From owner-freebsd-stable@FreeBSD.ORG Tue Dec 1 11:55:25 2009
Date: Tue, 1 Dec 2009 03:55:18 -0800
From: Jeremy Chadwick
To: Pete French
Cc: freebsd-stable@freebsd.org
Subject: Re: SSH oddness with 8.0-STABLE
Message-ID: <20091201115518.GA27115@icarus.home.lan>
References: <20091201113547.GA26501@icarus.home.lan>
User-Agent: Mutt/1.5.20 (2009-06-14)
List-Id: Production branch of FreeBSD source code

On Tue, Dec 01, 2009 at 11:43:23AM +0000, Pete French wrote:
> > Usually the error you're seeing is an indication that either the client or
> > server changed from DSA to RSA, or vice-versa.  I don't see anything in
> > /etc/ssh/ssh_config or /etc/ssh/sshd_config between 7.2-STABLE and
> > 8.0-STABLE which would indicate this changed.
>
> There is, however, a note in /usr/src/UPDATING about this precise
> effect.  Viz:
>
> 20080801:
>     OpenSSH has been upgraded to 5.1p1.
>
>     For many years, FreeBSD's version of OpenSSH preferred DSA
>     over RSA for host and user authentication keys.  With this
>     upgrade, we've switched to the vendor's default of RSA over
>     DSA.  This may cause upgraded clients to warn about unknown
>     host keys even for previously known hosts.  Users should
>     follow the usual procedure for verifying host keys before
>     accepting the RSA key.
>
>     This can be circumvented by setting the "HostKeyAlgorithms"
>     option to "ssh-dss,ssh-rsa" in ~/.ssh/config or on the ssh
>     command line.
>
>     Please note that the sequence of keys offered for
>     authentication has been changed as well.  You may want to
>     specify IdentityFile in a different order to revert this
>     behavior.

This would indicate the OP was running a 7.2-STABLE system which was
built prior to 2008/08/01 (with some variance; sometimes the commit
times do not match the timestamp in src/UPDATING), or a system which
had not had mergemaster run on it to populate the changes into
/etc/ssh.

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
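The UPDATING entry quoted in the message above says the RSA-over-DSA switch makes a client warn about an "unknown" host key for a host it already knows under ssh-dss, and that the key should still be verified before it is accepted. The script below is an added example, not code from the message, from FreeBSD, or from OpenSSH: it reads a known_hosts file and reports whether an offered key type is already recorded for the host, is a type switch (the host is known only under another key type, the UPDATING case), or belongs to a genuinely new host, and prints the fingerprints to compare out of band. The hostnames, the known_hosts contents and the key blobs are constructed toy data; the code handles plain, comma-separated and hashed (`|1|...`) host fields only, not the `[host]:port` or wildcard forms. Python was chosen so that the known_hosts parsing and the hashed-host HMAC check run stand-alone, without ssh-keygen.

```python
"""Added example: distinguish a host-key TYPE switch (DSA recorded, RSA now
offered) from a genuinely unknown host by reading known_hosts, and print
fingerprints for out-of-band verification. Toy data, not real keys."""
import base64
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for n >= 0; a leading 0x00 is added when the high bit
    is set so the value is not read back as negative."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_blob(key_type: bytes, *numbers: int) -> bytes:
    """Wire-format public key blob: type string, then its mpints
    (e, n for ssh-rsa; p, q, g, y for ssh-dss). Constructed toy values."""
    return ssh_string(key_type) + b"".join(ssh_mpint(x) for x in numbers)


def blob_key_type(blob: bytes) -> str:
    """First string inside the blob; must agree with the known_hosts type column."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 hex fingerprint, the form OpenSSH 5.x printed."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256:<unpadded base64>, the form newer OpenSSH prints."""
    raw = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(raw).decode().rstrip("=")


def hash_host(host: str, salt: bytes) -> str:
    """Hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, host: str) -> bool:
    """True if a plain, comma-separated or hashed host field names host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")


def known_key_types(known_hosts: str, host: str) -> dict:
    """Map key type -> (md5, sha256) fingerprints for every entry naming host.
    @cert-authority/@revoked lines are skipped; a blob whose embedded type
    disagrees with the type column is rejected as corrupt."""
    found = {}
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        hosts, key_type, blob = parts[0], parts[1], base64.b64decode(parts[2])
        if not host_matches(hosts, host):
            continue
        if blob_key_type(blob) != key_type:
            raise ValueError("type column %r does not match blob for %s" % (key_type, host))
        found[key_type] = (fingerprint_md5(blob), fingerprint_sha256(blob))
    return found


def classify(known_hosts: str, host: str, offered_type: str) -> str:
    """'known' if host/type is recorded, 'type-switch' if the host is known
    only under another key type (the UPDATING case), else 'new-host'."""
    known = known_key_types(known_hosts, host)
    if offered_type in known:
        return "known"
    return "type-switch" if known else "new-host"


# Constructed sample data (toy numbers, not real keys; hostnames made up).
SALT = bytes(range(20))
RSA_BLOB = make_blob(b"ssh-rsa", 65537, 0xC0FFEE1234567890ABCDEF)
DSS_BLOB = make_blob(b"ssh-dss", 0xFEDCBA98, 0x1234ABCD, 2, 0x9876543210)
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "alpha.example,10.0.0.5 ssh-dss " + base64.b64encode(DSS_BLOB).decode(),
    hash_host("beta.example", SALT) + " ssh-dss " + base64.b64encode(DSS_BLOB).decode(),
    "beta.example ssh-rsa " + base64.b64encode(RSA_BLOB).decode(),
])

if __name__ == "__main__":
    for host in ("alpha.example", "beta.example", "gamma.example"):
        print(host, "ssh-rsa ->", classify(SAMPLE_KNOWN_HOSTS, host, "ssh-rsa"))
        for key_type, (md5, sha256) in known_key_types(SAMPLE_KNOWN_HOSTS, host).items():
            print("   recorded", key_type, md5, sha256)
    # A "type-switch" result explains the warning but does not verify the new
    # key: compare the RSA fingerprint ssh shows with `ssh-keygen -lf
    # /etc/ssh/ssh_host_rsa_key.pub` run on the server over a trusted channel.
```

A "type-switch" result only explains why the warning appeared; the RSA key still has to be checked against the fingerprint obtained from the server itself (console, or a session that was already verified) before it is accepted, and the `HostKeyAlgorithms ssh-dss,ssh-rsa` workaround from UPDATING merely postpones that check by keeping the client on the old key. Hashed entries are matched with a constant-time HMAC comparison, and an entry whose type column disagrees with the blob is treated as corrupt rather than silently trusted.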