From: Jason Usher
To: Garance A Drosehn
Cc: freebsd-hackers@FreeBSD.org
Date: Mon, 21 May 2012 14:26:27 -0700 (PDT)
Subject: Re: Need to revert behavior of OpenSSH to the old key order ...
In-Reply-To: <4FBA7CA2.5080703@FreeBSD.org>
Message-ID: <1337635587.57757.YahooMailClassic@web122503.mail.ne1.yahoo.com>

--- On Mon, 5/21/12, Garance A Drosehn wrote:

>    But have you tried it in this order?
>
>    HostKey /usr/local/etc/ssh/ssh_host_key
>    HostKey /usr/local/etc/ssh/ssh_host_dsa_key
>    HostKey /usr/local/etc/ssh/ssh_host_rsa_key
>    HostKey /usr/local/etc/ssh/ssh_host_ecdsa_key
>
> Which is to say, have your sshd_config file list multiple
> hostkeys, and then restart sshd after making that change?
> I tried a similar change and it seemed to have some effect
> on what clients saw when connecting, but I can't tell if
> it has the effect that you want.

The order of HostKey directives in sshd_config does not change the actual order. In newer implementations, RSA is provided first, no matter how you configure the sshd_config.

As I mentioned before, removing RSA completely is sort of a fix, but I can't do that because some people might actually be explicitly using RSA, and they would all break.

Anyone?
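Since, as the message above says, the HostKey order in sshd_config does not control which key type a client ends up being shown, an administrator in this position has to assume clients may see any of the configured key types. A defensive step is to inventory every host key the server publishes, record the fingerprint each client would display for it, and check that the type declared on each line agrees with the type embedded in the key blob itself. The following Python script is an added example written for this page; it is not code from the thread, from FreeBSD or from OpenSSH. The host name, the key lines and the key material are constructed dummies (not real or valid keys), used only so the parser has input to run on offline. The SHA256 fingerprint is rendered the way `ssh-keygen -l` prints it (unpadded base64 of the digest), and the MD5 form is the older colon-separated hex that pre-6.8 OpenSSH clients showed.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def build_blob(key_type: bytes, *fields: bytes) -> bytes:
    """Build an OpenSSH public-key blob: the type string followed by its fields."""
    return b"".join(ssh_string(part) for part in (key_type,) + fields)


# Constructed sample blobs (dummy integers, NOT real or valid key material).
SAMPLE_RSA_BLOB = build_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00\xc3\x5f\x29\x11\x7e\xa1\x03")
SAMPLE_DSS_BLOB = build_blob(b"ssh-dss", b"\x00\xb7", b"\x00\xe3", b"\x02", b"\x05")


def pubkey_line(prefix: str, blob: bytes, comment: str = "") -> str:
    """Render a blob as a key-file / known_hosts / ssh-keyscan style line."""
    return f"{prefix} {base64.b64encode(blob).decode()} {comment}".rstrip()


# Constructed inventory resembling ssh-keyscan output for one host, plus one
# deliberately inconsistent line whose declared type does not match its blob.
SAMPLE_LINES = [
    "# host.example.invalid SSH-2.0-OpenSSH",
    pubkey_line("host.example.invalid ssh-rsa", SAMPLE_RSA_BLOB),
    pubkey_line("host.example.invalid ssh-dss", SAMPLE_DSS_BLOB),
    pubkey_line("host.example.invalid ssh-dss", SAMPLE_RSA_BLOB),  # mismatch
]

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-")


def blob_key_type(blob: bytes) -> str:
    """Return the key type string stored as the first field of the blob."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + length:
        raise ValueError("truncated key type field")
    return blob[4:4 + length].decode("ascii")


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: unpadded base64 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy MD5 fingerprint: colon-separated hex, as older clients print it."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_line(line: str):
    """Parse one public-key line in key-file, known_hosts or ssh-keyscan layout.

    Returns (host, declared_type, blob, comment), or None for blank/comment lines.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if fields[0].startswith("@"):  # known_hosts marker, e.g. @cert-authority
        fields = fields[1:]
    if fields and fields[0].startswith(KEY_TYPE_PREFIXES):
        host, type_idx = None, 0  # plain key file: "type base64 comment"
    else:
        host, type_idx = fields[0], 1  # known_hosts/keyscan: "host type base64"
    if len(fields) < type_idx + 2:
        raise ValueError(f"malformed key line: {line!r}")
    declared = fields[type_idx]
    blob = base64.b64decode(fields[type_idx + 1], validate=True)
    comment = " ".join(fields[type_idx + 2:])
    return host, declared, blob, comment


def inventory(lines):
    """Summarise each key line: both fingerprints and a declared-vs-embedded check."""
    results = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, declared, blob, _comment = parsed
        embedded = blob_key_type(blob)
        results.append({
            "host": host,
            "declared": declared,
            "embedded": embedded,
            "consistent": declared == embedded,
            "sha256": fingerprint_sha256(blob),
            "md5": fingerprint_md5(blob),
        })
    return results


if __name__ == "__main__":
    for entry in inventory(SAMPLE_LINES):
        flag = "" if entry["consistent"] else "  <-- declared type != blob type"
        print(f"{entry['host']} {entry['declared']} {entry['sha256']} {entry['md5']}{flag}")
```

In practice the lines would come from `ssh-keyscan <host>` or from the server's own `ssh_host_*_key.pub` files, so the published fingerprints for every key type can be handed to users before a change, and a client that reports a host-key change can be matched against the list instead of being blindly accepted.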