review.opendev.org SSH key change?

Dr. Jens Harbott j.harbott at x-ion.de
Sat Aug 1 13:44:21 UTC 2020


On Sat, 1 Aug 2020 at 09:43, Marcin Cieslak <saper at saper.info> wrote:
>
> I have cloned the python-jenkins repo a few days ago and today I am getting this:
>
> > git remote update
> Fetching upstream
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> SHA256:RXNl/GKyDaKiIQ93BoDvrNSKUPFvA1PNeAO9QiirYZU.
> Please contact your system administrator.
> Update the SSHFP RR in DNS with the new host key to get rid of this message.
> > git remote -v
> upstream        ssh://saperski@review.opendev.org:29418/jjb/python-jenkins (fetch)
> upstream        ssh://saperski@review.opendev.org:29418/jjb/python-jenkins (push)
>
> My cached entries are:
>
> [review.opendev.org]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfsIj/jqpI+2CFdjCL6kOiqdORWvxQ2sQbCzSzzmLXic8yVhCCbwarkvEpfUOHG4eyB0vqVZfMffxf0Yy3qjURrsroBCiuJ8GdiAcGdfYwHNfBI0cR6kydBZL537YDasIk0Z3ILzhwf7474LmkVzS7V2tMTb4ZiBS/jUeiHsVp88FZhIBkyhlb/awAGcUxT5U4QBXCAmerYXeB47FPuz9JFOVyF08LzH9JRe9tfXtqaCNhlSdRe/2pPRvn2EIhn5uHWwATACG9MBdrK8xv8LqPOik2w1JkgLWyBj11vDd5I3IjrmREGw8dqImqp0r6MD8rxqADlc1elfDIXYsy+TVH
> review.opendev.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBjjFqbkqLfVKn5vJnKh/LfGGo0gXp/vWlXRs0H91E0X8ce4r8DHLB8PMScHrX/n7c29/DY3FQqSaYsY6o13dFA=
>
> DNS sshfp records:
>
> review.opendev.org.     193     IN      CNAME   review01.opendev.org.
> review01.opendev.org.   276     IN      SSHFP   1 1 4A38DD28E379EA443F8A722D8330EF41754F0D5E
> review01.opendev.org.   276     IN      SSHFP   1 2 4234515B3D59F8BF7E7095BD881F39DB21B97A15511C4B10B7FD0240 25AD93FC
> review01.opendev.org.   276     IN      SSHFP   3 1 382C41E6FFC60CF1939B292FA62879B1918145D4
> review01.opendev.org.   276     IN      SSHFP   3 2 52A81E8DD662F92D903199DBC5068280D33D21D3A8E5BD023FAADD47 99AC1DDF
> review01.opendev.org.   276     IN      SSHFP   4 1 DE5FAA47C38E616ECB2CCC4C30C7E3F788C0927A
> review01.opendev.org.   276     IN      SSHFP   4 2 4BE301BEEC8DCC06C1084BEF1DB1D136686022B7026F678D958E548E 4B7D2FC7
>
> Is everything ok?

The SSHFP records document the keys for the SSH daemon listening on
port 22 used for administrative access to the server, not the keys
used by gerrit. AFAICT there is no way to specify keys for different
ports in DNS, so when accessing gerrit via ssh, you will have to
disable DNS verification in order to get rid of this warning. For
openssh this would mean setting VerifyHostKeyDNS=no (which is also the
default, so likely you must have overridden this somewhere), but I do
get a similar error to yours if I set the option to "yes".

Side note: Please don't clone from review.opendev.org directly but use
our git farm at opendev.org for this, the review site should only be
used for gerrit things, like submitting patches. At opendev.org we
have multiple gitea servers behind a load balancer, allowing us to
scale performance as needed, while gerrit is only a single
instance with limited resources.

Yours
Jens
-- 
Dr. Jens Harbott
E-Mail: j.harbott at x-ion.de

x-ion GmbH
Marschnerstrasse 52
22081 Hamburg

Authorized Managing Director: Martin Bosner
Registration court: Amtsgericht Hamburg
Registration number: HRB  125049
VAT ID No.: DE 265 898 497

Our information obligations pursuant to Art. 12 et seq. of the
General Data Protection Regulation can be found at:
https://www.x-ion.de/de/datenschutz/informationspflichten
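
The comparison behind the warning in this thread, as an added example that is not part of the original messages: it converts the SHA256 fingerprint OpenSSH printed for port 29418 to SSHFP-style hex and checks it against the published RSA records, and can derive both digests from a known_hosts entry. The helper names are hypothetical; the records and fingerprint are copied from the quoted message.

```python
# Added example; helper names are not from OpenSSH or the original thread.
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# RSA records for review01.opendev.org, copied from the quoted message
SSHFP_TEXT = """\
review01.opendev.org.   276     IN      SSHFP   1 1 4A38DD28E379EA443F8A722D8330EF41754F0D5E
review01.opendev.org.   276     IN      SSHFP   1 2 4234515B3D59F8BF7E7095BD881F39DB21B97A15511C4B10B7FD0240 25AD93FC
"""
# Fingerprint printed in the warning for the daemon on port 29418
WARNING_FP = "SHA256:RXNl/GKyDaKiIQ93BoDvrNSKUPFvA1PNeAO9QiirYZU"

def parse_sshfp(text):
    """Return {(algorithm, fp_type): hex digest} from dig-style SSHFP lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if "SSHFP" not in fields:
            continue
        i = fields.index("SSHFP")
        alg, fp_type = int(fields[i + 1]), int(fields[i + 2])
        # dig splits long digests with a space; join the pieces again
        records[(alg, fp_type)] = "".join(fields[i + 3:]).lower()
    return records

def openssh_fp_to_hex(fp):
    """Convert OpenSSH's 'SHA256:<unpadded base64>' form to SSHFP-style hex."""
    kind, _, b64 = fp.partition(":")
    if kind != "SHA256":
        raise ValueError("only SHA256 fingerprints are handled here")
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).hex()

def sshfp_from_known_hosts(line):
    """SSHFP digests (types 1 and 2) for one plain 'host keytype blob' entry."""
    _host, keytype, blob = line.split()[:3]
    raw = base64.b64decode(blob)
    return {(ALGS[keytype], 1): hashlib.sha1(raw).hexdigest(),
            (ALGS[keytype], 2): hashlib.sha256(raw).hexdigest()}

def key_published(alg, fp_hex, records):
    """True if the SHA-256 digest equals the SSHFP record for that algorithm."""
    return records.get((alg, 2)) == fp_hex.lower()

if __name__ == "__main__":
    recs = parse_sshfp(SSHFP_TEXT)
    hex_fp = openssh_fp_to_hex(WARNING_FP)
    print("warning fingerprint published in SSHFP:", key_published(1, hex_fp, recs))
```

SSHFP records carry no port, so a mismatch here only shows that the key on port 29418 is not the one published for the host name; the key still has to be confirmed through a channel the operators publish.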


