From: Jason Usher
To: Jason Hellenthal
Cc: freebsd-hackers@freebsd.org
Subject: Re: Need to revert behavior of OpenSSH to the old key order ...
Date: Thu, 17 May 2012 16:06:11 -0700 (PDT)
Message-ID: <1337295971.82236.YahooMailClassic@web122505.mail.ne1.yahoo.com>
In-Reply-To: <20120517221709.GA47168@DataIX.net>
List-Id: Technical Discussions relating to FreeBSD

--- On Thu, 5/17/12, Jason Hellenthal wrote:

> On Thu, May 17, 2012 at 02:17:03PM -0700, Jason Usher wrote:
> > I have some old 6.x FreeBSD systems that need their OpenSSH upgraded.
> >
> > Everything goes just fine, but when I am done, existing clients are now
> > presented with this message:
> >
> >
> > WARNING: DSA key found for host hostname
> > in /root/.ssh/known_hosts:12
> > DSA key fingerprint 4c:29:4b:6e:b8:6b:fa:49.......
> >
> > The authenticity of host 'hostname (10.1.2.3)' can't be established
> > but keys of different type are already known for this host.
> > RSA key fingerprint is a3:22:3d:cf:f2:46:09:f2......
> > Are you sure you want to continue connecting (yes/no)
> >
>
> You must be using different keys for your server than the one that has
> been generated before the upgrade. Just copy your keys over to the new
> location and restart the server daemon and you should be fine.
>
> copy /etc/ssh/* -> /usr/local/etc/ssh/

You didn't read that error message. That is not the standard "key mismatch" error that you assumed it was. Look at it again - it is saying that we do have a key for this server of type DSA, but the client is receiving one of type RSA, etc.

The keys are the same - they have not changed at all - they are just being presented to clients in the reverse order, which is confusing them and breaking automated, key-based login.

I need to take current ssh server behavior (rsa, then dss) and change it back to the old order (dss, then rsa).
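Added example (not part of the thread, and not OpenSSH's own code): the prompt quoted above is what an ssh client prints when the host key type it negotiated (here RSA) differs from the type it already has in known_hosts (here DSA). Whichever side changed the order, the type that gets used is the first entry of the client's HostKeyAlgorithms list that the server has a key for, so the order can be pinned from the client side. The script below reads an unhashed known_hosts, lists which key types are already trusted for a host, builds a HostKeyAlgorithms list that puts those types first, and emits an ssh_config(5) stanza for it. The known_hosts file, host names and key blobs are constructed placeholders; the default list "ssh-rsa ssh-dss" mirrors the client default of the OpenSSH versions under discussion and is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from OpenSSH.
# Assumptions: unhashed known_hosts lines "name[,alias...] keytype base64 [comment]";
# '@cert-authority' / '@revoked' marker lines and hashed '|1|...' entries are
# skipped (hashed entries cannot be matched by name without the salt/HMAC step).

# Print the key types (e.g. ssh-dss) stored for HOST in FILE, one per line,
# in file order. A "[host]:port" entry only matches if HOST is given that way.
known_key_types() {
    host=$1; file=$2
    awk -v h="$host" '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        substr($1, 1, 1) == "@" { next }       # @cert-authority / @revoked markers
        substr($1, 1, 3) == "|1|" { next }     # hashed entries: no name to compare
        {
            n = split($1, names, ",")          # "hostname,10.1.2.3" style aliases
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $2; break }
        }' "$file"
}

# Build the HostKeyAlgorithms list for HOST: types already in FILE first
# (keeping the default order among them), then the remaining defaults.
# DEFAULTS is an assumption mirroring the old client default "ssh-rsa,ssh-dss".
preferred_hostkey_algs() {
    host=$1; file=$2
    defaults="ssh-rsa ssh-dss"
    known=$(known_key_types "$host" "$file")
    first=""; rest=""
    for alg in $defaults; do
        if printf '%s\n' "$known" | grep -qx "$alg"; then
            first="$first $alg"
        else
            rest="$rest $alg"
        fi
    done
    # join the two space-separated lists into one comma-separated list
    printf '%s\n' "$first $rest" |
        awk '{ for (i = 1; i <= NF; i++) printf "%s%s", (i > 1 ? "," : ""), $i; printf "\n" }'
}

# Emit an ssh_config(5) stanza pinning that preference for HOST, so the client
# keeps negotiating the key type it already trusts instead of prompting.
config_stanza() {
    host=$1; file=$2
    printf 'Host %s\n    HostKeyAlgorithms %s\n' \
        "$host" "$(preferred_hostkey_algs "$host" "$file")"
}

# Constructed sample known_hosts (placeholder blobs, not real keys). The DSA
# line plays the role of the known_hosts:12 entry from the warning above.
SAMPLE_KNOWN_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_KNOWN_HOSTS"' EXIT
cat > "$SAMPLE_KNOWN_HOSTS" <<'EOF'
# constructed sample, not a real known_hosts
otherhost ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholder-rsa-other
hostname,10.1.2.3 ssh-dss AAAAB3NzaC1kc3MAAAAplaceholder-dsa-hostname
[hostname]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholder-rsa-hostname-2222
|1|saltplaceholder=|hashplaceholder= ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholder-hashed
EOF

# For "hostname" only a DSA key is known, so DSA is put first:
config_stanza hostname "$SAMPLE_KNOWN_HOSTS"
```

The same preference can be given for a single connection with `ssh -o HostKeyAlgorithms=ssh-dss,ssh-rsa hostname`. The other way out of the prompt is to record the server's RSA key as well, e.g. with `ssh-keyscan -t rsa hostname >> ~/.ssh/known_hosts`, after checking its fingerprint against the server out of band; that path is the durable one, since OpenSSH 7.0 and later disable ssh-dss host keys by default, so a client pinned to DSA stops working once it is upgraded.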