Seems it's the only host currently using ECDSA, and the corresponding RR is missing in the DNS. Hence:
jimmy@vangogh:~$ ssh ortelius.toolserver.org @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is 1a:02:b1:fb:19:61:63:ec:29:69:e1:46:fd:fa:21:12. Please contact your system administrator. Update the SSHFP RR in DNS with the new host key to get rid of this message. Last login: Thu Sep 6 12:55:43 2012 from vangogh.jimmyxu Rules: https://wiki.toolserver.org/view/Rules Documentation: https://wiki.toolserver.org/view/Getting_started
This system is a web server, not a login server. You may log into this system for web-related tasks, but tools must not be run here.
Next general maintenance window: Wed, 14.03, 19:00-23-59 UTC.
Your account will expire on Saturday, 10 November 2012. jimmy@ortelius:~$
Hello, At Friday 07 September 2012 16:05:38 DaB. wrote:
Seems it's the only host currently using ECDSA, and the corresponding RR is missing in the DNS. Hence:
all of the solaris-boxes have ECDSA-keys in the addition of DSA and RSA. However as far as I understand rfc4255.txt [1] there is no way to put ECDSA- key-hashes into DNS. So I doubt I can solve it this way. Can you check on your side if you prefer ESDSA in you ssh-config in any way? Because if I connect to ortelius it uses RSA.
Sincerely, DaB.
On Fri, Sep 07, 2012 at 04:11:01PM +0200, DaB. wrote:
However as far as I understand rfc4255.txt [1] there is no way to put ECDSA- key-hashes into DNS.
It's in RFC 6594, but older OpenSSH releases may not be able to generate those hashes using ssh-keygen.
If affected, it would be done by base64 -d the ssh_host_ecdsa_key.pub and put "3 1 `sha1sum of the decoded`" in manually.
Hello again, At Friday 07 September 2012 16:59:17 DaB. wrote:
It's in RFC 6594, but older OpenSSH releases may not be able to generate those hashes using ssh-keygen.
If affected, it would be done by base64 -d the ssh_host_ecdsa_key.pub and put "3 1 `sha1sum of the decoded`" in manually.
ok, done for the userland-servers that have ECDSA (and hemlock for the roots).
Sincerely, DaB.
Jimmy's login banner says:
Next general maintenance window: Wed, 14.03, 19:00-23-59 UTC.
Your account will expire on Saturday, 10 November 2012.
ugh, can we please use ISO8601 here? and be consistent about which format is used? (not have 2 different ones in consecutive lines)
-Jeremy
Hello, At Friday 07 September 2012 17:17:43 DaB. wrote:
ugh, can we please use ISO8601 here? and be consistent about which format is used? (not have 2 different ones in consecutive lines)
as a first step I removed the very old maintenance-announcement.
Sincerely, DaB.
toolserver-l@lists.wikimedia.org