Need to revert behavior of OpenSSH to the old key order ...
Jason Hellenthal
jhellenthal at dataix.net
Mon May 21 17:17:51 UTC 2012
On Mon, May 21, 2012 at 09:18:32AM -0700, Jason Usher wrote:
>
> Folks,
>
> Is there a better list for this - perhaps freebsd-security ?
>
> I originally posted to -hackers because it *appears* that reverting "rsa, then dsa" to "dsa, then rsa" was a simple change to myproposal.h, but since that doesn't work, and since I haven't gotten any replies here ...
>
> Thoughts ?
OpenBSD ?
http://www.openssh.org/list.html
>
>
> --- On Thu, 5/17/12, Jason Hellenthal <jhellenthal at dataix.net> wrote:
>
> > > > > I have some old 6.x FreeBSD systems that need
> > their
> > > > OpenSSH upgraded.
> > > > >
> > > > > Everything goes just fine, but when I am
> > done, existing
> > > > clients are now presented with this message:
> > > > >
> > > > >
> > > > > WARNING: DSA key found for host hostname
> > > > > in /root/.ssh/known_hosts:12
> > > > > DSA key fingerprint
> > 4c:29:4b:6e:b8:6b:fa:49.......
> > > > >
> > > > > The authenticity of host 'hostname
> > (10.1.2.3)' can't be
> > > > established
> > > > > but keys of different type are already known
> > for this
> > > > host.
> > > > > RSA key fingerprint is
> > a3:22:3d:cf:f2:46:09:f2......
> > > > > Are you sure you want to continue connecting
> > (yes/no)
> > > > >
> > > >
> > > > You must be using different keys for your server
> > than the
> > > > one that has
> > > > been generated before the upgrade. Just copy your
> > keys over
> > > > to the new
> > > > location and restart the server daemon and you
> > should be
> > > > fine.
> > > >
> > > > copy /etc/ssh/* -> /usr/local/etc/ssh/
> > >
> > >
> > > You didn't read that error message.
> >
> > Sorry I misread that. Decieving message...
> >
> > >
> > > That is not the standard "key mismatch" error that you
> > assumed it was. Look at it again - it is saying that
> > we do have a key for this server of type DSA, but the client
> > is receiving one of type RSA, etc.
> > >
> > > The keys are the same - they have not changed at all -
> > they are just being presented to clients in the reverse
> > order, which is confusing them and breaking automated,
> > key-based login.
> > >
> > > I need to take current ssh server behavior (rsa, then
> > dss) and change it back to the old order (dss, then rsa).
> >
> > Have you attempted to change that order via sshd_config and
> > placing the
> > DSA directive before the RSA one ?
> >
> >
> > --
> >
> > - (2^(N-1))
> >
--
- (2^(N-1))
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 455 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20120521/ac5f57b6/attachment.pgp
More information about the freebsd-hackers
mailing list