From: Jason Usher
To: Ian Lepore
Cc: freebsd-hackers@freebsd.org
Date: Tue, 22 May 2012 17:23:34 -0700 (PDT)
Subject: Re: Need to revert behavior of OpenSSH to the old key order ...
Message-ID: <1337732614.39678.YahooMailClassic@web122506.mail.ne1.yahoo.com>
In-Reply-To: <1337713927.1116.40.camel@revolution.hippie.lan>
List-Id: Technical Discussions relating to FreeBSD

--- On Tue, 5/22/12, Ian Lepore wrote:

> Seeing your example config with the commented-out HostKey lines made me
> realize that you probably want to have two HostKey lines, one for the
> protocol v1 key and another for the dsa key for v2. The 6.x server
> added the v1 key and the v2 dsa key by default, so you could have
> existing clients relying on a v1 key. Since you now have a HostKey
> statement the new server code won't add the v1 key by default so you'd
> need to be explicit about it.
>
> Based on examining the code, I think this will be safe because the keys
> have different type-names ("rsa1" vs "rsa") so a client wanting to use a
> protocol v2 rsa key won't accidentally match the protocol v1 rsa key
> named in the config file (and it will still match the dsa key).

Well, yes - and after restarting sshd, this was made clear:

Stopping sshd.
Starting sshd.
Disabling protocol version 1. Could not load host key

However, those commented-out HostKey lines were always commented out - I did not comment them out. In fact, my change was to uncomment the last one.

Further, I think the:

/etc/ssh/ssh_host_key

key, for protocol v1, is an RSA key, right? But you are saying it's an older rsa1 key?

Ok, I will uncomment both lines now, and it will read:

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_dsa_key

I just tried it and it seems to work (no scary key mismatch messages for DSA clients).

Thanks.
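The exchange above turns on two things an administrator cannot see from the config file alone: once an explicit HostKey line is present, sshd loads only the keys that are listed, and the listed files are of different families (the protocol v1 "rsa1" file versus the protocol v2 PEM keys). The following POSIX shell script is an added example, written for this archive page and not part of the thread or of OpenSSH itself; it reads the active HostKey lines of an sshd_config, classifies each key file by its header line, and flags files that sshd will fail to load. The header strings it matches are the classic OpenSSH key file formats ("SSH PRIVATE KEY FILE FORMAT 1.1" for rsa1, PEM "BEGIN ... PRIVATE KEY" for protocol 2); the config and key files it creates are constructed placeholders in a temporary directory, not real keys, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit the active HostKey lines of an
# sshd_config and classify each key file by its header, so that a host that
# has just switched to explicit HostKey statements can see which keys sshd
# will actually load.  The config and key files below are constructed
# placeholders written to a temp directory; they are not real keys.

# Guess the key family from the first line of a private key file.
# "SSH PRIVATE KEY FILE FORMAT 1.1" is the OpenSSH protocol-1 (rsa1) format;
# protocol-2 keys in PEM form start with "-----BEGIN <TYPE> PRIVATE KEY-----",
# and newer OpenSSH-format keys with "-----BEGIN OPENSSH PRIVATE KEY-----".
key_family() {
    [ -r "$1" ] || { echo missing; return; }
    case "$(head -n 1 "$1")" in
        "SSH PRIVATE KEY FILE FORMAT 1.1")     echo rsa1 ;;
        "-----BEGIN RSA PRIVATE KEY-----")     echo rsa ;;
        "-----BEGIN DSA PRIVATE KEY-----")     echo dsa ;;
        "-----BEGIN EC PRIVATE KEY-----")      echo ecdsa ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        *)                                     echo unknown ;;
    esac
}

# Print the path from every uncommented HostKey line.  Keywords are
# case-insensitive in sshd_config, so the comparison is done in lower case;
# a line starting with "#" never has "hostkey" as its first field.
hostkeys() {
    awk 'tolower($1) == "hostkey" { print $2 }' "$1"
}

# Print "path family" for each HostKey and return 1 if any file is missing:
# sshd skips a key it cannot load, which for the v1 key shows up as
# "Disabling protocol version 1. Could not load host key".
# (Paths containing whitespace are not handled by the word split here.)
audit_hostkeys() {
    rc=0
    for k in $(hostkeys "$1"); do
        fam=$(key_family "$k")
        echo "$k $fam"
        [ "$fam" = missing ] && rc=1
    done
    return $rc
}

# Constructed sample: a v1 key, a DSA key, and a HostKey line whose file
# does not exist, mirroring a config with three uncommented HostKey lines.
demo_dir=$(mktemp -d)
printf '%s\n' 'SSH PRIVATE KEY FILE FORMAT 1.1' '(constructed placeholder)' \
    > "$demo_dir/ssh_host_key"
printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' '(constructed placeholder)' \
    '-----END DSA PRIVATE KEY-----' > "$demo_dir/ssh_host_dsa_key"
cat > "$demo_dir/sshd_config" <<EOF
# HostKey for protocol version 1
HostKey $demo_dir/ssh_host_key
# HostKeys for protocol version 2
HostKey $demo_dir/ssh_host_dsa_key
HostKey $demo_dir/ssh_host_rsa_key
EOF

# Run the audit; a non-zero status means sshd will start without some key.
audit_hostkeys "$demo_dir/sshd_config" \
    || echo "warning: at least one HostKey file could not be read"
```

Run it as-is to see the three-line report on the constructed sample, or point `audit_hostkeys` at `/etc/ssh/sshd_config` on a real host (as root, since the key files are mode 0600). A `missing` entry is the condition that produced the "Could not load host key" message in the thread; an `rsa1` entry is the protocol v1 key, which only matters if clients that still speak protocol 1 must keep working.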