Date: Fri, 18 May 2012 13:58:01 -0700 (PDT)
From: Jason Usher <jusher71@yahoo.com>
To: Jason Hellenthal <jhellenthal@dataix.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Need to revert behavior of OpenSSH to the old key order ...
Message-ID: <1337374681.54894.YahooMailClassic@web122504.mail.ne1.yahoo.com>
In-Reply-To: <20120518011904.GA82007@DataIX.net>
--- On Thu, 5/17/12, Jason Hellenthal <jhellenthal@dataix.net> wrote:

> On Thu, May 17, 2012 at 04:26:38PM -0700, Jason Usher wrote:
> >
> > --- On Thu, 5/17/12, Jason Hellenthal <jhellenthal@dataix.net> wrote:
> >
> > > > That is not the standard "key mismatch" error that you assumed it was. Look at it again - it is saying that we do have a key for this server of type DSA, but the client is receiving one of type RSA, etc.
> > > >
> > > > The keys are the same - they have not changed at all - they are just being presented to clients in the reverse order, which is confusing them and breaking automated, key-based login.
> > > >
> > > > I need to take current ssh server behavior (rsa, then dss) and change it back to the old order (dss, then rsa).
> > >
> > > Have you attempted to change that order via sshd_config and placing the DSA directive before the RSA one ?
> >
> > sshd_config has no such config directive. ssh_config does, but that's for clients, and I have no way to interact with the clients.
> >
> > It would indeed be very nice if this key order, which seems like a prime candidate for configuration, was a configurable option in sshd_config, but it is not.
> >
> > I am fairly certain that I need to hack up some source files, and I thought I had it with myproposal.h (see link in OP) but there must be more, because that small change does not fix things...
>
> You don't have any of this in your config ?
>
> # HostKey for protocol version 1
> #HostKey /usr/local/etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> HostKey /usr/local/etc/ssh/ssh_host_rsa_key
> #HostKey /usr/local/etc/ssh/ssh_host_dsa_key
> #HostKey /usr/local/etc/ssh/ssh_host_ecdsa_key

Yes, but that doesn't help, for reasons I mentioned earlier.

Simply removing RSA functionality would (of course) cause it to stop presenting RSA keys first, but what about clients who (for whatever reason, who knows) negotiated RSA keys previously ? Then they would break.

This is a very simple requirement:

OpenSSH server used to present keys in the order: DSA first, then RSA. I need to get back to that same behavior.

How do I do that ?
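The "order in which the server presents keys" that this thread is about is carried on the wire in the server_host_key_algorithms name-list of the server's SSH_MSG_KEXINIT message (RFC 4253, section 7.1); the client picks the first host key type from that list that it also supports, which is why a reordered list makes a client that has a DSA key cached suddenly receive an RSA key. The following added example (not code from the thread or from OpenSSH) builds two constructed KEXINIT payloads, one advertising ssh-rsa before ssh-dss and one the other way round, and parses the name-lists back out. Pointed at a real captured KEXINIT payload, parse_kexinit lets an administrator see exactly what order a server advertises instead of inferring it from client-side error messages. The cipher, MAC and KEX names in the builder are fixed sample values, not a claim about what any particular sshd offers.

```python
"""Build and parse SSH_MSG_KEXINIT payloads (RFC 4253 section 7.1) to show the
server_host_key_algorithms order a server advertises to its clients."""
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists follow the 16-byte cookie in this fixed order.
NAME_LIST_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def _encode_name_list(names):
    # name-list: uint32 byte length followed by comma-separated US-ASCII names
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def build_kexinit(host_key_algs, cookie=b"\x00" * 16):
    """Constructed KEXINIT payload; only the host key list varies between samples."""
    lists = {
        "kex_algorithms": ["diffie-hellman-group14-sha1"],
        "server_host_key_algorithms": list(host_key_algs),
        "encryption_algorithms_client_to_server": ["aes128-ctr"],
        "encryption_algorithms_server_to_client": ["aes128-ctr"],
        "mac_algorithms_client_to_server": ["hmac-sha1"],
        "mac_algorithms_server_to_client": ["hmac-sha1"],
        "compression_algorithms_client_to_server": ["none"],
        "compression_algorithms_server_to_client": ["none"],
        "languages_client_to_server": [],
        "languages_server_to_client": [],
    }
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LIST_FIELDS:
        payload += _encode_name_list(lists[field])
    payload += b"\x00"               # boolean first_kex_packet_follows
    payload += struct.pack(">I", 0)  # uint32 reserved for future extension
    return payload


def parse_kexinit(payload):
    """Return the name-lists of a KEXINIT payload as {field: [names]}.

    Raises ValueError on a wrong message type or a truncated payload, so a
    partial capture is reported rather than silently misread."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # skip message type byte and cookie
    result = {}
    for field in NAME_LIST_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT before %s" % field)
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list %s" % field)
        pos += length
        # An empty name-list (length 0) means no names, not one empty name.
        result[field] = raw.decode("ascii").split(",") if raw else []
    return result


def host_key_order(payload):
    """The host key algorithms in the order the server offers them."""
    return parse_kexinit(payload)["server_host_key_algorithms"]


# Constructed samples: the order the poster sees now, and the order he wants back.
CURRENT_SERVER = build_kexinit(["ssh-rsa", "ssh-dss"])
OLD_SERVER = build_kexinit(["ssh-dss", "ssh-rsa"])

if __name__ == "__main__":
    print("current order:", host_key_order(CURRENT_SERVER))
    print("old order    :", host_key_order(OLD_SERVER))
```

A client compares this list against its own preferences and against the key type it already has in known_hosts; checking the advertised list on both the old and the new server build is the quickest way to confirm whether a change to the host key configuration or to myproposal.h actually altered what clients are offered.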