From: Jason Usher <jusher71@yahoo.com>
To: Jason Hellenthal
Cc: freebsd-hackers@freebsd.org
Date: Fri, 18 May 2012 13:58:01 -0700 (PDT)
Subject: Re: Need to revert behavior of OpenSSH to the old key order ...
Message-ID: <1337374681.54894.YahooMailClassic@web122504.mail.ne1.yahoo.com>
In-Reply-To: <20120518011904.GA82007@DataIX.net>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

--- On Thu, 5/17/12, Jason Hellenthal wrote:

> On Thu, May 17, 2012 at 04:26:38PM -0700, Jason Usher wrote:
> >
> > --- On Thu, 5/17/12, Jason Hellenthal wrote:
> >
> > > > That is not the standard "key mismatch" error that you
> > > > assumed it was. Look at it again - it is saying that
> > > > we do have a key for this server of type DSA, but the client
> > > > is receiving one of type RSA, etc.
> > > >
> > > > The keys are the same - they have not changed at all -
> > > > they are just being presented to clients in the reverse
> > > > order, which is confusing them and breaking automated,
> > > > key-based login.
> > > >
> > > > I need to take current ssh server behavior (rsa, then
> > > > dss) and change it back to the old order (dss, then rsa).
> > >
> > > Have you attempted to change that order via sshd_config and
> > > placing the DSA directive before the RSA one ?
> >
> > sshd_config has no such config directive. ssh_config does, but
> > that's for clients, and I have no way to interact with the clients.
> >
> > It would indeed be very nice if this key order, which seems like
> > a prime candidate for configuration, was a configurable option in
> > sshd_config, but it is not.
> >
> > I am fairly certain that I need to hack up some source files, and
> > I thought I had it with myproposal.h (see link in OP) but there
> > must be more, because that small change does not fix things...
>
> You don't have any of this in your config ?
>
> # HostKey for protocol version 1
> #HostKey /usr/local/etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> HostKey /usr/local/etc/ssh/ssh_host_rsa_key
> #HostKey /usr/local/etc/ssh/ssh_host_dsa_key
> #HostKey /usr/local/etc/ssh/ssh_host_ecdsa_key

Yes, but that doesn't help, for reasons I mentioned earlier.

Simply removing RSA functionality would (of course) cause it to stop presenting RSA keys first, but what about clients who (for whatever reason, who knows) negotiated RSA keys previously ? Then they would break.

This is a very simple requirement:

OpenSSH server used to present keys in the order: DSA first, then RSA. I need to get back to that same behavior.

How do I do that ?
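The failure mode the thread describes is a client that has a host recorded under one key type (DSA) while the server now presents another type (RSA) first. The following is an added illustration, not code from the original thread: it audits a known_hosts file against the key-type order each server now offers and flags hosts that will hit this mismatch. The sample known_hosts and offered lists are constructed; the key blobs are placeholders, and gathering the real offered types with `ssh-keyscan -t rsa,dsa host` is an assumption about the operator's workflow.

```python
# Added illustration for the thread above (not code from the original post).
# Assumption: OFFERED lists the host key types a server now presents, first
# entry preferred, e.g. collected with `ssh-keyscan -t rsa,dsa host`.
# Sample data is constructed; the key blobs below are placeholders.

KNOWN_HOSTS = """\
# constructed sample known_hosts
server1.example.com ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDER
server2.example.com,10.0.0.2 ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDER
server2.example.com,10.0.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER
|1|SALTPLACEHOLDER=|HASHPLACEHOLDER= ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER
"""

# Order the upgraded sshd presents: RSA before DSA (the thread's complaint).
OFFERED = {
    "server1.example.com": ["ssh-rsa", "ssh-dss"],
    "server2.example.com": ["ssh-rsa", "ssh-dss"],
    "server3.example.com": ["ssh-rsa", "ssh-dss"],
}


def parse_known_hosts(text):
    """Map each plain hostname/IP to the set of key types recorded for it."""
    # Hashed ("|1|") entries cannot be matched by name without the salt, and
    # @cert-authority/@revoked markers are not plain host keys: both skipped.
    recorded = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@":
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        for name in fields[0].split(","):
            recorded.setdefault(name, set()).add(fields[1])
    return recorded


def audit(recorded, offered):
    """Classify each server by whether its first-offered key type is known:
    "ok" = preferred type recorded; "mismatch-risk" = host known only under
    another type (clients get a key-type mismatch); "unknown" = no entry."""
    result = {}
    for host, algs in offered.items():
        types = recorded.get(host, set())
        if algs[0] in types:
            result[host] = "ok"
        else:
            result[host] = "mismatch-risk" if types else "unknown"
    return result
```

Hosts reported as "mismatch-risk" are the ones whose clients need the newly preferred key type added to known_hosts before the server-side order change reaches them.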