SSH oddness with 8.0-STABLE

Jeremy Chadwick freebsd at
Tue Dec 1 11:55:25 UTC 2009

On Tue, Dec 01, 2009 at 11:43:23AM +0000, Pete French wrote:
> > Usually the error you're seeing is indication that either the client or
> > server changed from DSA to RSA, or vice-versa.  I don't see anything in
> > /etc/ssh/ssh_config or /etc/ssh/sshd_config between 7.2-STABLE and
> > 8.0-STABLE which would indicate this changed.
> There is, however, a not on /usr/src/UPDATING about this precise
> effect. Viz:
> 20080801:
>         OpenSSH has been upgraded to 5.1p1.
>         For many years, FreeBSD's version of OpenSSH preferred DSA
>         over RSA for host and user authentication keys.  With this
>         upgrade, we've switched to the vendor's default of RSA over
>         DSA.  This may cause upgraded clients to warn about unknown
>         host keys even for previously known hosts.  Users should
>         follow the usual procedure for verifying host keys before
>         accepting the RSA key.
>         This can be circumvented by setting the "HostKeyAlgorithms"
>         option to "ssh-dss,ssh-rsa" in ~/.ssh/config or on the ssh
>         command line.
>         Please note that the sequence of keys offered for
>         authentication has been changed as well.  You may want to
>         specify IdentityFile in a different order to revert this
>         behavior.

This would indicate the OP was running a 7.2-STABLE system which was
built prior to 2008/08/01 (with some variance; sometimes the commit
times do not match the timestamp in src/UPDATING), or a system which had
not had mergemaster run on it to populate the changes into /etc/ssh.

| Jeremy Chadwick                                   jdc at |
| Parodius Networking              |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

More information about the freebsd-stable mailing list