Need to revert behavior of OpenSSH to the old key order ...

Jason Usher jusher71 at yahoo.com
Mon May 21 16:18:38 UTC 2012


Folks,

Is there a better list for this - perhaps freebsd-security ?

I originally posted to -hackers because it *appears* that reverting "rsa, then dsa" to "dsa, then rsa" was a simple change to myproposal.h, but since that doesn't work, and since I haven't gotten any replies here ...

Thoughts ?


--- On Thu, 5/17/12, Jason Hellenthal <jhellenthal at dataix.net> wrote:

> > > > I have some old 6.x FreeBSD systems that need their OpenSSH upgraded.
> > > > 
> > > > Everything goes just fine, but when I am done, existing clients are now presented with this message:
> > > > 
> > > > 
> > > > WARNING: DSA key found for host hostname
> > > > in /root/.ssh/known_hosts:12
> > > > DSA key fingerprint 4c:29:4b:6e:b8:6b:fa:49.......
> > > > 
> > > > The authenticity of host 'hostname (10.1.2.3)' can't be established
> > > > but keys of different type are already known for this host.
> > > > RSA key fingerprint is a3:22:3d:cf:f2:46:09:f2......
> > > > Are you sure you want to continue connecting (yes/no)
> > > > 
> > > 
> > > You must be using different keys for your server than the one that has
> > > been generated before the upgrade. Just copy your keys over to the new
> > > location and restart the server daemon and you should be fine.
> > > 
> > > copy /etc/ssh/* -> /usr/local/etc/ssh/
> > 
> > 
> > You didn't read that error message.
> 
> Sorry I misread that. Deceiving message...
> 
> > 
> > That is not the standard "key mismatch" error that you assumed it was.  Look at it again - it is saying that we do have a key for this server of type DSA, but the client is receiving one of type RSA, etc.
> > 
> > The keys are the same - they have not changed at all - they are just being presented to clients in the reverse order, which is confusing them and breaking automated, key-based login.
> > 
> > I need to take current ssh server behavior (rsa, then dss) and change it back to the old order (dss, then rsa).
> 
> Have you attempted to change that order via sshd_config and placing the DSA directive before the RSA one ?
> 
> 
> -- 
> 
>  - (2^(N-1))
> 
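A check for the client side of the warning quoted above, added here as an example and not part of this thread: it reports which host-key types a known_hosts file already records for a host, with the line number the "DSA key found ... in known_hosts:12" message refers to. The sample known_hosts file and its key data are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample known_hosts: a DSA entry for "hostname" and an RSA entry for another host.
KH="$(mktemp)"
cat > "$KH" <<'EOF'
hostname,10.1.2.3 ssh-dss AAAAB3NzaC1kc3MAAACBAPlaceholderDsaKeyData
otherhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholderRsaKeyData
EOF

# known_key_types HOST FILE
# Prints "LINE:TYPE" for every unhashed known_hosts entry naming HOST.
# The first field may list several names/addresses separated by commas.
# Hashed (|1|...) entries and @cert-authority/@revoked markers are skipped here;
# `ssh-keygen -F HOST -f FILE` also matches hashed entries.
known_key_types() {
    host="$1"; file="$2"
    awk -v h="$host" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        /^\|1\|/       { next }                 # hashed hostname, cannot match by name
        $1 ~ /^@/      { next }                 # marker lines (@cert-authority, @revoked)
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                if (names[i] == h) { print NR ":" $2; break }
            }
        }' "$file"
}

# has_key_type HOST TYPE FILE: exit 0 if FILE already records a TYPE key for HOST.
has_key_type() {
    known_key_types "$1" "$3" | awk -F: -v t="$2" '$2 == t { found = 1 } END { exit !found }'
}

known_key_types hostname "$KH"
if ! has_key_type hostname ssh-rsa "$KH"; then
    echo "hostname: no ssh-rsa entry; an RSA host key will trigger the 'keys of different type' prompt"
fi
```

Run it against a real file with `known_key_types hostname ~/.ssh/known_hosts`; a host that shows only `ssh-dss` is one whose clients will see the prompt when the server offers its RSA key first.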
