Date: Thu, 17 May 2012 19:22:38 -0400
From: Jason Hellenthal
To: Jason Usher
Cc: freebsd-hackers@freebsd.org
Subject: Re: Need to revert behavior of OpenSSH to the old key order ...
Message-ID: <20120517232238.GA91365@DataIX.net>
In-Reply-To: <1337295971.82236.YahooMailClassic@web122505.mail.ne1.yahoo.com>
References: <20120517221709.GA47168@DataIX.net> <1337295971.82236.YahooMailClassic@web122505.mail.ne1.yahoo.com>

On Thu, May 17, 2012 at 04:06:11PM -0700, Jason Usher wrote:
>
> --- On Thu, 5/17/12, Jason Hellenthal wrote:
>
> > On Thu, May 17, 2012 at 02:17:03PM -0700, Jason Usher wrote:
> > > I have some old 6.x FreeBSD systems that need their OpenSSH upgraded.
> > >
> > > Everything goes just fine, but when I am done, existing clients are now presented with this message:
> > >
> > > WARNING: DSA key found for host hostname
> > > in /root/.ssh/known_hosts:12
> > > DSA key fingerprint 4c:29:4b:6e:b8:6b:fa:49.......
> > >
> > > The authenticity of host 'hostname (10.1.2.3)' can't be established
> > > but keys of different type are already known for this host.
> > > RSA key fingerprint is a3:22:3d:cf:f2:46:09:f2......
> > > Are you sure you want to continue connecting (yes/no)
> >
> > You must be using different keys for your server than the one that has been generated before the upgrade. Just copy your keys over to the new location and restart the server daemon and you should be fine.
> >
> > copy /etc/ssh/* -> /usr/local/etc/ssh/
>
> You didn't read that error message.

Sorry I misread that. Deceiving message...

> That is not the standard "key mismatch" error that you assumed it was. Look at it again - it is saying that we do have a key for this server of type DSA, but the client is receiving one of type RSA, etc.
>
> The keys are the same - they have not changed at all - they are just being presented to clients in the reverse order, which is confusing them and breaking automated, key-based login.
>
> I need to take current ssh server behavior (rsa, then dss) and change it back to the old order (dss, then rsa).

Have you attempted to change that order via sshd_config and placing the DSA directive before the RSA one ?

--
 - (2^(N-1))
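The prompt quoted in this thread appears when a client's known_hosts records only a DSA key for a server that now offers its RSA key first. As an added example that is not part of the thread, the following Python helper (function names and the sample known_hosts content are constructed for illustration) parses known_hosts, lists hosts that lack an RSA entry, and builds the line to append so automated logins keep working without depending on the server's key order.

```python
from typing import Dict, List

# Constructed sample known_hosts content (not from the thread). The host
# "hostname" has only a DSA key recorded, which is exactly the state that
# triggers "keys of different type are already known for this host".
SAMPLE_KNOWN_HOSTS = """\
hostname,10.1.2.3 ssh-dss AAAAB3NzaC1kc3MAAACBAPlaceholderDsaKeyData=
other.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholderRsa=
other.example.org ssh-dss AAAAB3NzaC1kc3MAAACBAPlaceholderDsaKeyData2=
|1|hashedsaltplaceholder=|hashedhostplaceholder= ssh-rsa AAAAB3NzaPlaceholder=
# comment line
"""


def parse_known_hosts(text: str) -> Dict[str, Dict[str, str]]:
    """Map each host pattern to {key type: key blob}.

    Hashed entries (HashKnownHosts yes, lines starting with '|1|') cannot be
    matched back to a hostname without the salt, so they are kept under
    their literal hash token and ignored by hosts_missing_type().
    """
    hosts: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # A leading @cert-authority / @revoked marker shifts the fields by one.
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            continue  # malformed line; sshd would ignore it too
        patterns, ktype, blob = fields[0], fields[1], fields[2]
        for pattern in patterns.split(","):
            hosts.setdefault(pattern, {})[ktype] = blob
    return hosts


def hosts_missing_type(hosts: Dict[str, Dict[str, str]],
                       wanted: str = "ssh-rsa") -> List[str]:
    """Hosts with some key recorded but no key of type `wanted`."""
    return sorted(h for h, keys in hosts.items()
                  if wanted not in keys and not h.startswith("|1|"))


def add_key_line(hostname: str, pubkey_line: str) -> str:
    """Build the known_hosts entry for a server public key file's contents
    (e.g. ssh_host_rsa_key.pub), dropping any trailing comment."""
    ktype, blob = pubkey_line.split()[:2]
    return f"{hostname} {ktype} {blob}"
```

Run it against each client's ~/.ssh/known_hosts before upgrading the servers to see which hosts will prompt, then append the RSA entry for each one.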