Thanks for your added reply, Javier. :)

On 21/12/2006, at 8:32 AM, Javier Fernández-Sanguino Peña wrote:

> On Wed, Dec 20, 2006 at 01:16:45PM +0100, Jens Seidel wrote:
>> Whenever I get complaints about a wrong host key ssh provides also the solution. The message should be similar to: The host key doesn't match the one in ~/.ssh/known_hosts line 111. Just edit this file and remove this affected line containing the old key. During the next connection ssh asks you whether you accept the new connection and adds the new key to known_hosts.
>
> That certainly defeats the usefulness of SSH, doesn't it? How do you know you are not being duped by a MITM [1] attack and providing your password to somebody else?
>
> See http://db.debian.org/doc-hosts.html
>
> As for Alioth, you should check the fingerprint posted at http://lists.debian.org/debian-devel-announce/2006/10/msg00029.html (as described in http://wiki.debian.org/AliothSVN)
>
> If you really want to make sure, you would have to download the GPG/PGP signature and check that the signature belongs to "Roland Mas". That's actually quite tricky to do with the web archives so, if you trust me (and my signature) this should be ok:
>
> Alioth's valid signatures are now these:
>
> 1024 fe:65:bb:fc:43:81:5a:c0:5c:84:b7:cc:62:58:3c:64 ssh_host_dsa_key.pub
> 1024 f7:fa:20:ca:10:15:ad:a4:43:5d:1c:21:fa:10:da:a9 ssh_host_rsa_key.pub
>
> If you see those being presented when you remove the key from your ~/.ssh/known_hosts and connect to the SVN server you are OK.

Yes, that's the fingerprint. I appreciate your warning. I certainly don't want to hand my key out to others.

> BTW, there's a very good (and in depth) article on SSH host key protection for those interested at http://www.securityfocus.com/infocus/1806

Thank you. :) Best of all, my D-I Manual PO files are current.

from Clytie (vi-VN, Vietnamese free-software translation team / nhóm Việt hóa phần mềm tự do)
http://groups-beta.google.com/group/vi-VN
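
The check described in the thread above, comparing the host key a server offers against the published fingerprints before accepting it, written out as an added example (not part of the original messages). The sample key line is constructed and its blob is a placeholder, and the function names `md5_fingerprint` and `host_key_is_pinned` are hypothetical.

```python
import base64
import hashlib
import hmac

# Fingerprints quoted in the message above (MD5, colon-separated hex).
PINNED = {
    "fe:65:bb:fc:43:81:5a:c0:5c:84:b7:cc:62:58:3c:64",  # ssh_host_dsa_key.pub
    "f7:fa:20:ca:10:15:ad:a4:43:5d:1c:21:fa:10:da:a9",  # ssh_host_rsa_key.pub
}

# Key type names that can precede the base64 blob in a key line.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def md5_fingerprint(key_line):
    """Return the MD5 fingerprint of a '.pub' line or a known_hosts line.

    Accepts 'type blob [comment]' and 'hosts type blob [comment]'.
    """
    fields = key_line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                raise ValueError("key blob is not valid base64") from None
            digest = hashlib.md5(blob).hexdigest()
            return ":".join(digest[j:j + 2] for j in range(0, 32, 2))
    raise ValueError("no public key found in line")


def host_key_is_pinned(key_line, pinned=PINNED):
    """True only if the offered key's fingerprint is one of the pinned ones."""
    offered = md5_fingerprint(key_line)
    return any(hmac.compare_digest(offered, p.lower()) for p in pinned)


if __name__ == "__main__":
    # Constructed known_hosts-style line; the blob is a placeholder, not a real key.
    offered = "svn.example.org ssh-rsa YWJj"
    print(md5_fingerprint(offered))
    print("accept" if host_key_is_pinned(offered) else "REJECT: fingerprint not published")
```

Current OpenSSH prints SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f <file>` gives the colon-hex form used in the message.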