This is a heads-up that we are planning to replace the host keys for the Gerrit SSH server at gerrit.wikimedia.org:29418.
The change is planned for Tuesday, July 14th in the PDT morning right after the MediaWiki train, that's around 11:00 UTC.
(https://wikitech.wikimedia.org/wiki/Deployments#Tuesday,_July_14)
The RSA key will be replaced with a longer version and additionally we will start to offer ecdsa_256, ecdsa_384, ecdsa_521 and ed25519.
The service will not be RSA-only anymore, which some users had already reported as an issue.
After the change on Gerrit, your git / git-review / direct ssh commands are expected to fail with errors about mismatched or changed host keys or host identification.
This is expected. You will need to remove the old, no longer used host key, and verify the new one.
To remove the old host key, follow the instructions on screen or consult the manual of your SSH software. Once that is done, retry the command, and you'll be prompted to verify the new host key.
You can find the new keys for verification in this email below and on https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/gerrit.wikimedia.o...
If they match, confirm, and your command should continue. Once you have successfully updated the host key you should no longer see any errors.
If you are running any bots talking to gerrit-ssh please also update their configuration accordingly and restart where needed.
https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/gerrit.wikimedia.o...
ssh_host_rsa_key 2048 SHA256:j9/pXXc9WzjQwYP0t7nlzqH9EBOTw6q7DgcfnamJtsY gerrit-code-review@gerrit1001.wikimedia.org (RSA)
ssh_host_ecdsa_256_key 256 SHA256:58swSiByT+4LVqs30/FqJpEPj+Mwjtn3WJY5hitlEgM gerrit-code-review@gerrit1001.wikimedia.org (ECDSA)
ssh_host_ecdsa_384_key 384 SHA256:vFEVzNGuagPmYiw9EIwBStzd0X+gtprZzOi8vbLxAfc gerrit-code-review@gerrit1001.wikimedia.org (ECDSA)
ssh_host_ecdsa_521_key 521 SHA256:OWb1uenhapK7AFPfEB+NRxgfxhktZ1Q6C5eCy+VbgsY gerrit-code-review@gerrit1001.wikimedia.org (ECDSA)
ssh_host_ed25519_key 256 SHA256:njCmWMsshq3MqQxyIFO36UNwCwzTamXERqylF1XJhd8 gerrit-code-review@gerrit1001.wikimedia.org (ED25519)
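
For bot maintainers who want to check a key non-interactively before trusting it, the following added example (not part of the announcement and not Wikimedia's own tooling) computes the SHA256 fingerprint of a `known_hosts` / `ssh-keyscan` style line and compares it with the fingerprints listed above. The mapping from the listed key names to OpenSSH key type names is an assumption, and the sample key is constructed, so it is expected not to match.

```python
import base64
import hashlib
import hmac
import struct

# Fingerprints from the announcement, keyed by OpenSSH key type name
# (assumed mapping: ecdsa_256 -> ecdsa-sha2-nistp256, and so on).
PUBLISHED = {
    "ssh-rsa": "SHA256:j9/pXXc9WzjQwYP0t7nlzqH9EBOTw6q7DgcfnamJtsY",
    "ecdsa-sha2-nistp256": "SHA256:58swSiByT+4LVqs30/FqJpEPj+Mwjtn3WJY5hitlEgM",
    "ecdsa-sha2-nistp384": "SHA256:vFEVzNGuagPmYiw9EIwBStzd0X+gtprZzOi8vbLxAfc",
    "ecdsa-sha2-nistp521": "SHA256:OWb1uenhapK7AFPfEB+NRxgfxhktZ1Q6C5eCy+VbgsY",
    "ssh-ed25519": "SHA256:njCmWMsshq3MqQxyIFO36UNwCwzTamXERqylF1XJhd8",
}

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_line(line: str, published=PUBLISHED) -> str:
    """Classify one 'host keytype base64' line (known_hosts / ssh-keyscan format)."""
    fields = line.split()
    if len(fields) < 3:
        return "malformed"
    key_type, blob_b64 = fields[1], fields[2]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
    except (ValueError, struct.error):
        return "malformed"
    # The blob starts with its own length-prefixed type name; it must agree
    # with the type declared in the text field.
    if blob[4:4 + n] != key_type.encode():
        return "malformed"
    expected = published.get(key_type)
    if expected is None:
        return "unknown-type"
    return "match" if hmac.compare_digest(fingerprint(blob), expected) else "MISMATCH"

# Constructed sample (not a real Gerrit key): ed25519 blob with dummy key bytes.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE = ("[gerrit.wikimedia.org]:29418 ssh-ed25519 "
          + base64.b64encode(SAMPLE_BLOB).decode())

if __name__ == "__main__":
    print(check_line(SAMPLE))
```

A bot should only write a key to its `known_hosts` when the result is `match`; a `MISMATCH` result should stop the run rather than be overridden.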
TL;DR: the Gerrit host key change is getting postponed. There will be no Gerrit host key change tomorrow on 2020-07-14.
You do not need to take action for now.
The host key change will happen, but at a later time. Once there is a new date, we'll announce it on this list again.
</TLDR>

--------------------------------------------

If you have a service and need help to prepare for the migration or have other specific requirements, please let us know.
Knowing that the Gerrit host key will impact many people, we wanted to give an early heads-up and hence announced 7 days early to give every Gerrit user and every maintainer of a service that uses Gerrit plenty of time to adjust to the host key change.
It turns out that the 7 days have been too optimistic, and for one reason or the other, some services need more time to prepare for the host key switch.
So we would rather re-schedule and give more time than lock users or services out.
If you run a service that talks to Gerrit through SSH, please let us know if you need help with preparing for the change. (We won't re-schedule again :-) )
Also, please let us know if you want to be kept in the loop with the date finding.