Bug 254926 - Did repo.freebsd.org change host key?
Status: Closed Overcome By Events
Alias: None
Product: Services
Classification: Unclassified
Component: Core Infrastructure
Version: unspecified
Hardware: Any Any
: --- Affects Many People
Assignee: Cluster Admin
Reported: 2021-04-09 19:27 UTC by Mikhail Teterin
Modified: 2021-04-11 00:24 UTC
Description Mikhail Teterin freebsd_committer 2021-04-09 19:27:46 UTC
As of a couple days ago, my nightly svn-updates have stopped working. Running verbose ssh yields:

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:seWO5D27ySURcx4bknTNKlC1mgai0whP443PAKEvvZA
debug1: found 6 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:seWO5D27ySURcx4bknTNKlC1mgai0whP443PAKEvvZA.
Please contact your system administrator.

Is there an MiM-attack? Or did the repository migrate to a new host without migrating the key?

I'm sure, at least some developers will quietly go and edit their known_hosts-files. But some day there will be an attack against the project expecting exactly that behavior...
Comment 1 Philip Paeps freebsd_committer 2021-04-10 00:17:27 UTC
As part of the migration to Git, repo.freebsd.org now points to gitrepo.freebsd.org.  If you wish to continue using svn+ssh, you'll need to svn switch to svnrepo.freebsd.org.

We should post something to that effect to developers@.  Thanks for your report.
Comment 2 Mikhail Teterin freebsd_committer 2021-04-10 00:21:38 UTC
(In reply to Philip Paeps from comment #1)
> repo.freebsd.org now points to gitrepo.freebsd.org

Why wouldn't you copy the host-key to the new server, if so?
Comment 3 Ryan Steinmetz freebsd_committer freebsd_triage 2021-04-10 16:05:15 UTC
Separate jail, separate (non-svn) purpose--everything has been transitioned to git.
Comment 4 Mikhail Teterin freebsd_committer 2021-04-10 18:27:45 UTC
(In reply to Ryan Steinmetz from comment #3)
> Separate jail, separate (non-svn) purpose--everything has been transitioned to git.

I may be idealizing the past, but I seem to recall there being times, when one could point at how FreeBSD cluster was doing things as an /example/ to others.

Meanwhile, is this a valid response from svnrepo.freebsd.org?

ECDSA key fingerprint is SHA256:ZLqzUfFKUVKYLF/wIuqaeLRTSkKMJWTHEc1tEi34B8g.

Please, confirm -- and be sure to include it in the announcement you're planning to make on developers@... Thank you.
Comment 5 Mikhail Teterin freebsd_committer 2021-04-10 18:38:00 UTC
(In reply to Mikhail Teterin from comment #4)
> ECDSA key fingerprint is SHA256:ZLqzUfFKUVKYLF/wIuqaeLRTSkKMJWTHEc1tEi34B8g.

Ok, I was able to confirm this myself -- by connecting from Freefall. The three keys offered by svnrepo.freebsd.org are:

2048 SHA256:ZaUUjV+hewLaa+lkC+ZUvpDPh7xPYz1ivLuILe6L908 svnrepo (RSA)
256 SHA256:ZLqzUfFKUVKYLF/wIuqaeLRTSkKMJWTHEc1tEi34B8g svnrepo (ECDSA)
256 SHA256:ur2dmqEPCovUvbeZ8CC2kf8pO1KpZ555xhQPPjoSIOE svnrepo (ED25519)
Comment 6 Philip Paeps freebsd_committer 2021-04-11 00:24:33 UTC
We publish SSHFP records for all hosts in the FreeBSD.org DNS, which is DNSSEC signed.  You can set "VerifyHostKeyDNS" in your .ssh/config to use this mechanism.

You can also consult this file, signed by security-officer@:
https://www.freebsd.org/internal/ssh-keys.asc
which is linked from https://www.freebsd.org/internal/machines/
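
Added example (not part of the bug thread or of FreeBSD's tooling): a way to check an offered host key against fingerprints from a trusted source instead of editing known_hosts on sight, and to derive the SSHFP record data that VerifyHostKeyDNS compares against. The sample key is constructed for illustration, and the pinned value is the ED25519 fingerprint as reported in comment 5.

```python
import base64, hashlib, struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479); fingerprint type 2 = SHA-256.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}

def key_blob(pubkey_line):
    """Return (key type, raw blob) from an OpenSSH 'type base64 [comment]' line."""
    ktype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type; reject mismatches.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode("ascii"):
        raise ValueError("key type does not match blob")
    return ktype, blob

def fingerprint(pubkey_line):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    _, blob = key_blob(pubkey_line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def sshfp_rdata(pubkey_line):
    """SSHFP record data '<algorithm> 2 <hex SHA-256>' for the same key."""
    ktype, blob = key_blob(pubkey_line)
    return f"{SSHFP_ALGO[ktype]} 2 {hashlib.sha256(blob).hexdigest()}"

def check(pubkey_line, pinned):
    """Compare an offered key with fingerprints taken from a trusted source."""
    fp = fingerprint(pubkey_line)
    return ("match" if fp in pinned else "MISMATCH"), fp

def constructed_ed25519(seed):
    # Constructed sample key (not a real host key): 32 fixed bytes as the public key.
    blob = (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"

# Fingerprint reported for svnrepo (ED25519) in comment 5; confirm it against the
# signed ssh-keys.asc before relying on it.
PINNED = {"SHA256:ur2dmqEPCovUvbeZ8CC2kf8pO1KpZ555xhQPPjoSIOE"}

if __name__ == "__main__":
    offered = constructed_ed25519(0x41)
    print(check(offered, PINNED))   # the constructed key is not in the pinned set
    print(sshfp_rdata(offered))
```

In the debug output at the top of the report, ssh calls the DNS fingerprints "insecure" because the answer it received was not marked as DNSSEC-validated, so a match found that way does not by itself authenticate the host.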