public inbox for overseers@sourceware.org
* ssh key conflicts
@ 2020-05-22 14:46 Martin Sebor
  2020-05-22 15:09 ` Frank Ch. Eigler
  0 siblings, 1 reply; 3+ messages in thread
From: Martin Sebor @ 2020-05-22 14:46 UTC (permalink / raw)
  To: overseers

Lately, every time after I do git pull from glibc and I git pull
gcc I get this:

Warning: the RSA host key for
'gcc.gnu.org' differs from the key for the IP address '8.43.85.97'
Offending key for IP in /home/msebor/.ssh/known_hosts:18
Matching host key in /home/msebor/.ssh/known_hosts:1
Are you sure you want to continue connecting (yes/no)?

So I go and delete the offending key, but the next time I pull
the warning is back, and unless I delete the offending key I get:

Connection closed by 8.43.85.97 port 22
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

After I do delete it I can pull gcc fine but when I try to pull
glibc I get this:

The authenticity of host 'sourceware.org (8.43.85.97)' can't be established.
ECDSA key fingerprint is SHA256:4bqfulMjMg7/L/38MJBw7mVMMu6EH+3MgMitrCRdFho.

This didn't use to happen.  I read various suggestions online (in
addition to deleting the offending key as I've been doing also to
add CheckHostIP no in my ~/.ssh/config) but before I use them let
me ask:  am I doing something wrong and/or what is the recommended
cure for this in our case?

Thanks
Martin


* Re: ssh key conflicts
  2020-05-22 14:46 ssh key conflicts Martin Sebor
@ 2020-05-22 15:09 ` Frank Ch. Eigler
  2020-05-22 15:31   ` Martin Sebor
  0 siblings, 1 reply; 3+ messages in thread
From: Frank Ch. Eigler @ 2020-05-22 15:09 UTC (permalink / raw)
  To: Overseers mailing list

Hi -

> Lately, every time after I do git pull from glibc and I git pull
> gcc I get this:

> Warning: the RSA host key for
> 'gcc.gnu.org' differs from the key for the IP address '8.43.85.97'
> Offending key for IP in /home/msebor/.ssh/known_hosts:18
> Matching host key in /home/msebor/.ssh/known_hosts:1
> Are you sure you want to continue connecting (yes/no)?

BTW, glibc is not formally a gcc.gnu.org repository.

> So I go and delete the offending key, but the next time I pull
> the warning is back, and unless I delete the offending key I get:

I expect those were different warnings, perhaps from multiple
different generations.


> Connection closed by 8.43.85.97 port 22
> fatal: Could not read from remote repository.
> Please make sure you have the correct access rights
> and the repository exists.

That would be a totally different problem, maybe the wrong User name?


> After I do delete it I can pull gcc fine but when I try to pull
> glibc I get this:
> 
> The authenticity of host 'sourceware.org (8.43.85.97)' can't be established.
> ECDSA key fingerprint is SHA256:4bqfulMjMg7/L/38MJBw7mVMMu6EH+3MgMitrCRdFho.

That should be a one-time thing.  The ssh key fingerprints are also in
the sourceware.org DNS so an ssh client can verify it.
echo "VerifyHostKeyDNS yes" >> .ssh/config

Sourceware's DNS is DNSSEC protected .... so this should work quietly
and smoothly but:

> This didn't use to happen.  [...]

.... I wonder if you're noticing this from inside the RH VPN.  Some
DNS servers we use ("infoblox", whatever that is) apparently have
problems with DNSSEC or EDNS or some such thing, and IT has
selectively disabled some parts of this for sourceware.org to work
around the infoblox OS bugs.  So it could be that your ssh client is
noticing this RH-internal breakage.  There are some other RH DNS
servers running linux that don't have this problem; maybe try one
of them (e.g. 10.15.24.173) in your /etc/resolv.conf.

Anyway, ignore the warnings and/or drop the old key records it's
complaining about, and things should be fine.

- FChE
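
An added example, not part of the thread: the SHA256 fingerprint that ssh prints and the digest in a DNS SSHFP record of fingerprint type 2 are the same SHA-256 hash, base64 in one and hex in the other, so the prompt can be checked by hand against the record. The function names are illustrative, and the self-check record is a constructed vector (SHA-256 of empty input), not sourceware.org's.

```shell
#!/bin/sh
# fp_to_sshfp_hex "SHA256:<base64>" -> lowercase hex SHA-256 digest
fp_to_sshfp_hex() {
    b64=${1#SHA256:}
    # ssh prints the digest without base64 padding; restore it before decoding.
    case $(( ${#b64} % 4 )) in
        2) b64="$b64==" ;;
        3) b64="$b64=" ;;
    esac
    printf '%s' "$b64" | base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# sshfp_matches FINGERPRINT "ALG FPTYPE HEXDIGEST"   (rdata of one SSHFP record)
# Succeeds only for a SHA-256 record (fptype 2) whose digest equals the
# fingerprint. Digest chunks separated by spaces are joined before comparing.
sshfp_matches() {
    fp=$1
    set -- $2                      # split the rdata into fields
    [ "$#" -ge 3 ] && [ "$2" = 2 ] || return 1
    shift 2
    hex=$(printf '%s' "$*" | tr -d ' ' | tr 'A-F' 'a-f')
    [ "$(fp_to_sshfp_hex "$fp")" = "$hex" ]
}

# Constructed vector: SHA-256 of empty input, algorithm 3 (ECDSA), fptype 2.
vec_fp='SHA256:47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU'
vec_rr='3 2 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855'
sshfp_matches "$vec_fp" "$vec_rr" && echo "self-check: match"

# The fingerprint quoted in the thread, in the hex form an SSHFP record uses;
# compare it with the type-2 records returned for sourceware.org.
fp_to_sshfp_hex 'SHA256:4bqfulMjMg7/L/38MJBw7mVMMu6EH+3MgMitrCRdFho'; echo
```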


* Re: ssh key conflicts
  2020-05-22 15:09 ` Frank Ch. Eigler
@ 2020-05-22 15:31   ` Martin Sebor
  0 siblings, 0 replies; 3+ messages in thread
From: Martin Sebor @ 2020-05-22 15:31 UTC (permalink / raw)
  To: Frank Ch. Eigler, Overseers mailing list

On 5/22/20 9:09 AM, Frank Ch. Eigler wrote:
> Hi -
> 
>> Lately, every time after I do git pull from glibc and I git pull
>> gcc I get this:
> 
>> Warning: the RSA host key for
>> 'gcc.gnu.org' differs from the key for the IP address '8.43.85.97'
>> Offending key for IP in /home/msebor/.ssh/known_hosts:18
>> Matching host key in /home/msebor/.ssh/known_hosts:1
>> Are you sure you want to continue connecting (yes/no)?
> 
> BTW, glibc is not formally a gcc.gnu.org repository.
> 
>> So I go and delete the offending key, but the next time I pull
>> the warning is back, and unless I delete the offending key I get:
> 
> I expect those were different warnings, perhaps from multiple
> different generations.
> 
> 
>> Connection closed by 8.43.85.97 port 22
>> fatal: Could not read from remote repository.
>> Please make sure you have the correct access rights
>> and the repository exists.
> 
> That would be a totally different problem, maybe the wrong User name?
> 
> 
>> After I do delete it I can pull gcc fine but when I try to pull
>> glibc I get this:
>>
>> The authenticity of host 'sourceware.org (8.43.85.97)' can't be established.
>> ECDSA key fingerprint is SHA256:4bqfulMjMg7/L/38MJBw7mVMMu6EH+3MgMitrCRdFho.
> 
> That should be a one-time thing.  The ssh key fingerprints are also in
> the sourceware.org DNS so an ssh client can verify it.
> echo "VerifyHostKeyDNS yes" >> .ssh/config
> 
> Sourceware's DNS is DNSSEC protected .... so this should work quietly
> and smoothly but:
> 
>> This didn't use to happen.  [...]
> 
> .... I wonder if you're noticing this from inside the RH VPN.  Some
> DNS servers we use ("infoblox", whatever that is) apparently have
> problems with DNSSEC or EDNS or some such thing, and IT has
> selectively disabled some parts of this for sourceware.org to work
> around the infoblox OS bugs.  So it could be that your ssh client is
> noticing this RH-internal breakage.  There are some other RH DNS
> servers running linux that don't have this problem; maybe try one
> of them (e.g. 10.15.24.173) in your /etc/resolv.conf.
> 
> Anyway, ignore the warnings and/or drop the old key records it's
> complaining about, and things should be fine.

That's the part that doesn't help.  They're not just warnings but
errors and the only way I could get around one each time was by
deleting the offending key, but that only helped until I pulled
from the other repo.

But I just tried removing all of ~/.ssh/known_hosts and that seems
to have fixed it.  Comparing the old broken known_hosts with the new
one shows the bad one has these two entries:

8.43.85.97 ssh-rsa ...
sourceware.org ecdsa-sha2-nistp256 ...

while the good one has these (after successfully pulling from both
gcc and glibc):

gcc.gnu.org,8.43.85.97 ecdsa-sha2-nistp256
sourceware.org,8.43.85.97 ecdsa-sha2-nistp256 ...

I always deleted just one key on the line it complained about so
the one that was causing the problem must have been the one with
the ssh-rsa part.

Thanks
Martin
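
An added example, not part of the thread or of any sourceware tooling: a check for the condition discussed above, where a known_hosts entry for the IP address holds a key of the same type as a hostname's entry but a different key. The function name, its arguments and the key blobs in the sample are constructed; it assumes ssh reports the conflict only when the key types match.

```shell
#!/bin/sh
# stale_ip_entries FILE IP HOST...
# Print the line numbers in FILE of entries that name IP and hold a key of the
# same type as an entry for one of HOST..., but with a different key blob.
# Hashed names (|1|...), @marker lines and comments are skipped.
stale_ip_entries() {
    file=$1 ip=$2
    shift 2
    awk -v ip="$ip" -v hosts="$*" '
        BEGIN { n = split(hosts, h, " "); for (i = 1; i <= n; i++) want[h[i]] = 1 }
        /^[ \t]*[#@|]/ || NF < 3 { next }
        {
            m = split($1, names, ",")
            on_ip = 0; on_host = 0
            for (i = 1; i <= m; i++) {
                if (names[i] == ip) on_ip = 1
                if (names[i] in want) on_host = 1
            }
            # Remember every key type and key recorded under a hostname.
            if (on_host) { seen_type[$2] = 1; seen_key[$2 SUBSEP $3] = 1 }
            # Defer IP entries until all hostname entries have been read.
            if (on_ip) { c++; line[c] = NR; type[c] = $2; key[c] = $3 }
        }
        END {
            for (i = 1; i <= c; i++)
                if ((type[i] in seen_type) && !((type[i] SUBSEP key[i]) in seen_key))
                    print line[i]
        }
    ' "$file"
}

# Constructed sample: placeholder key blobs, not real host keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
gcc.gnu.org ssh-rsa AAAA-constructed-current-rsa
sourceware.org ecdsa-sha2-nistp256 AAAA-constructed-ecdsa
8.43.85.97 ssh-rsa AAAA-constructed-old-rsa
sourceware.org,8.43.85.97 ecdsa-sha2-nistp256 AAAA-constructed-ecdsa
EOF
stale_ip_entries "$sample" 8.43.85.97 gcc.gnu.org sourceware.org
rm -f "$sample"
```

`ssh-keygen -R 8.43.85.97` removes every entry naming that address, which clears a stale record without discarding the rest of known_hosts.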
