From owner-freebsd-hackers@FreeBSD.ORG Mon May 21 17:17:51 2012
From: Jason Hellenthal <jhellenthal@dataix.net>
To: Jason Usher
Cc: freebsd-hackers@freebsd.org
Date: Mon, 21 May 2012 13:17:45 -0400
Subject: Re: Need to revert behavior of OpenSSH to the old key order ...
Message-ID: <20120521171745.GA9418@DataIX.net>
In-Reply-To: <1337617112.24292.YahooMailClassic@web122505.mail.ne1.yahoo.com>
References: <20120517232238.GA91365@DataIX.net> <1337617112.24292.YahooMailClassic@web122505.mail.ne1.yahoo.com>
List-Id: Technical Discussions relating to FreeBSD

On Mon, May 21, 2012 at 09:18:32AM -0700, Jason Usher wrote:
>
> Folks,
>
> Is there a better list for this - perhaps freebsd-security ?
>
> I originally posted to -hackers because it *appears* that reverting "rsa, then dsa" to "dsa, then rsa" was a simple change to myproposal.h, but since that doesn't work, and since I haven't gotten any replies here ...
>
> Thoughts ?

OpenBSD ? http://www.openssh.org/list.html

>
> --- On Thu, 5/17/12, Jason Hellenthal wrote:
>
> > > > > I have some old 6.x FreeBSD systems that need their
> > > > > OpenSSH upgraded.
> > > > >
> > > > > Everything goes just fine, but when I am done, existing
> > > > > clients are now presented with this message:
> > > > >
> > > > >
> > > > > WARNING: DSA key found for host hostname
> > > > > in /root/.ssh/known_hosts:12
> > > > > DSA key fingerprint 4c:29:4b:6e:b8:6b:fa:49.......
> > > > >
> > > > > The authenticity of host 'hostname (10.1.2.3)' can't be
> > > > > established
> > > > > but keys of different type are already known for this
> > > > > host.
> > > > > RSA key fingerprint is a3:22:3d:cf:f2:46:09:f2......
> > > > > Are you sure you want to continue connecting (yes/no)
> > > > >
> > > >
> > > > You must be using different keys for your server than the
> > > > one that has been generated before the upgrade. Just copy your
> > > > keys over to the new location and restart the server daemon
> > > > and you should be fine.
> > > >
> > > > copy /etc/ssh/* -> /usr/local/etc/ssh/
> > >
> > >
> > > You didn't read that error message.
> >
> > Sorry I misread that. Deceiving message...
> >
> > >
> > > That is not the standard "key mismatch" error that you
> > > assumed it was.  Look at it again - it is saying that
> > > we do have a key for this server of type DSA, but the client
> > > is receiving one of type RSA, etc.
> > >
> > > The keys are the same - they have not changed at all -
> > > they are just being presented to clients in the reverse
> > > order, which is confusing them and breaking automated,
> > > key-based login.
> > >
> > > I need to take current ssh server behavior (rsa, then
> > > dss) and change it back to the old order (dss, then rsa).
> >
> > Have you attempted to change that order via sshd_config and
> > placing the DSA directive before the RSA one ?
> >
> >
> > --
> >
> > - (2^(N-1))
> >

-- 

- (2^(N-1))
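Editor's note (added example, not code from this thread or from the OpenSSH project). The warning quoted above fires on the client side: ssh already holds a DSA key for the host in known_hosts, is now offered an RSA key first, and stops to ask, which is what breaks unattended logins. Which key type gets used is settled during key exchange by the client's own preference list (the HostKeyAlgorithms option in ssh_config), so a change on the server alone does not decide it. The defensive fix on the client side is to make sure known_hosts records both key types for each host before the upgrade, so no prompt appears. The script below audits a known_hosts file for that: it parses plain, comma-separated and hashed (|1|salt|hash) host fields, lists which key types are recorded for a host with their MD5 fingerprints in the colon form the warning prints (so the fingerprint in the warning can be compared against the stored entry), and lists the entries that are known by a DSA key only. The known_hosts content, the key blobs and the salt are constructed for the example; the blobs have the right SSH string envelope but made-up key bytes, and 'hostname' / 10.1.2.3 are taken from the warning above.

```python
"""Audit an OpenSSH known_hosts file for the key types it records per host.

Added example for this thread, not mailing-list or OpenSSH code. Handles
plain, comma-separated and hashed (|1|salt|hash) host fields and skips the
@cert-authority / @revoked marker lines.
"""
import base64
import hashlib
import hmac
import sys
from typing import Dict, List, Set, Tuple


def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Host field as written with 'HashKnownHosts yes':
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_field_matches(field: str, hostname: str) -> bool:
    """True if the host field covers hostname (plain names, alias lists and
    hashed fields; wildcard patterns and '!' negations are not handled)."""
    if field.startswith("|1|"):
        parts = field.split("|")
        if len(parts) != 4:
            return False
        try:
            salt = base64.b64decode(parts[2])
            expected = base64.b64decode(parts[3])
        except ValueError:
            return False
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in field.split(",")


def fingerprint_md5(key_b64: str) -> str:
    """MD5 of the decoded key blob, colon-separated like '4c:29:4b:6e:...'."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_known_hosts(text: str) -> List[Tuple[str, str, str]]:
    """(host_field, key_type, key_b64) for each ordinary key line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            continue  # @cert-authority / @revoked lines are not plain host keys
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; ssh ignores such lines as well
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def key_types_for_host(text: str, hostname: str) -> Dict[str, str]:
    """key type -> MD5 fingerprint for every entry that covers hostname."""
    found: Dict[str, str] = {}
    for host_field, key_type, key_b64 in parse_known_hosts(text):
        if host_field_matches(host_field, hostname):
            found[key_type] = fingerprint_md5(key_b64)
    return found


def single_type_hosts(text: str, key_type: str = "ssh-dss") -> List[str]:
    """Host fields whose only recorded key is key_type. Once a server offers
    RSA first, these are the entries that trigger the 'keys of different type
    are already known for this host' prompt."""
    by_field: Dict[str, Set[str]] = {}
    for host_field, ktype, _ in parse_known_hosts(text):
        by_field.setdefault(host_field, set()).add(ktype)
    return sorted(f for f, types in by_field.items() if types == {key_type})


def fake_blob(key_type: str) -> str:
    """Constructed base64 blob: SSH string envelope, made-up key bytes."""
    wire = len(key_type).to_bytes(4, "big") + key_type.encode() + b"constructed-key-material"
    return base64.b64encode(wire).decode()


# Constructed sample (not from the thread): 'hostname' / 10.1.2.3 mirror the
# warning and are known by a DSA key only; the others show a hashed host and
# a revoked marker line. The salt is 20 bytes, as ssh writes it.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# known_hosts on a client before the server upgrade",
    "hostname,10.1.2.3 ssh-dss " + fake_blob("ssh-dss"),
    hashed_host_entry("other.example.net", b"0123456789abcdefghij") + " ssh-rsa " + fake_blob("ssh-rsa"),
    "@revoked oldbox.example.net ssh-rsa " + fake_blob("ssh-rsa"),
])


def report(text: str, hostname: str) -> str:
    """One-line summary of what known_hosts records for hostname."""
    types = key_types_for_host(text, hostname)
    if not types:
        return "%s: no key recorded" % hostname
    return "%s: %s" % (hostname, ", ".join("%s %s" % kv for kv in sorted(types.items())))


if __name__ == "__main__":
    # Usage: python known_hosts_audit.py [path-to-known_hosts] hostname
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_KNOWN_HOSTS
    host = sys.argv[-1] if len(sys.argv) > 1 else "hostname"
    print(report(text, host))
    print("entries known by ssh-dss only:", single_type_hosts(text))
```

Run against the sample, 'hostname' shows only ssh-dss and is listed as a DSA-only entry; appending a line with the server's RSA key (for example via ssh-keyscan -t rsa, checked against a fingerprint obtained out of band) makes both types known and the prompt no longer has a reason to appear. Hashed hosts cannot be listed by name, so for those the hashed field itself is reported.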