Date: Thu, 17 May 2012 18:17:09 -0400 From: Jason Hellenthal <jhellenthal@dataix.net> To: Jason Usher <jusher71@yahoo.com> Cc: freebsd-hackers@freebsd.org Subject: Re: Need to revert behavior of OpenSSH to the old key order ... Message-ID: <20120517221709.GA47168@DataIX.net> In-Reply-To: <1337289423.15300.YahooMailClassic@web122503.mail.ne1.yahoo.com> References: <1337289423.15300.YahooMailClassic@web122503.mail.ne1.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--9jxsPFA5p3P2qPhR Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, May 17, 2012 at 02:17:03PM -0700, Jason Usher wrote: > I have some old 6.x FreeBSD systems that need their OpenSSH upgraded. >=20 > Everything goes just fine, but when I am done, existing clients are now p= resented with this message: >=20 >=20 > WARNING: DSA key found for host hostname > in /root/.ssh/known_hosts:12 > DSA key fingerprint 4c:29:4b:6e:b8:6b:fa:49....... >=20 > The authenticity of host 'hostname (10.1.2.3)' can't be established > but keys of different type are already known for this host. > RSA key fingerprint is a3:22:3d:cf:f2:46:09:f2...... > Are you sure you want to continue connecting (yes/no) >=20 You must be using different keys for your server than the one that has been generated before the upgrade. Just copy your keys over to the new location and restart the server daemon and you should be fine. copy /etc/ssh/* -> /usr/local/etc/ssh/ >=20 > And as you can imagine, existing automated jobs now all fail. >=20 > I have no control over the clients.? Assume the clients cannot be touched= at all. >=20 > So, the good news is, this appears to have been discussed/documented here: >=20 > http://www.mail-archive.com/bugs@crater.dragonflybsd.org/msg04860.html >=20 > ... but I'm afraid that changing that line in myproposal.h BACK TO ssh-ds= s,ssh-rsa does not solve the problem.? I did indeed make that change to myp= roposal.h, manually, and then build the openssh-portable port, but the beha= vior persists. >=20 > If I simply REMOVE the RSA keys, the error goes away, and existing DSA-us= ing clients no longer bomb out, but this is NOT a good solution for two rea= sons: >=20 > 1. anytime I HUP, or start sshd, it's going to create new RSA keys for me >=20 > 2. It's possible that some clients out there really have been using RSA a= ll along (who knows) and now they are completely broken, since RSA is not t= here at all. >=20 > I'm more than happy to muck around in the source with further little edit= s, just like I did with myproposal.h, but I have no idea what they would be. >=20 > Can anyone help me "make new ssh behave like old one" ? >=20 > Thanks. >=20 > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" --=20 - (2^(N-1)) --9jxsPFA5p3P2qPhR Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJPtXjkAAoJEBSh2Dr1DU7WacoIAKt4D9JBDM53SFKhqSsrKqMu neb49B0tmSo1JgNTDHOm6Yix1tuWExxIhXjXihroUZL8EYuzNRsLGoaDdO7+Gb3Q JXoojO6MMBA1SCYOpbFqTKl9WhX+U2uhxuuqerXNwtRGoev1pu8dw7blUgZMX9X2 QnXE1TfD1PY1qtQZixqCiZFlmphzpZW53ouOUQPn7rjY9cRsBFZuw2wriDtvBOg+ HntuIFFP032EM8yIPp43izZDOW2Y5MIfNHF+98f+1S00WGEwxkiPBJc2DwF0F/Og RGwGrgZ66BB2q8i7N5TBE4JOcJbV8GstqxyPdR0548EDG/egXAr0so5oeyMH9ik= =qMpP -----END PGP SIGNATURE----- --9jxsPFA5p3P2qPhR--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120517221709.GA47168>