conf/149343: sshd silently switches to RSA in 8.x and 9.x [patch for mergemaster]
Mikhail T.
mi at aldan.algebra.com
Thu Aug 5 20:00:21 UTC 2010
>Number: 149343
>Category: conf
>Synopsis: sshd silently switches to RSA in 8.x and 9.x [patch for mergemaster]
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 05 20:00:20 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Mikhail T.
>Release: FreeBSD 8.1-PRERELEASE amd64
>Organization: Virtual Estates, Inc. http://sybpipe.com/
>Environment:
FreeBSD aldan.narawntapu 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #0: Mon Jul 5 00:51:57 EDT 2010 root at aldan.narawntapu:/meow/obj/var/src/sys/SILVER-SMP amd64
>Description:
Unlike in earlier versions, in 8.x (and 9.x) sshd uses RSA hostkeys instead of DSA by default. Baffling as it may be to regular users, according to des: "It had to happen. There is nothing to resolve. Move along."
Unsatisfying words, for when an existing installation is upgraded, this point is very easy to miss, because the UPDATING entry on the subject is 2 years old. Unfortunately, this may be troublesome to those who use automated ssh-based jobs, as those jobs would now hang. Interactive ssh connections would prompt the user to accept the new (RSA-based) host keys, as just happened on freefall, for example.
For the old behavior (using DSA) to continue, the DSA HostKey must now be specified explicitly. This is something mergemaster can do -- in some cases...
>How-To-Repeat:
Upgrade from 7.x to 8.x. Try to ssh into the upgraded system. Witness the warning about the new host key (along with the warning that a key of a different type is already known for that host).
>Fix:
This patch is the best I can come up with, given my limited knowledge of mergemaster. It does not catch all cases -- such as when the only differences are in RCS tags and -F is used...
Patch attached with submission follows:
Index: mergemaster.sh
===================================================================
RCS file: /home/ncvs/src/usr.sbin/mergemaster/mergemaster.sh,v
retrieving revision 1.72.2.6
diff -U 2 -r1.72.2.6 mergemaster.sh
--- mergemaster.sh 20 May 2010 22:12:36 -0000 1.72.2.6
+++ mergemaster.sh 5 Aug 2010 18:22:18 -0000
@@ -860,4 +860,53 @@
DONT_INSTALL=yes
;;
+ /etc/ssh/sshd_config)
+ # If some HostKey is already explicitly set, we don't worry
+ if grep ^HostKey "$COMPFILE"
+ then
+ do_install_and_rm "${FILE_MODE}" "${1}" "${DESTDIR}${INSTALL_DIR}"
+ return
+ fi
+ fmt << EOWARNING
+*** Note, when upgrading to 8.x. For many years FreeBSD's sshd
+ installations used DSA-keys by default. The 8.x branch reverts
+ to the vendor's behavior of using RSA by default. This may
+ cause connecting clients to stall with the "new host key"
+ warnings. To continue to use DSA, ${1#.} has to explictly
+ set HostKey to point to your DSA-key file.
+
+EOWARNING
+ if [ `egrep -c '^#HostKey\s*.*_dsa_key$' $COMPFILE` != 1 ]
+ then
+ fmt << EOWARNING
+ Unfortunately, the $COMPFILE is more complex then what can be
+ automatically fixed by this script.
+
+EOWARNING
+ do_install_and_rm "${FILE_MODE}" "${1}" "${DESTDIR}${INSTALL_DIR}"
+ return
+ fi
+ cat << EOMENU
+ Use 'f' to try to automatically fix ${1#.} before installing
+ Use 'i' to just install it as is.
+ Default is to leave the temporary file to deal with by hand
+
+EOMENU
+ read -p " How should I handle ${COMPFILE}? [Leave it to install later] " \
+ HANDLE_HOST_KEY
+
+ case "$HANDLE_HOST_KEY" in
+ [fF]*)
+ sed -i"" -e 's|#\(HostKey\s*.*_dsa_key.*\)|\1|' $COMPFILE
+ ;;
+ [iI]*)
+ ;;
+ default)
+ echo " *** ${COMPFILE} will remain for your consideration"
+ return
+ ;;
+ esac
+ do_install_and_rm "${FILE_MODE}" "${1}" "${DESTDIR}${INSTALL_DIR}"
+ return
+ ;;
/.cshrc | /.profile)
local st_nlink
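Review bot: The `default)` branch of `case "$HANDLE_HOST_KEY"` can never fire, so the advertised default (leave the file for manual handling) does the opposite: pressing Enter at the `read -p` prompt yields an empty string, which matches neither `[fF]*`, `[iI]*` nor the literal word `default`, control falls out of the `case`, and the following `do_install_and_rm` installs the unmodified file. Make the catch-all `*)`, or match `""|[lL]*`. Second, `\s` in `egrep -c '^#HostKey\s*.*_dsa_key$'` and in `sed -i"" -e 's|#\(HostKey\s*.*_dsa_key.*\)|\1|'` is not a POSIX regex escape and is not understood by FreeBSD's sed, so the fix can fail to match the very line the check counted; use `[[:space:]]*` in both so the test and the substitution agree. Third, `grep ^HostKey "$COMPFILE"` should be `grep -q`, otherwise the matched line is echoed into the mergemaster output, and `$COMPFILE` is left unquoted in the `egrep` and `sed` calls while being quoted elsewhere. Minor: "explictly" and "more complex then" in the heredoc text.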
>Release-Note:
>Audit-Trail:
>Unformatted:
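The configuration change the report asks mergemaster to make, as a stand-alone script. This is an added example, not the PR's patch or any mergemaster code; it assumes the stock sshd_config layout in which the only HostKey lines are commented out and exactly one of them names a `_dsa_key` file, and it constructs its own sample config rather than touching /etc/ssh. It relies on the documented sshd behaviour that the built-in default host keys are used only when no HostKey directive is set, and it uses `[[:space:]]` and a temp-file rewrite so it behaves the same with BSD and GNU grep/sed.

```shell
#!/bin/sh
# Added example; not part of the PR or of mergemaster. Keeps sshd on its
# DSA host key after an upgrade by turning the commented-out DSA HostKey
# line into an active one. Any explicit HostKey disables sshd's defaults,
# so the presence of one is the signal that nothing needs to be done.

# Exit 0 if the file already has an active (uncommented) HostKey directive.
has_explicit_hostkey() {
    grep -q '^[[:space:]]*HostKey[[:space:]]' "$1"
}

# Print the number of commented-out DSA HostKey lines in the file.
count_commented_dsa_hostkey() {
    grep -c '^#[[:space:]]*HostKey[[:space:]].*_dsa_key[[:space:]]*$' "$1"
}

# Uncomment the DSA HostKey line. Returns 0 when the file already pins a
# HostKey or was fixed, 1 when the file is ambiguous and needs hand editing.
pin_dsa_hostkey() {
    f="$1"
    if has_explicit_hostkey "$f"; then
        echo "$f: HostKey already set explicitly, leaving it alone" >&2
        return 0
    fi
    if [ "$(count_commented_dsa_hostkey "$f")" -ne 1 ]; then
        echo "$f: zero or several commented DSA HostKey lines, fix by hand" >&2
        return 1
    fi
    # Rewrite through a temp file: works with both BSD and GNU sed.
    sed -e 's|^#\([[:space:]]*HostKey[[:space:]].*_dsa_key[[:space:]]*\)$|\1|' "$f" > "$f.tmp" &&
        mv "$f.tmp" "$f"
}

# Constructed sample resembling the stock 8.x sshd_config (not a real file).
write_sample_config() {
    cat > "$1" << 'EOF'
# This is the sshd server system-wide configuration file.
#Port 22
#HostKey /etc/ssh/ssh_host_key
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#LoginGraceTime 2m
EOF
}

# Usage (hypothetical path): sample=$(mktemp) && write_sample_config "$sample" && pin_dsa_hostkey "$sample"
```

Because an explicit HostKey turns off the built-in defaults, uncommenting only the DSA line means sshd will offer the DSA key alone; if both key types should be offered, uncomment the RSA line as well, and run `sshd -t` against the edited file before restarting.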