Date:      Thu, 17 May 2012 16:06:11 -0700 (PDT)
From:      Jason Usher <jusher71@yahoo.com>
To:        Jason Hellenthal <jhellenthal@dataix.net>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Need to revert behavior of OpenSSH to the old key order ...
Message-ID:  <1337295971.82236.YahooMailClassic@web122505.mail.ne1.yahoo.com>
In-Reply-To: <20120517221709.GA47168@DataIX.net>



--- On Thu, 5/17/12, Jason Hellenthal <jhellenthal@dataix.net> wrote:

> On Thu, May 17, 2012 at 02:17:03PM -0700, Jason Usher wrote:
> > I have some old 6.x FreeBSD systems that need their OpenSSH upgraded.
> > 
> > Everything goes just fine, but when I am done, existing clients are now presented with this message:
> > 
> > 
> > WARNING: DSA key found for host hostname
> > in /root/.ssh/known_hosts:12
> > DSA key fingerprint 4c:29:4b:6e:b8:6b:fa:49.......
> > 
> > The authenticity of host 'hostname (10.1.2.3)' can't be established
> > but keys of different type are already known for this host.
> > RSA key fingerprint is a3:22:3d:cf:f2:46:09:f2......
> > Are you sure you want to continue connecting (yes/no)
> > 
> 
> You must be using different keys for your server than the one that has
> been generated before the upgrade. Just copy your keys over to the new
> location and restart the server daemon and you should be fine.
> 
> copy /etc/ssh/* -> /usr/local/etc/ssh/


You didn't read that error message.

That is not the standard "key mismatch" error that you assumed it was.  Look at it again - it is saying that we do have a key for this server of type DSA, but the client is receiving one of type RSA, etc.

The keys are the same - they have not changed at all - they are just being presented to clients in the reverse order, which is confusing them and breaking automated, key-based login.

I need to take current ssh server behavior (rsa, then dss) and change it back to the old order (dss, then rsa).
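
The following is an added example, not part of the original message: it parses a constructed known_hosts sample and lists the entries that hold a key for a host but none of the type the server now presents, which is the condition the quoted warning reports. The function names, sample entries and placeholder key blobs are assumptions made for illustration.

```python
# Added example: audit a known_hosts file for entries that would hit the
# "keys of different type are already known" warning quoted in the message.
# All entries below are constructed; key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample
hostname,10.1.2.3 ssh-dss PLACEHOLDER_KEY_BLOB
otherhost ssh-rsa PLACEHOLDER_KEY_BLOB
otherhost ssh-dss PLACEHOLDER_KEY_BLOB
@cert-authority *.example.org ssh-rsa PLACEHOLDER_KEY_BLOB
|1|c2FsdA==|aGFzaA== ssh-dss PLACEHOLDER_KEY_BLOB
"""


def known_key_types(text):
    """Map each host pattern in known_hosts text to the key types stored for it."""
    types = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Skip @cert-authority / @revoked marker lines and malformed lines.
        if fields[0].startswith("@") or len(fields) < 3:
            continue
        hosts, keytype = fields[0], fields[1]
        # One line may list several names/addresses separated by commas.
        # Hashed names (|1|salt|hash) stay opaque and are reported as-is.
        for host in hosts.split(","):
            types.setdefault(host, set()).add(keytype)
    return types


def type_mismatch_hosts(text, presented_type):
    """Hosts with a stored key, but none of the type the server presents."""
    return sorted(
        host
        for host, stored in known_key_types(text).items()
        if presented_type not in stored
    )


if __name__ == "__main__":
    # A server presenting an RSA key to clients that only recorded DSA.
    for host in type_mismatch_hosts(SAMPLE_KNOWN_HOSTS, "ssh-rsa"):
        print("only other key types known for:", host)
```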


