Bug 254926

Summary: Did repo.freebsd.org change host key?
Product: Services Reporter: Mikhail Teterin <mi>
Component: Core InfrastructureAssignee: Cluster Admin <clusteradm>
Status: Closed Overcome By Events    
Severity: Affects Many People CC: philip, zi
Priority: ---    
Version: unspecified   
Hardware: Any   
OS: Any   

Description Mikhail Teterin freebsd_committer freebsd_triage 2021-04-09 19:27:46 UTC 
As of a couple days ago, my nightly svn-updates have stopped working. Running verbose ssh yields:

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:seWO5D27ySURcx4bknTNKlC1mgai0whP443PAKEvvZA
debug1: found 6 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:seWO5D27ySURcx4bknTNKlC1mgai0whP443PAKEvvZA.
Please contact your system administrator.

Is there an MiM-attack? Or did the repository migrate to a new host without migrating the key?

I'm sure, at least some developers will quietly go and edit their known_hosts-files. But some day there will be an attack against the project expecting exactly that behavior...
Comment 1 Philip Paeps freebsd_committer freebsd_triage 2021-04-10 00:17:27 UTC 
As part of the migration to Git, repo.freebsd.org now points to gitrepo.freebsd.org.  If you wish to continue using svn+ssh, you'll need to svn switch to svnrepo.freebsd.org.

We should post something to that effect to developers@.  Thanks for your report.
Comment 2 Mikhail Teterin freebsd_committer freebsd_triage 2021-04-10 00:21:38 UTC 
(In reply to Philip Paeps from comment #1)
> repo.freebsd.org now points to gitrepo.freebsd.org

Why wouldn't you copy the host-key to the new server, if so?
Comment 3 Ryan Steinmetz freebsd_committer freebsd_triage 2021-04-10 16:05:15 UTC 
Separate jail, separate (non-svn) purpose--everything has been transitioned to git.
Comment 4 Mikhail Teterin freebsd_committer freebsd_triage 2021-04-10 18:27:45 UTC 
(In reply to Ryan Steinmetz from comment #3)
> Separate jail, separate (non-svn) purpose--everything has been transitioned to git.

I may be idealizing the past, but I seem to recall there being times, when one could point at how FreeBSD cluster was doing things as an /example/ to others.

Meanwhile, is this a valid response from svnrepo.freebsd.org?

ECDSA key fingerprint is SHA256:ZLqzUfFKUVKYLF/wIuqaeLRTSkKMJWTHEc1tEi34B8g.

Please, confirm -- and be sure to include it in the announcement you're planning to make on developers@... Thank you.
Comment 5 Mikhail Teterin freebsd_committer freebsd_triage 2021-04-10 18:38:00 UTC 
(In reply to Mikhail Teterin from comment #4)
> ECDSA key fingerprint is SHA256:ZLqzUfFKUVKYLF/wIuqaeLRTSkKMJWTHEc1tEi34B8g.

Ok, I was able to confirm this myself -- by connecting from Freefall. The three keys offered by svnrepo.freebsd.org are:

2048 SHA256:ZaUUjV+hewLaa+lkC+ZUvpDPh7xPYz1ivLuILe6L908 svnrepo (RSA)
256 SHA256:ZLqzUfFKUVKYLF/wIuqaeLRTSkKMJWTHEc1tEi34B8g svnrepo (ECDSA)
256 SHA256:ur2dmqEPCovUvbeZ8CC2kf8pO1KpZ555xhQPPjoSIOE svnrepo (ED25519)
Comment 6 Philip Paeps freebsd_committer freebsd_triage 2021-04-11 00:24:33 UTC 
We publish SSHFP records for all hosts in the FreeBSD.org DNS, which is DNSSEC signed.  You can set "VerifyHostKeyDNS" in your .ssh/config to use this mechanism.

You can also consult this file, signed by security-officer@:
https://www.freebsd.org/internal/ssh-keys.asc
which is linked from https://www.freebsd.org/internal/machines/