Need to revert behavior of OpenSSH to the old key order ...

Jason Hellenthal jhellenthal at dataix.net
Thu May 17 23:22:43 UTC 2012



On Thu, May 17, 2012 at 04:06:11PM -0700, Jason Usher wrote:
> 
> 
> --- On Thu, 5/17/12, Jason Hellenthal <jhellenthal at dataix.net> wrote:
> 
> > On Thu, May 17, 2012 at 02:17:03PM -0700, Jason Usher
> > wrote:
> > > I have some old 6.x FreeBSD systems that need their
> > OpenSSH upgraded.
> > > 
> > > Everything goes just fine, but when I am done, existing
> > clients are now presented with this message:
> > > 
> > > 
> > > WARNING: DSA key found for host hostname
> > > in /root/.ssh/known_hosts:12
> > > DSA key fingerprint 4c:29:4b:6e:b8:6b:fa:49.......
> > > 
> > > The authenticity of host 'hostname (10.1.2.3)' can't be
> > established
> > > but keys of different type are already known for this
> > host.
> > > RSA key fingerprint is a3:22:3d:cf:f2:46:09:f2......
> > > Are you sure you want to continue connecting (yes/no)
> > > 
> > 
> > You must be using different keys for your server than the
> > one that has
> > been generated before the upgrade. Just copy your keys over
> > to the new
> > location and restart the server daemon and you should be
> > fine.
> > 
> > copy /etc/ssh/* -> /usr/local/etc/ssh/
> 
> 
> You didn't read that error message.

Sorry, I misread that. Deceiving message...

> 
> That is not the standard "key mismatch" error that you assumed it was.  Look at it again - it is saying that we do have a key for this server of type DSA, but the client is receiving one of type RSA, etc.
> 
> The keys are the same - they have not changed at all - they are just being presented to clients in the reverse order, which is confusing them and breaking automated, key-based login.
> 
> I need to take current ssh server behavior (rsa, then dss) and change it back to the old order (dss, then rsa).

Have you attempted to change that order via sshd_config and placing the
DSA directive before the RSA one?


-- 

 - (2^(N-1))
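
The situation discussed in this thread can also be checked from the client side. The following is an added example, not part of the original messages: it reads a known_hosts file, lists which key types are already trusted for a host (plain or hashed entries), and builds an ssh_config stanza using the client's `HostKeyAlgorithms` option so the already-trusted type is requested first. The function names, the sample file content and the assumed server offer (`ssh-rsa`, then `ssh-dss`) are assumptions for illustration; wildcard and negated host patterns are not handled.

```python
import base64, hashlib, hmac

# Constructed sample known_hosts content (key blobs are placeholders, not real keys).
SAMPLE_KNOWN_HOSTS = """\
# constructed example
hostname,10.1.2.3 ssh-dss AAAAB3NzaC1kc3MAAACB-PLACEHOLDER
otherhost ssh-rsa AAAAB3NzaC1yc2EAAAAB-PLACEHOLDER
otherhost ssh-dss AAAAB3NzaC1kc3MAAACB-PLACEHOLDER
@revoked hostname ssh-rsa AAAAB3NzaC1yc2EAAAAB-PLACEHOLDER
"""

def _matches(pattern, host):
    """Match one host pattern: a plain name or a hashed |1|salt|hash entry."""
    if pattern.startswith("|1|"):
        try:
            _, _, salt, digest = pattern.split("|")
            mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
            return hmac.compare_digest(mac.digest(), base64.b64decode(digest))
        except ValueError:
            return False  # malformed hashed entry
    return pattern == host

def known_key_types(known_hosts_text, host):
    """Return key types recorded for host, in file order, skipping marker lines."""
    types = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank, comment, malformed, or @cert-authority/@revoked
        hit = any(_matches(p, host) for p in fields[0].split(","))
        if hit and fields[1] not in types:
            types.append(fields[1])
    return types

def client_pin(known_hosts_text, host, offered=("ssh-rsa", "ssh-dss")):
    """Build an ssh_config stanza that asks for already-trusted key types first.

    `offered` is the assumed server order from the thread (rsa, then dss).
    """
    known = known_key_types(known_hosts_text, host)
    if not known:
        return None  # nothing trusted yet, so there is nothing to pin
    order = [t for t in known if t in offered]
    order += [t for t in offered if t not in known]
    return "Host %s\n    HostKeyAlgorithms %s\n" % (host, ",".join(order))

if __name__ == "__main__":
    print(client_pin(SAMPLE_KNOWN_HOSTS, "hostname"))
```
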


More information about the freebsd-hackers mailing list