Date: Mon, 21 May 2012 13:17:45 -0400
From: Jason Hellenthal <jhellenthal@dataix.net>
To: Jason Usher <jusher71@yahoo.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Need to revert behavior of OpenSSH to the old key order ...
Message-ID: <20120521171745.GA9418@DataIX.net>
In-Reply-To: <1337617112.24292.YahooMailClassic@web122505.mail.ne1.yahoo.com>
References: <20120517232238.GA91365@DataIX.net> <1337617112.24292.YahooMailClassic@web122505.mail.ne1.yahoo.com>
On Mon, May 21, 2012 at 09:18:32AM -0700, Jason Usher wrote:
> 
> Folks,
> 
> Is there a better list for this - perhaps freebsd-security ?
> 
> I originally posted to -hackers because it *appears* that reverting
> "rsa, then dsa" to "dsa, then rsa" was a simple change to myproposal.h,
> but since that doesn't work, and since I haven't gotten any replies
> here ...
> 
> Thoughts ?

OpenBSD ? http://www.openssh.org/list.html

> 
> --- On Thu, 5/17/12, Jason Hellenthal <jhellenthal@dataix.net> wrote:
> 
> > > > > > I have some old 6.x FreeBSD systems that need their
> > > > > > OpenSSH upgraded.
> > > > > > 
> > > > > > Everything goes just fine, but when I am done, existing
> > > > > > clients are now presented with this message:
> > > > > > 
> > > > > > WARNING: DSA key found for host hostname
> > > > > > in /root/.ssh/known_hosts:12
> > > > > > DSA key fingerprint 4c:29:4b:6e:b8:6b:fa:49.......
> > > > > > 
> > > > > > The authenticity of host 'hostname (10.1.2.3)' can't be established
> > > > > > but keys of different type are already known for this host.
> > > > > > RSA key fingerprint is a3:22:3d:cf:f2:46:09:f2......
> > > > > > Are you sure you want to continue connecting (yes/no)
> > > > > 
> > > > > You must be using different keys for your server than the one that has
> > > > > been generated before the upgrade. Just copy your keys over to the new
> > > > > location and restart the server daemon and you should be fine.
> > > > > 
> > > > > copy /etc/ssh/* -> /usr/local/etc/ssh/
> > > > 
> > > > You didn't read that error message.
> > > 
> > > Sorry I misread that. Deceiving message...
> > > 
> > > > That is not the standard "key mismatch" error that you assumed it
> > > > was. Look at it again - it is saying that we do have a key for this
> > > > server of type DSA, but the client is receiving one of type RSA, etc.
> > > > 
> > > > The keys are the same - they have not changed at all - they are just
> > > > being presented to clients in the reverse order, which is confusing
> > > > them and breaking automated, key-based login.
> > > > 
> > > > I need to take current ssh server behavior (rsa, then dss) and change
> > > > it back to the old order (dss, then rsa).
> > > 
> > > Have you attempted to change that order via sshd_config and placing the
> > > DSA directive before the RSA one ?
> > > 
> > > -- 
> > >  - (2^(N-1))

-- 
 - (2^(N-1))

-----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJPuni4AAoJEBSh2Dr1DU7WVccIALXlcuUwd/2Z8+C5uUqFNXFu
mozYYm9V9Vctxhga2Zi5dygj/Q10952XV1vvEutNTTjmbgDdcFtFo+1uPcLeAbd9
7Hd3fpTweao2OXNwUigIUGkxXFgv0qHvuj+KJYd7RHk5JZI+wMXNll3jc0P1CLmy
j20lPJr3QgzwHgwFLx1Gy8H880u1L9hM5aTA6pbiNdWSr3PywBTiliPAcACxCsRj
/eugtsjGJbB38Ay1X5dDz1tl6tYjPxu/ko0ohIUlwsuwSUUbfPYqrSZh3TiTYTkD
OOeNz/MRYAYYqOlO6OyM2Go5uDridJHLhNubWIOuAn6ZBIekWIb9Qi1z6gCbFYA=
=suFK
-----END PGP SIGNATURE-----
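The thread turns on which host-key type the client ends up checking and which types it already has in known_hosts. The script below is an added example, not code from this thread, from OpenSSH or from FreeBSD. It assumes the negotiation rule of RFC 4253 section 7.1 (the first algorithm on the client's list that the server also supports is chosen, so the server's proposal order is irrelevant once both types are offered) and the two known_hosts host-field formats, plain comma-separated names and the hashed "|1|base64(salt)|base64(HMAC-SHA1(salt, host))" form. The hostnames, key blobs and known_hosts contents are constructed sample data; the function names are this example's own.

```python
"""Added example, not code from the thread, from OpenSSH or from FreeBSD.

Models the two things the thread turns on: which host-key type an SSH
client ends up with, and which types the client already has on file for a
host. Labelled assumptions: the negotiation rule is the one in RFC 4253
section 7.1 (the first algorithm on the *client's* list that the server
also supports is chosen); known_hosts host fields are either plain
comma-separated names or the hashed form
"|1|base64(salt)|base64(HMAC-SHA1(salt, host))".
All hosts, keys and file contents are constructed sample data.
"""
import base64
import hashlib
import hmac


def negotiate_hostkey_alg(client_prefs, server_prefs):
    """RFC 4253 7.1: walk the client's list, take the first type the server
    also offers. The server's own ordering never influences the choice."""
    for alg in client_prefs:
        if alg in server_prefs:
            return alg
    return None


def hash_known_host(hostname, salt):
    """Build the hashed host field written when HashKnownHosts is enabled."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(field, hostname):
    """True if a known_hosts host field (plain or hashed) names hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(mac_b64), actual)
    return hostname in field.split(",")


def known_key_types(known_hosts_text, hostname):
    """Key types already recorded for hostname, in file order, no duplicates."""
    types = []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):        # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) >= 3 and host_matches(parts[0], hostname) \
                and parts[1] not in types:
            types.append(parts[1])
    return types


def prefer_known_types(default_prefs, known_types):
    """Client-side remedy: move the types already on file to the front and
    keep the default order for the rest. This is the list to put in
    HostKeyAlgorithms in ssh_config for that host."""
    known = [a for a in default_prefs if a in known_types]
    rest = [a for a in default_prefs if a not in known_types]
    return known + rest


# Constructed sample data: the client only has a DSA key for "hostname".
SAMPLE_KNOWN_HOSTS = """\
hostname,10.1.2.3 ssh-dss AAAAB3NzaC1kc3MAAACBconstructed
otherhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed
"""
CLIENT_DEFAULT = ["ssh-rsa", "ssh-dss"]


def demo(known_hosts_text=SAMPLE_KNOWN_HOSTS, hostname="hostname"):
    """Reproduce the thread's situation and the two candidate fixes."""
    known = known_key_types(known_hosts_text, hostname)
    return {
        # upgraded sshd offers RSA and DSA; an unchanged client picks RSA and
        # hits the "keys of different type are already known" prompt
        "upgraded_server": negotiate_hostkey_alg(CLIENT_DEFAULT,
                                                 ["ssh-rsa", "ssh-dss"]),
        # reordering the server's proposal (myproposal.h / HostKey order)
        # changes nothing, because the client's list is walked first
        "server_reordered": negotiate_hostkey_alg(CLIENT_DEFAULT,
                                                  ["ssh-dss", "ssh-rsa"]),
        # reordering the client's preference to favour known types does
        "client_reordered": negotiate_hostkey_alg(
            prefer_known_types(CLIENT_DEFAULT, known), ["ssh-rsa", "ssh-dss"]),
    }


if __name__ == "__main__":
    for case, alg in demo().items():
        print("%-17s -> %s" % (case, alg))
```

Run stand-alone it shows the RSA-before-DSA outcome surviving a server-side reorder and flipping to DSA only when the client's preference list is reordered; that is the practical reading of "a simple change to myproposal.h ... doesn't work" on the server. For the prompt quoted in the thread the safe manual step is the same idea: confirm the DSA fingerprint still matches the known_hosts entry before accepting the server's RSA key, rather than answering yes on sight. `host_matches` deliberately ignores `[host]:port` syntax and wildcard patterns, which real known_hosts files may contain.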
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120521171745.GA9418>
