From: Jeremy Chadwick <jdc@parodius.com>
To: freebsd-stable@freebsd.org
Date: Tue, 1 Dec 2009 03:35:47 -0800
Subject: Re: SSH oddness with 8.0-STABLE
Message-ID: <20091201113547.GA26501@icarus.home.lan>
In-Reply-To: <20091201105704.GA93677@osiris.chen.org.nz>

On Tue, Dec 01, 2009 at 11:57:04PM +1300, Jonathan Chen wrote:
> I recently upgraded from 7.2-STABLE to 8.0-STABLE, and I'm
> encountering key-conflict warnings whenever I attempt to ssh to a
> host that I've previously ssh'd into. eg:
>
> WARNING: DSA key found for host xx.yy.zz
> in /home/jonc/.ssh/known_hosts:5
> DSA key fingerprint 5e:cf:fe:9d:c2:1d:6c:77:81:e5:73:ce:cd:bb:55:dc.
>
> The authenticity of host 'xx.yy.zz (nnn.nn.nn.nn)' can't be established
> but keys of different type are already known for this host.
> RSA key fingerprint is
> ce:5b:eb:d3:10:ef:a7:c1:8d:86:06:6e:c6:14:d1:6f.
> Are you sure you want to continue connecting (yes/no)? ^C
>
> After a flurry of panic, where I had to determine whether I had been
> subjected to a man-in-the-middle attack, I verified that this warning
> for all the hosts in my known_hosts file.
>
> Is anyone else seeing this? Is this a known issue?

Can you clarify which system you upgraded to 8.0-STABLE, the client
(where you'd be SSH'ing from) or the server (where you'd be SSH'ing
to)?

Usually the error you're seeing is an indication that either the client
or server changed from DSA to RSA, or vice versa. I don't see anything
in /etc/ssh/ssh_config or /etc/ssh/sshd_config between 7.2-STABLE and
8.0-STABLE which would indicate this changed.

If the 8.0 upgrade was done on the server: if you upgraded the OS
in-place (vs. a full reinstall), did you use mergemaster and
accidentally nuke something you previously had in place? I would look
in /etc/ssh using "ls -lU" to look for any new files which were added
(such as new keys being generated), or just "ls -l" and look for
modification times.

If the 8.0 upgrade was done on the server: if you did a full reinstall
(thus newfs/format), you probably lost the keys generated in /etc/ssh
and therefore "/etc/rc.d/sshd start" created them when first enabled
and run.

I'll note that 7.2-STABLE uses OpenSSH 5.1p1, while 8.0-STABLE uses
OpenSSH 5.2p1. The default cipher changed but I'm pretty sure that
wouldn't cause what you're seeing.

http://www.openssh.com/txt/release-5.2

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |