From owner-freebsd-hackers@FreeBSD.ORG Sat May 19 00:10:00 2012
Date: Fri, 18 May 2012 20:09:54 -0400
From: Jason Hellenthal <jhellenthal@dataix.net>
To: Jason Usher
Cc: freebsd-hackers@freebsd.org
Subject: Re: Need to revert behavior of OpenSSH to the old key order ...
Message-ID: <20120519000954.GA6110@DataIX.net>
In-Reply-To: <1337374681.54894.YahooMailClassic@web122504.mail.ne1.yahoo.com>
References: <20120518011904.GA82007@DataIX.net> <1337374681.54894.YahooMailClassic@web122504.mail.ne1.yahoo.com>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

On Fri, May 18, 2012 at 01:58:01PM -0700, Jason Usher wrote:
> --- On Thu, 5/17/12, Jason Hellenthal wrote:
> > On Thu, May 17, 2012 at 04:26:38PM -0700, Jason Usher wrote:
> > > --- On Thu, 5/17/12, Jason Hellenthal wrote:
> > > > > That is not the standard "key mismatch" error that you
> > > > > assumed it was. Look at it again - it is saying that
> > > > > we do have a key for this server of type DSA, but the client
> > > > > is receiving one of type RSA, etc.
> > > > >
> > > > > The keys are the same - they have not changed at all -
> > > > > they are just being presented to clients in the reverse
> > > > > order, which is confusing them and breaking automated,
> > > > > key-based login.
> > > > >
> > > > > I need to take current ssh server behavior (rsa, then
> > > > > dss) and change it back to the old order (dss, then rsa).
> > > >
> > > > Have you attempted to change that order via sshd_config and
> > > > placing the DSA directive before the RSA one ?
> > >
> > > sshd_config has no such config directive. ssh_config does, but
> > > that's for clients, and I have no way to interact with the clients.
> > >
> > > It would indeed be very nice if this key order, which seems like a
> > > prime candidate for configuration, was a configurable option in
> > > sshd_config, but it is not.
> > >
> > > I am fairly certain that I need to hack up some source files, and I
> > > thought I had it with myproposal.h (see link in OP) but there must
> > > be more, because that small change does not fix things...
> >
> > You don't have any of this in your config ?
> >
> > # HostKey for protocol version 1
> > #HostKey /usr/local/etc/ssh/ssh_host_key
> > # HostKeys for protocol version 2
> > HostKey /usr/local/etc/ssh/ssh_host_rsa_key
> > #HostKey /usr/local/etc/ssh/ssh_host_dsa_key
> > #HostKey /usr/local/etc/ssh/ssh_host_ecdsa_key
>
> Yes, but that doesn't help, for reasons I mentioned earlier.
>
> Simply removing RSA functionality would (of course) cause it to stop
> presenting RSA keys first, but what about clients who (for whatever
> reason, who knows) negotiated RSA keys previously ? Then they would
> break.
>
> This is a very simple requirement:
>
> OpenSSH server used to present keys in the order: DSA first, then RSA.
> I need to get back to that same behavior.
>
> How do I do that ?

Not sure if you missed what I was saying or if I read that correctly.
But have you tried it in this order ?

HostKey /usr/local/etc/ssh/ssh_host_key
HostKey /usr/local/etc/ssh/ssh_host_dsa_key
HostKey /usr/local/etc/ssh/ssh_host_rsa_key
HostKey /usr/local/etc/ssh/ssh_host_ecdsa_key

???

Just for brevity.

-- 
 - (2^(N-1))
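Added example, not part of the thread above and not OpenSSH code: a small probe that shows where "the order the server presents keys in" actually lives. In SSH-2 the server announces its host key types in the server_host_key_algorithms name-list of its KEXINIT message (RFC 4253 section 7.1), so after reordering the HostKey lines in sshd_config the thing to check is that list. The script speaks just enough of the protocol to read it: it exchanges identification strings, unwraps the first (still unencrypted) binary packet and decodes the name-lists. It assumes sshd builds that name-list from its host keys in the order they were loaded, which is what the HostKey reordering above relies on; the hostname, port, and the packet builders used for the offline self-check are mine.

```python
"""Read sshd's KEXINIT and print the host key algorithm order it advertises."""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Name-lists in a KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def _name_list(buf, off):
    """Decode an RFC 4251 name-list: uint32 length, then comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if n else []), off + n


def parse_kexinit(payload):
    """Parse a KEXINIT payload (message byte .. reserved uint32) into {field: [names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off = 1 + 16  # message type byte plus 16-byte random cookie
    out = {}
    for field in KEXINIT_FIELDS:
        out[field], off = _name_list(payload, off)
    if len(payload) - off < 5:  # boolean first_kex_packet_follows + reserved uint32
        raise ValueError("truncated KEXINIT trailer")
    return out


def unwrap_packet(data):
    """Strip RFC 4253 binary-packet framing (no MAC yet: first packet is unencrypted)."""
    if len(data) < 5:
        raise ValueError("short packet")
    (packet_length,) = struct.unpack_from(">I", data, 0)
    padding_length = data[4]
    payload_len = packet_length - padding_length - 1
    if payload_len < 0 or len(data) < 4 + packet_length:
        raise ValueError("malformed packet")
    return data[5:5 + payload_len]


def build_kexinit(fields, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload; inverse of parse_kexinit, used for the offline self-check."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(fields.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)


def wrap_packet(payload, block=8):
    """Frame a payload as an unencrypted binary packet: at least 4 padding bytes, block-aligned."""
    pad = block - ((len(payload) + 5) % block)
    if pad < 4:
        pad += block
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + b"\x00" * pad


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect to sshd, swap identification strings, return (banner, parsed KEXINIT)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = f.readline()
        while banner and not banner.startswith(b"SSH-"):  # skip any pre-banner lines
            banner = f.readline()
        if not banner:
            raise ConnectionError("no SSH identification string received")
        s.sendall(b"SSH-2.0-kexinit_probe\r\n")  # hypothetical client name
        head = f.read(5)
        (packet_length,) = struct.unpack_from(">I", head, 0)
        rest = f.read(packet_length - 1)
        return banner.strip().decode("ascii", "replace"), parse_kexinit(unwrap_packet(head + rest))


if __name__ == "__main__":
    import sys
    banner, kex = fetch_server_kexinit(sys.argv[1] if len(sys.argv) > 1 else "localhost")
    print(banner)
    for algo in kex["server_host_key_algorithms"]:
        print("host key algorithm:", algo)
```

Run it against the server before and after swapping the HostKey lines: the order printed for server_host_key_algorithms is what the client sees. Note that the algorithm actually used is still the first entry of the client's own HostKeyAlgorithms preference that appears in this list, so the server-side order only decides ties that the client leaves open.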