Date:      Tue, 22 May 2012 17:23:34 -0700 (PDT)
From:      Jason Usher <jusher71@yahoo.com>
To:        Ian Lepore <freebsd@damnhippie.dyndns.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Need to revert behavior of OpenSSH to the old key order ...
Message-ID:  <1337732614.39678.YahooMailClassic@web122506.mail.ne1.yahoo.com>
In-Reply-To: <1337713927.1116.40.camel@revolution.hippie.lan>

--- On Tue, 5/22/12, Ian Lepore <freebsd@damnhippie.dyndns.org> wrote:

> Seeing your example config with the commented-out HostKey lines made me
> realize that you probably want to have two HostKey lines, one for the
> protocol v1 key and another for the dsa key for v2.  The 6.x server
> added the v1 key and the v2 dsa key by default, so you could have
> existing clients relying on a v1 key.  Since you now have a HostKey
> statement the new server code won't add the v1 key by default so you'd
> need to be explicit about it.
>
> Based on examining the code, I think this will be safe because the keys
> have different type-names ("rsa1" vs "rsa") so a client wanting to use a
> protocol v2 rsa key won't accidentally match the protocol v1 rsa key
> named in the config file (and it will still match the dsa key).

Well, yes - and after restarting sshd, this was made clear:

Stopping sshd.
Starting sshd.
Disabling protocol version 1. Could not load host key

However, those commented out HostKey lines were always commented out - I did not comment them out.  In fact, my change was to uncomment the last one.

Further, I think the:

/etc/ssh/ssh_host_key

key, for protocol v1, is an RSA key, right?  But you are saying it's an older rsa1 key?

Ok, I will uncomment both lines now, and it will read:

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_dsa_key

I just tried it and it seems to work (no scary key mismatch messages for DSA clients).

Thanks.
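An added example, not part of the thread: a small POSIX sh audit that lists the active HostKey directives in an sshd_config and reports whether a protocol v1 key is explicitly configured, and whether the file has no HostKey line at all (in which case sshd falls back to its built-in default key list, the behaviour Ian describes). It assumes the v1 key is the /etc/ssh/ssh_host_key path named above and classifies keys by file name only; no key files are opened.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit HostKey directives
# in an sshd_config.  Assumption: the protocol v1 (rsa1) key is the file named
# ssh_host_key, as in the thread; everything else is treated as a v2 key.

# Print one line per active HostKey directive: "<path> <v1|v2>".
# Comments are stripped first, so "#HostKey ..." lines are ignored.
list_hostkeys() {
    sed 's/#.*//' "$1" | awk '
        tolower($1) == "hostkey" {
            kind = ($2 ~ /ssh_host_key$/) ? "v1" : "v2"
            print $2, kind
        }'
}

# Summarise as "hostkeys=N v1=N v2=N defaults=yes|no".
# defaults=yes means no HostKey line is present, so sshd uses its built-in
# default list instead of the explicit one; v1>0 means a protocol v1 key is
# configured on purpose, which is worth flagging in a config review.
audit_hostkeys() {
    list_hostkeys "$1" | awk '
        { n++; if ($2 == "v1") v1++; else v2++ }
        END {
            printf "hostkeys=%d v1=%d v2=%d defaults=%s\n",
                   n, v1, v2, (n == 0 ? "yes" : "no")
        }'
}

# Constructed sample config mirroring the final sshd_config fragment above;
# prints the path of a temp file holding it.
make_sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_rsa_key
EOF
    echo "$f"
}
```

Run `audit_hostkeys /etc/ssh/sshd_config` against a real file; the sample config reports `hostkeys=2 v1=1 v2=1 defaults=no`.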