Ssh hostkey for source.puri.sm changed?

General Privacy & Security
1

I’m receiving this message when trying to fetch from source.puri.sm:

~/code/puri.sm/image-builder$ ssh git@source.puri.sm
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for source.puri.sm has changed,
and the key for the corresponding IP address 143.198.145.103
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:3vmemyMRc0yk1cEXNwfxhAlEIhvMXIZGANPwZd+xY+8.
Please contact your system administrator.
Add correct host key in /home/elektron/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/elektron/.ssh/known_hosts:2719
  remove with:
  ssh-keygen -f "/home/elektron/.ssh/known_hosts" -R "source.puri.sm"
ECDSA host key for source.puri.sm has changed and you have requested strict checking.
Host key verification failed.

I don’t see any other posts on the forum about this or messages on your website about a changing key. Is this safe?

1 Like
2

What makes you think that Purism is offering git via SSH?

I think they are offering it via HTTPS - but maybe you are somehow configured differently and they offer both.

It is not safe until Purism confirms that they changed the host key.

3

Git write access is typically offered using ssh.

The key I’m seeing hasn’t changed in the past month, but it did change a couple months ago.

$ ssh-keyscan source.puri.sm | ssh-keygen -lf -
256 SHA256:8/f6LbJhpqOcwiMx4AhZkggjypGLMaDJBcxkLku8yzg source.puri.sm (ED25519)
3072 SHA256:mQhPKnBrd+BDqL/sDOmK/XZKDBIaC+rzTbs/BSMK6yM source.puri.sm (RSA)
256 SHA256:3vmemyMRc0yk1cEXNwfxhAlEIhvMXIZGANPwZd+xY+8 source.puri.sm (ECDSA)
1 Like
4

Thanks, just looking for confirmation!