DragonFly bugs List (threaded) for 2009-01
DragonFly BSD
DragonFly bugs List (threaded) for 2009-01
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: sshd appears to be broken when both host rsa and dsa key file present

From: YONETANI Tomokazu <qhwt+dfly@xxxxxxxxxx>
Date: Mon, 26 Jan 2009 15:05:47 +0900

On Sun, Jan 25, 2009 at 06:50:22PM -0800, Matthew Dillon wrote:
>     I think YONETANI reported this a few months ago, but it just started
>     happening to me when I upgraded pkgbox.
>     Something is ignoring the host DSA key when a host RSA key is presenting,
>     causing a mismatch with a pre-existing known_hosts file.
>     If I were to say 'yes', then RSA host key would be recorded in my
>     known_hosts file.
>     If I remove the RSA host key file on the server and restart sshd, then
>     the client properly negotiates using the DSA host key.
>     Anyone have any ideas?
> 						-Matt

Seems like the import of openssh-5.1 reverted the order of the default
hostkey algorithm proposal, which has been part of FreeBSD-local
preferences for many years:
  diff --git a/crypto/openssh-5/myproposal.h b/crypto/openssh-5/myproposal.h
  index 8bdad7b..87a9e58 100644
  --- a/crypto/openssh-5/myproposal.h
  +++ b/crypto/openssh-5/myproposal.h
  @@ -40,7 +40,7 @@
  -#define KEX_DEFAULT_PK_ALG	"ssh-dss,ssh-rsa"
  +#define	KEX_DEFAULT_PK_ALG	"ssh-rsa,ssh-dss"
	  "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
	  "arcfour128,arcfour256,arcfour," \

Note that FreeBSD also got rid of this local change about a month
earlier than we did:

So the quick workaround(if you still prefer DSA over RSA) is
to add the following in /etc/ssh_config on ssh clients

  HostKeyAlgorithms	ssh-dsa,ssh-rsa
or to make it per-user, add the following two lines in ~/.ssh/config
  Host foo		# or use * if you want to apply any hosts
  HostKeyAlgorithms	ssh-dsa,ssh-rsa


[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]