DragonFly bugs List (threaded) for 2009-01
Re: sshd appears to be broken when both host rsa and dsa key file present
On Mon, Jan 26, 2009 at 03:05:47PM +0900, YONETANI Tomokazu wrote:
> On Sun, Jan 25, 2009 at 06:50:22PM -0800, Matthew Dillon wrote:
> > I think YONETANI reported this a few months ago, but it just started
> > happening to me when I upgraded pkgbox.
> > Something is ignoring the host DSA key when a host RSA key is presenting,
> > causing a mismatch with a pre-existing known_hosts file.
> > If I were to say 'yes', then RSA host key would be recorded in my
> > known_hosts file.
> > If I remove the RSA host key file on the server and restart sshd, then
> > the client properly negotiates using the DSA host key.
> > Anyone have any ideas?
> > -Matt
> Seems like the import of openssh-5.1 reverted the order of the default
> hostkey algorithm proposal, which has been part of FreeBSD-local
> preferences for many years:
> diff --git a/crypto/openssh-5/myproposal.h b/crypto/openssh-5/myproposal.h
> index 8bdad7b..87a9e58 100644
> --- a/crypto/openssh-5/myproposal.h
> +++ b/crypto/openssh-5/myproposal.h
> @@ -40,7 +40,7 @@
> -#define KEX_DEFAULT_PK_ALG "ssh-dss,ssh-rsa"
> +#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss"
> #define KEX_DEFAULT_ENCRYPT \
> "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
> "arcfour128,arcfour256,arcfour," \
> Note that FreeBSD also got rid of this local change about a month
> earlier than we did:
> So the quick workaround(if you still prefer DSA over RSA) is
> to add the following in /etc/ssh_config on ssh clients
> HostKeyAlgorithms ssh-dsa,ssh-rsa
This should read:
(-dss, not -dsa).
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |