020-05-22 15:31   ` Martin Sebor
