Date: Thu, 17 May 2012 18:17:09 -0400
From: Jason Hellenthal <jhellenthal@DataIX.net>
To: Jason Usher
Cc: freebsd-hackers@freebsd.org
Subject: Re: Need to revert behavior of OpenSSH to the old key order ...
Message-ID: <20120517221709.GA47168@DataIX.net>
In-Reply-To: <1337289423.15300.YahooMailClassic@web122503.mail.ne1.yahoo.com>

On Thu, May 17, 2012 at 02:17:03PM -0700, Jason Usher wrote:
> I have some old 6.x FreeBSD systems that need their OpenSSH upgraded.
>
> Everything goes just fine, but when I am done, existing clients are now presented with this message:
>
>
> WARNING: DSA key found for host hostname
> in /root/.ssh/known_hosts:12
> DSA key fingerprint 4c:29:4b:6e:b8:6b:fa:49.......
>
> The authenticity of host 'hostname (10.1.2.3)' can't be established
> but keys of different type are already known for this host.
> RSA key fingerprint is a3:22:3d:cf:f2:46:09:f2......
> Are you sure you want to continue connecting (yes/no)
>

You must be using different keys for your server than the ones that were
generated before the upgrade. Just copy your keys over to the new
location and restart the server daemon and you should be fine.

copy /etc/ssh/* -> /usr/local/etc/ssh/

>
> And as you can imagine, existing automated jobs now all fail.
>
> I have no control over the clients. Assume the clients cannot be touched at all.
>
> So, the good news is, this appears to have been discussed/documented here:
>
> http://www.mail-archive.com/bugs@crater.dragonflybsd.org/msg04860.html
>
> ... but I'm afraid that changing that line in myproposal.h BACK TO ssh-dss,ssh-rsa does not solve the problem. I did indeed make that change to myproposal.h, manually, and then build the openssh-portable port, but the behavior persists.
>
> If I simply REMOVE the RSA keys, the error goes away, and existing DSA-using clients no longer bomb out, but this is NOT a good solution for two reasons:
>
> 1. anytime I HUP, or start sshd, it's going to create new RSA keys for me
>
> 2. It's possible that some clients out there really have been using RSA all along (who knows) and now they are completely broken, since RSA is not there at all.
>
> I'm more than happy to muck around in the source with further little edits, just like I did with myproposal.h, but I have no idea what they would be.
>
> Can anyone help me "make new ssh behave like old one" ?
>
> Thanks.
-- 
- (2^(N-1))
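As an added example (not code from the thread or from the OpenSSH project), a POSIX sh version of the migration the reply suggests: copy the base-system host keys into the port's directory so the upgraded sshd presents the same DSA and RSA keys clients already trust, refusing to overwrite a differing key already present there, plus a helper that lists which key types a known_hosts file has recorded for a host. Paths are parameters so it can be tried on scratch directories first; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: migrate existing sshd host keys from SRC (e.g. /etc/ssh)
# to DST (e.g. /usr/local/etc/ssh) so the upgraded daemon keeps the same
# host identity and clients see no "key changed" / "different type" warning.
migrate_host_keys() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { echo "no source dir: $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    for key in "$src"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        base=$(basename "$key")
        # Refuse to clobber a different key at the destination: silently
        # replacing it would change the host identity a second time.
        if [ -f "$dst/$base" ] && ! cmp -s "$key" "$dst/$base"; then
            echo "refusing to overwrite differing $dst/$base" >&2
            return 2
        fi
        cp -p "$key" "$dst/$base" || return 1
        chmod 600 "$dst/$base"            # private key: owner only
        if [ -f "$key.pub" ]; then
            cp -p "$key.pub" "$dst/$base.pub" || return 1
            chmod 644 "$dst/$base.pub"    # public half may be world-readable
        fi
    done
    return 0
}

# List the key types (field 2: ssh-dss, ssh-rsa, ...) a known_hosts file
# holds for HOST. The warning quoted above appears when the server offers
# a type that is not among these. Hashed (|1|...) entries are not matched.
known_host_key_types() {
    host="$1"; file="$2"
    awk -v h="$host" '$1 !~ /^#/ {
        n = split($1, names, ",")
        for (i = 1; i <= n; i++) if (names[i] == h) print $2
    }' "$file"
}
```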