Date:      Tue, 1 Dec 2009 03:55:18 -0800
From:      Jeremy Chadwick <freebsd@jdc.parodius.com>
To:        Pete French <petefrench@ticketswitch.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: SSH oddness with 8.0-STABLE
Message-ID:  <20091201115518.GA27115@icarus.home.lan>
In-Reply-To: <E1NFR8d-000HH2-GJ@dilbert.ticketswitch.com>
References:  <20091201113547.GA26501@icarus.home.lan> <E1NFR8d-000HH2-GJ@dilbert.ticketswitch.com>

On Tue, Dec 01, 2009 at 11:43:23AM +0000, Pete French wrote:
> > Usually the error you're seeing is indication that either the client or
> > server changed from DSA to RSA, or vice-versa.  I don't see anything in
> > /etc/ssh/ssh_config or /etc/ssh/sshd_config between 7.2-STABLE and
> > 8.0-STABLE which would indicate this changed.
> 
> There is, however, a note in /usr/src/UPDATING about this precise
> effect. Viz:
> 
> 20080801:
>         OpenSSH has been upgraded to 5.1p1.
> 
>         For many years, FreeBSD's version of OpenSSH preferred DSA
>         over RSA for host and user authentication keys.  With this
>         upgrade, we've switched to the vendor's default of RSA over
>         DSA.  This may cause upgraded clients to warn about unknown
>         host keys even for previously known hosts.  Users should
>         follow the usual procedure for verifying host keys before
>         accepting the RSA key.
> 
>         This can be circumvented by setting the "HostKeyAlgorithms"
>         option to "ssh-dss,ssh-rsa" in ~/.ssh/config or on the ssh
>         command line.
> 
>         Please note that the sequence of keys offered for
>         authentication has been changed as well.  You may want to
>         specify IdentityFile in a different order to revert this
>         behavior.

This would indicate the OP was running a 7.2-STABLE system which was
built prior to 2008/08/01 (with some variance; sometimes the commit
times do not match the timestamp in src/UPDATING), or a system which had
not had mergemaster run on it to populate the changes into /etc/ssh.

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
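As an added illustration (not code from this thread) of why the UPDATING entry above warns about "unknown host keys even for previously known hosts": a small Python model that parses a constructed known_hosts file and a constructed list of the key types each server offers, then reports which hosts an RSA-preferring client would prompt for, and that the "ssh-dss,ssh-rsa" HostKeyAlgorithms order quoted above avoids it. Host names, key blobs and server offerings are all made up; the negotiation is simplified to "first preferred type the server offers".

```python
from collections import defaultdict

# Constructed ~/.ssh/known_hosts: alpha has only a DSA key on record (the
# pre-2008 FreeBSD default), beta has both types, gamma only RSA.
KNOWN_HOSTS = """\
alpha.example.net,10.0.0.5 ssh-dss AAAAB3NzaC1kc3MAAACBAPDSA1EXAMPLE
beta.example.net ssh-dss AAAAB3NzaC1kc3MAAACBAPDSA2EXAMPLE
beta.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCRSA2EXAMPLE
# comment lines are ignored by ssh as well
gamma.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCRSA3EXAMPLE
"""

# Constructed: host-key types each server offers (sshd with both an RSA
# and a DSA HostKey configured offers both).
SERVER_OFFERS = {
    "alpha.example.net": ["ssh-rsa", "ssh-dss"],
    "beta.example.net": ["ssh-rsa", "ssh-dss"],
    "gamma.example.net": ["ssh-rsa"],
}

RSA_FIRST = ["ssh-rsa", "ssh-dss"]  # OpenSSH 5.1p1 vendor default
DSA_FIRST = ["ssh-dss", "ssh-rsa"]  # HostKeyAlgorithms workaround from UPDATING


def parse_known_hosts(text):
    """Map each host pattern in known_hosts to the set of key types recorded."""
    known = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, hashed (|1|) entries whose name cannot be
        # recovered, and @cert-authority/@revoked marker lines.
        if not fields or fields[0].startswith(("#", "|1|", "@")):
            continue
        if len(fields) < 3:
            continue
        for name in fields[0].split(","):
            known[name].add(fields[1])
    return known


def negotiated_type(preference, offered):
    """First type in the client's preference list that the server offers."""
    return next((t for t in preference if t in offered), None)


def hosts_that_prompt(known, offers, preference):
    """Hosts whose negotiated key type has no known_hosts entry yet."""
    prompts = []
    for host, offered in offers.items():
        chosen = negotiated_type(preference, offered)
        if chosen and chosen not in known.get(host, set()):
            prompts.append((host, chosen))
    return prompts
```

The prompt for alpha is the moment to verify the RSA fingerprint out of band, as the UPDATING entry says, rather than accept it blindly.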
