Date: Tue, 01 Dec 2009 11:43:23 +0000
To: freebsd-stable@freebsd.org, freebsd@jdc.parodius.com
In-Reply-To: <20091201113547.GA26501@icarus.home.lan>
From: Pete French
Subject: Re: SSH oddness with 8.0-STABLE

> Usually the error you're seeing is an indication that either the client or
> server changed from DSA to RSA, or vice-versa. I don't see anything in
> /etc/ssh/ssh_config or /etc/ssh/sshd_config between 7.2-STABLE and
> 8.0-STABLE which would indicate this changed.

There is, however, a note in /usr/src/UPDATING about this precise effect. Viz:

20080801:
        OpenSSH has been upgraded to 5.1p1.

        For many years, FreeBSD's version of OpenSSH preferred DSA
        over RSA for host and user authentication keys. With this
        upgrade, we've switched to the vendor's default of RSA over
        DSA. This may cause upgraded clients to warn about unknown
        host keys even for previously known hosts. Users should
        follow the usual procedure for verifying host keys before
        accepting the RSA key.

        This can be circumvented by setting the "HostKeyAlgorithms"
        option to "ssh-dss,ssh-rsa" in ~/.ssh/config or on the ssh
        command line.

        Please note that the sequence of keys offered for
        authentication has been changed as well. You may want to
        specify IdentityFile in a different order to revert this
        behavior.
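
An added example, not part of the original message or of FreeBSD: a small shell function that reads a known_hosts file and lists the hosts recorded only with a DSA (ssh-dss) key, which are the hosts where an upgraded client preferring RSA will report an unknown host key. The function names and the sample entries are constructed for illustration, and it assumes unhashed entries (hashed "|1|" lines are skipped because the host name cannot be recovered from them).

```shell
#!/bin/sh
# Hosts that have an ssh-dss entry but no ssh-rsa entry in known_hosts.
# For these, a client that now prefers RSA is offered a key it has never
# recorded, so the RSA fingerprint must be verified out of band first.

dsa_only_hosts() {
    # Reads known_hosts content on stdin, prints one host name per line.
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
        $1 ~ /^@/ { next }                   # @cert-authority / @revoked markers
        substr($1, 1, 3) == "|1|" { next }   # hashed entry: name not recoverable
        {
            # Field 1 is a comma-separated host list, field 2 the key type.
            n = split($1, names, ",")
            for (k = 1; k <= n; k++) {
                if ($2 == "ssh-dss") dsa[names[k]] = 1
                if ($2 == "ssh-rsa") rsa[names[k]] = 1
            }
        }
        END {
            for (name in dsa)
                if (!(name in rsa)) print name
        }
    ' | LC_ALL=C sort
}

# Constructed sample input; the key blobs are placeholders, not real keys.
sample_known_hosts() {
    cat <<'EOF'
# constructed sample known_hosts
old.example.org,192.0.2.10 ssh-dss AAAAB3PLACEHOLDERDSA1
both.example.org ssh-dss AAAAB3PLACEHOLDERDSA2
both.example.org ssh-rsa AAAAB3PLACEHOLDERRSA2
new.example.org ssh-rsa AAAAB3PLACEHOLDERRSA3
|1|PLACEHOLDERSALT=|PLACEHOLDERHASH= ssh-dss AAAAB3PLACEHOLDERDSA4
EOF
}

# With a file argument, check that file; otherwise run on the sample.
if [ $# -gt 0 ]; then
    dsa_only_hosts < "$1"
else
    sample_known_hosts | dsa_only_hosts
fi
```

For each host it prints, compare the server's RSA host key fingerprint over a trusted channel before accepting it, or pin the old order for that host with the HostKeyAlgorithms setting quoted above.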