Date: Thu, 17 May 2012 21:19:04 -0400
From: Jason Hellenthal
To: Jason Usher
Cc: freebsd-hackers@freebsd.org
Subject: Re: Need to revert behavior of OpenSSH to the old key order ...
Message-ID: <20120518011904.GA82007@DataIX.net>
References: <20120517232238.GA91365@DataIX.net> <1337297198.76003.YahooMailClassic@web122503.mail.ne1.yahoo.com>
In-Reply-To: <1337297198.76003.YahooMailClassic@web122503.mail.ne1.yahoo.com>
List-Id: Technical Discussions relating to FreeBSD

On Thu, May 17, 2012 at 04:26:38PM -0700, Jason Usher wrote:
> 
> --- On Thu, 5/17/12, Jason Hellenthal wrote:
> 
> > That is not the standard "key mismatch" error that you assumed it
> > was. Look at it again - it is saying that we do have a key for this
> > server of type DSA, but the client is receiving one of type RSA, etc.
> > 
> > The keys are the same - they have not changed at all - they are just
> > being presented to clients in the reverse order, which is confusing
> > them and breaking automated, key-based login.
> > 
> > I need to take current ssh server behavior (rsa, then dss) and
> > change it back to the old order (dss, then rsa).
> > 
> > Have you attempted to change that order via sshd_config and placing
> > the DSA directive before the RSA one?
> 
> sshd_config has no such config directive. ssh_config does, but that's
> for clients, and I have no way to interact with the clients.
> 
> It would indeed be very nice if this key order, which seems like a
> prime candidate for configuration, was a configurable option in
> sshd_config, but it is not.
> 
> I am fairly certain that I need to hack up some source files, and I
> thought I had it with myproposal.h (see link in OP), but there must be
> more, because that small change does not fix things...

You don't have any of this in your config?

# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/local/etc/ssh/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh/ssh_host_dsa_key
#HostKey /usr/local/etc/ssh/ssh_host_ecdsa_key

-- 
 - (2^(N-1))
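An added check, not part of the thread above and not code from either poster: a small POSIX shell script that lists which HostKey directives an sshd_config actually enables and in what order sshd reads them, which is what the suggestion to put the DSA directive before the RSA one turns on. The config file is constructed inline for the example; the /usr/local/etc/ssh paths follow the FreeBSD ports layout quoted in the reply, and mapping a file name to a key type by its ssh_host_<type>_key suffix is an assumption that holds for OpenSSH's default names but not for arbitrary paths.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report the HostKey
# directives sshd will load from an sshd_config, in file order.
# The config below is constructed for this example; the paths assume the
# FreeBSD ports layout (/usr/local/etc/ssh).
set -eu

cfg=$(mktemp)
cat >"$cfg" <<'EOF'
# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/local/etc/ssh/ssh_host_dsa_key
  HostKey /usr/local/etc/ssh/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh/ssh_host_ecdsa_key
EOF

# Print the active (uncommented) HostKey paths in order of appearance.
# Keywords in sshd_config are case-insensitive, so compare lower-cased;
# a leading '#' makes $1 "#HostKey", which correctly fails to match.
hostkey_order() {
    awk 'tolower($1) == "hostkey" { print $2 }' "$1"
}

# Derive the key type from the conventional file-name suffix.
# Assumption: files follow OpenSSH's ssh_host_<type>_key naming.
hostkey_types() {
    hostkey_order "$1" | while IFS= read -r path; do
        case "$path" in
            *_rsa_key)   echo rsa ;;
            *_dsa_key)   echo dsa ;;
            *_ecdsa_key) echo ecdsa ;;
            *)           echo unknown ;;
        esac
    done
}

# One-line summary of the configured types, e.g. "dsa rsa".
hostkey_summary() {
    set -- $(hostkey_types "$1")   # word-split; type names contain no spaces
    echo "$*"
}

# Exit 0 if a host key of the given type is configured at all.
offers_type() {
    hostkey_types "$1" | grep -qx "$2"
}

printf 'HostKey order: %s\n' "$(hostkey_summary "$cfg")"
if ! offers_type "$cfg" dsa; then
    echo "warning: no DSA host key configured; clients that only know" \
         "this host's DSA key will see a host key type mismatch" >&2
fi
```

Where sshd is installed, `sshd -T -f <file>` dumps the parsed configuration (including the hostkey lines) and is the authoritative way to confirm what the daemon itself reads. One caveat a practitioner should keep in mind when trying this on a live server: under RFC 4253 section 7.1 the host key algorithm chosen is the first entry on the client's name-list that the server also offers, so when both a DSA and an RSA key are configured the client's HostKeyAlgorithms preference decides which one is used, and the server-side order mainly matters for which keys are offered at all.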