Subject: Re: ssh key conflicts
To: "Frank Ch. Eigler", Overseers mailing list
References: <20200522150935.GI99851@elastic.org>
From: Martin Sebor
Message-ID: <7b4ea0a9-fe5c-cb5c-1cd0-ee18bf060c3d@gmail.com>
Date: Fri, 22 May 2020 09:31:06 -0600
In-Reply-To: <20200522150935.GI99851@elastic.org>

On 5/22/20 9:09 AM, Frank Ch. Eigler wrote:
> Hi -
>
>> Lately, every time after I do git pull from glibc and I git pull
>> gcc I get this:
>
>> Warning: the RSA host key for
>> 'gcc.gnu.org' differs from the key for the IP address '8.43.85.97'
>> Offending key for IP in /home/msebor/.ssh/known_hosts:18
>> Matching host key in /home/msebor/.ssh/known_hosts:1
>> Are you sure you want to continue connecting (yes/no)?
>
> BTW, glibc is not formally a gcc.gnu.org repository.
>
>> So I go and delete the offending key, but the next time I pull
>> the warning is back, and unless I delete the offending key I get:
>
> I expect those were different warnings, perhaps from multiple
> different generations.
>
>
>> Connection closed by 8.43.85.97 port 22
>> fatal: Could not read from remote repository.
>> Please make sure you have the correct access rights
>> and the repository exists.
>
> That would be a totally different problem, maybe the wrong User name?
>
>
>> After I do delete it I can pull gcc fine but when I try to pull
>> glibc I get this:
>>
>> The authenticity of host 'sourceware.org (8.43.85.97)' can't be established.
>> ECDSA key fingerprint is SHA256:4bqfulMjMg7/L/38MJBw7mVMMu6EH+3MgMitrCRdFho.
>
> That should be a one-time thing.  The ssh key fingerprints are also in
> the sourceware.org DNS so an ssh client can verify it.
>     echo "VerifyHostKeyDNS yes" >> .ssh/config
>
> Sourceware's DNS is DNSSEC protected .... so this should work quietly
> and smoothly but:
>
>> This didn't use to happen. [...]
>
> .... I wonder if you're noticing this from inside the RH VPN.  Some
> DNS servers we use ("infoblox", whatever that is) apparently have
> problems with DNSSEC or EDNS or some such thing, and IT has
> selectively disabled some parts of this for sourceware.org to work
> around the infoblox OS bugs.  So it could be that your ssh client is
> noticing this RH-internal breakage.  There are some other RH DNS
> servers running linux that don't have this problem; maybe try one
> of them (e.g. 10.15.24.173) in your /etc/resolv.conf.
>
> Anyway, ignore the warnings and/or drop the old key records it's
> complaining about, and things should be fine.

That's the part that doesn't help.  They're not just warnings but
errors and the only way I could get around one each time was by
deleting the offending key, but that only helped until I pulled
from the other repo.

But I just tried removing all of ~/.ssh/known_hosts and that seems
to have fixed it.  Comparing the old broken known_hosts with the new
one shows the bad one has these two entries:

   8.43.85.97 ssh-rsa ...
   sourceware.org ecdsa-sha2-nistp256 ...

while the good one has these (after successfully pulling from both
gcc and glibc):

   gcc.gnu.org,8.43.85.97 ecdsa-sha2-nistp256
   sourceware.org,8.43.85.97 ecdsa-sha2-nistp256 ...

I always deleted just one key on the line it complained about so
the one that was causing the problem must have been the one with
the ssh-rsa part.

Thanks
Martin
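
The check behind the "differs from the key for the IP address" warning in this thread can be approximated offline, so a stale address-only record is found in one pass instead of one pull at a time. This is an added example, not code from the thread or from OpenSSH; the key blobs and the file contents are constructed placeholders, and the name-to-address mapping is supplied by hand.

```python
from collections import defaultdict

def parse_known_hosts(text):
    """Yield (lineno, hosts, keytype, key) for plain (unhashed) entries."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):            # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue                             # malformed, or hashed host field
        yield lineno, fields[0].split(","), fields[1], fields[2]

def find_conflicts(text, aliases):
    """aliases maps an address to the host names served from it.

    Returns (name, ip, keytype, ip_line, name_line) wherever the key recorded
    for the name and the key of the same type recorded for the address differ.
    """
    by_host = defaultdict(dict)                  # host -> keytype -> (key, lineno)
    for lineno, hosts, keytype, key in parse_known_hosts(text):
        for host in hosts:
            by_host[host].setdefault(keytype, (key, lineno))
    conflicts = []
    for ip, names in aliases.items():
        for name in names:
            for keytype, (key, name_line) in by_host.get(name, {}).items():
                ip_entry = by_host.get(ip, {}).get(keytype)
                if ip_entry and ip_entry[0] != key:
                    conflicts.append((name, ip, keytype, ip_entry[1], name_line))
    return conflicts

# Constructed files shaped like the "bad" and "good" ones described above.
BAD = """gcc.gnu.org ssh-rsa CONSTRUCTED-RSA-CURRENT
sourceware.org ecdsa-sha2-nistp256 CONSTRUCTED-ECDSA
8.43.85.97 ssh-rsa CONSTRUCTED-RSA-STALE
"""
GOOD = """gcc.gnu.org,8.43.85.97 ecdsa-sha2-nistp256 CONSTRUCTED-ECDSA
sourceware.org,8.43.85.97 ecdsa-sha2-nistp256 CONSTRUCTED-ECDSA
"""
ALIASES = {"8.43.85.97": ["gcc.gnu.org", "sourceware.org"]}

if __name__ == "__main__":
    for name, ip, keytype, ip_line, name_line in find_conflicts(BAD, ALIASES):
        print(f"{keytype} key for {name} (line {name_line}) differs from "
              f"the one for {ip} (line {ip_line})")
```

Once the stale line is identified, `ssh-keygen -R 8.43.85.97` removes every record stored under that address, rather than editing known_hosts by line number.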