Date: Mon, 21 May 2012 09:18:32 -0700 (PDT)
From: Jason Usher <jusher71@yahoo.com>
To: Jason Hellenthal <jhellenthal@dataix.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Need to revert behavior of OpenSSH to the old key order ...
Message-ID: <1337617112.24292.YahooMailClassic@web122505.mail.ne1.yahoo.com>
In-Reply-To: <20120517232238.GA91365@DataIX.net>
Folks,

Is there a better list for this - perhaps freebsd-security ?

I originally posted to -hackers because it *appears* that reverting "rsa, then dsa" to "dsa, then rsa" was a simple change to myproposal.h, but since that doesn't work, and since I haven't gotten any replies here ...

Thoughts ?


--- On Thu, 5/17/12, Jason Hellenthal <jhellenthal@dataix.net> wrote:

> > > > I have some old 6.x FreeBSD systems that need their OpenSSH upgraded.
> > > >
> > > > Everything goes just fine, but when I am done, existing clients are now presented with this message:
> > > >
> > > >
> > > > WARNING: DSA key found for host hostname
> > > > in /root/.ssh/known_hosts:12
> > > > DSA key fingerprint 4c:29:4b:6e:b8:6b:fa:49.......
> > > >
> > > > The authenticity of host 'hostname (10.1.2.3)' can't be established
> > > > but keys of different type are already known for this host.
> > > > RSA key fingerprint is a3:22:3d:cf:f2:46:09:f2......
> > > > Are you sure you want to continue connecting (yes/no)
> > > >
> > >
> > > You must be using different keys for your server than the one that has
> > > been generated before the upgrade. Just copy your keys over to the new
> > > location and restart the server daemon and you should be fine.
> > >
> > > copy /etc/ssh/* -> /usr/local/etc/ssh/
> >
> >
> > You didn't read that error message.
>
> Sorry I misread that. Deceiving message...
>
> >
> > That is not the standard "key mismatch" error that you assumed it was.  Look at it again - it is saying that we do have a key for this server of type DSA, but the client is receiving one of type RSA, etc.
> >
> > The keys are the same - they have not changed at all - they are just being presented to clients in the reverse order, which is confusing them and breaking automated, key-based login.
> >
> > I need to take current ssh server behavior (rsa, then dss) and change it back to the old order (dss, then rsa).
>
> Have you attempted to change that order via sshd_config and placing the
> DSA directive before the RSA one ?
>
>
> --
>
> - (2^(N-1))
>
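Added example, not part of the thread and not OpenSSH's own code: the client side of the same negotiation. In the SSH key exchange (RFC 4253, section 7.1) the server presents the first host key type in the client's HostKeyAlgorithms preference list that it actually holds a key for, so a client that already trusts a DSA key can ask for "ssh-dss" first and keep matching its known_hosts entry whatever order the upgraded sshd lists its HostKey lines in. The script reads a known_hosts file, finds which key types are recorded for a host, and builds a HostKeyAlgorithms value that puts those types ahead of the other types the server offers. The known_hosts contents, the host names and the OFFERED list are constructed for the example, and it assumes unhashed known_hosts entries.

```shell
#!/bin/sh
# Added example (not from the thread): from the client's known_hosts, work out
# which host key types are already trusted for a host and build a
# HostKeyAlgorithms preference list that puts those types first, so the
# negotiated host key matches the entry known_hosts already holds.
# Assumes unhashed known_hosts lines: "host[,ip,...] keytype base64 [comment]".
# Hashed (|1|...) entries cannot be matched by name here; use `ssh-keygen -F host`.

# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
KNOWN_HOSTS=$(mktemp)
trap 'rm -f "$KNOWN_HOSTS"' EXIT
cat >"$KNOWN_HOSTS" <<'EOF'
# comment line, ignored
otherhost,10.9.9.9 ssh-rsa AAAAB3NzaC1yc2E...constructed...
hostname,10.1.2.3 ssh-dss AAAAB3NzaC1kc3M...constructed...
EOF

# Key types the upgraded server offers, in the order the thread describes
# (RSA before DSA). Constructed for the example.
OFFERED="ssh-rsa ssh-dss"

# known_key_types FILE HOST: print the key types recorded for HOST, one per
# line. HOST is matched against every comma-separated name in field 1.
known_key_types() {
    awk -v host="$2" '
        /^[ \t]*#/ || NF == 0        { next }   # comments and blank lines
        substr($1, 1, 3) == "|1|"    { next }   # hashed entry: cannot match by name
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print $2; break }
        }' "$1"
}

# hostkeyalgs_for FILE HOST: comma-separated HostKeyAlgorithms value listing
# the types already known for HOST first, then the remaining offered types.
# With no known entry it degrades to the server's own order.
hostkeyalgs_for() {
    known=$(known_key_types "$1" "$2")
    out=""
    for t in $known; do
        out="${out:+$out,}$t"
    done
    for t in $OFFERED; do
        case ",$out," in
            *",$t,"*) ;;                        # already listed
            *) out="${out:+$out,}$t" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Usage against a real host:
#   ssh -o "HostKeyAlgorithms=$(hostkeyalgs_for ~/.ssh/known_hosts hostname)" hostname
hostkeyalgs_for "$KNOWN_HOSTS" hostname   # prints ssh-dss,ssh-rsa
```

The same value can be pinned per host with a HostKeyAlgorithms line under a Host block in ~/.ssh/config, which is the durable fix for the automated logins mentioned in the thread; if the known_hosts file is hashed, replace the awk lookup with `ssh-keygen -F host` and read the key type from its output.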
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1337617112.24292.YahooMailClassic>