Date:      Tue, 22 May 2012 17:23:34 -0700 (PDT)
From:      Jason Usher <jusher71@yahoo.com>
To:        Ian Lepore <freebsd@damnhippie.dyndns.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Need to revert behavior of OpenSSH to the old key order ...
Message-ID:  <1337732614.39678.YahooMailClassic@web122506.mail.ne1.yahoo.com>
In-Reply-To: <1337713927.1116.40.camel@revolution.hippie.lan>




--- On Tue, 5/22/12, Ian Lepore <freebsd@damnhippie.dyndns.org> wrote:

> Seeing your example config with the commented-out HostKey lines made me
> realize that you probably want to have two HostKey lines, one for the
> protocol v1 key and another for the dsa key for v2.  The 6.x server
> added the v1 key and the v2 dsa key by default, so you could have
> existing clients relying on a v1 key.  Since you now have a HostKey
> statement the new server code won't add the v1 key by default so you'd
> need to be explicit about it.
> 
> Based on examining the code, I think this will be safe because the keys
> have different type-names ("rsa1" vs "rsa") so a client wanting to use a
> protocol v2 rsa key won't accidentally match the protocol v1 rsa key
> named in the config file (and it will still match the dsa key).


Well, yes - and after restarting sshd, this was made clear:

Stopping sshd.
Starting sshd.
Disabling protocol version 1. Could not load host key

However, those commented-out HostKey lines were always commented out - I did not comment them out.  In fact, my change was to uncomment the last one.

Further, I think the:

/etc/ssh/ssh_host_key

key, for protocol v1, is an RSA key, right?  But you are saying it's an older rsa1 key?

Ok, I will uncomment both lines now, and it will read:

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_dsa_key

I just tried it and it seems to work (no scary key mismatch messages for DSA clients).

Thanks.
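A small checker for the situation discussed in this thread, added here as an example (it is not code from the thread or from OpenSSH): it pulls HostKey directives out of sshd_config text, applies the rule Ian describes (once any HostKey line is present, the v1 key is no longer loaded implicitly), and classifies a key file by its first line, which also answers the rsa-versus-rsa1 question, since the protocol-1 file carries its own magic header instead of a PEM "RSA PRIVATE KEY" block. The config text is a constructed sample modelled on the lines above, and the check assumes Protocol still lists 1 (with Protocol 2 only, the v1 key is irrelevant).

```python
import re
from pathlib import Path

# Constructed sample modelled on the HostKey lines quoted in the thread (not the
# poster's real file): v1 line commented out, DSA line active.
SAMPLE_CONFIG = """\
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_dsa_key
"""

V1_KEY_FILE = "ssh_host_key"  # stock OpenSSH name of the protocol-1 host key
# Optional leading '#', case-insensitive keyword, exactly one path; the trailing
# $ stops prose comments like "# HostKey for protocol version 1" from matching.
HOSTKEY_RE = re.compile(r"^\s*(#\s*)?HostKey\s+(\S+)\s*$", re.IGNORECASE)

def parse_hostkeys(text):
    """Return (active, commented) HostKey paths found in sshd_config text."""
    active, commented = [], []
    for line in text.splitlines():
        m = HOSTKEY_RE.match(line)
        if m:
            (commented if m.group(1) else active).append(m.group(2))
    return active, commented

def v1_status(active):
    """Apply the rule from the thread: once any HostKey directive is present,
    sshd no longer loads the v1 key implicitly (assumes Protocol still lists 1)."""
    if not active:
        return "no HostKey directive: default key set loaded, v1 key included"
    if any(Path(p).name == V1_KEY_FILE for p in active):
        return "explicit v1 HostKey present: protocol 1 stays enabled"
    return "HostKey directives present but none is the v1 key: protocol 1 disabled"

def key_type_from_header(first_line):
    """Classify a host key file by its first line. The protocol-1 file starts
    with a fixed magic string instead of a PEM header, which is why sshd calls
    its type 'rsa1' even though the key inside is RSA."""
    if first_line.startswith("SSH PRIVATE KEY FILE FORMAT 1.1"):
        return "rsa1"
    if first_line.startswith("-----BEGIN DSA PRIVATE KEY-----"):
        return "dsa"
    if first_line.startswith("-----BEGIN RSA PRIVATE KEY-----"):
        return "rsa"
    return "unknown"
```

Run against the sample, `v1_status` reports that protocol 1 will be disabled, which is exactly the "Disabling protocol version 1. Could not load host key" line sshd printed above.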

