Need to revert behavior of OpenSSH to the old key order ...

[Jason Usher]

--- On Tue, 5/22/12, Ian Lepore <freebsd at damnhippie.dyndns.org> wrote:

> Seeing your example config with the commented-out HostKey
> lines made me
> realize that you probably want to have two HostKey lines,
> one for the
> protocol v1 key and another for the dsa key for v2. 
> The 6.x server
> added the v1 key and the v2 dsa key by default, so you could
> have
> existing clients relying on a v1 key.  Since you now
> have a HostKey
> statement the new server code won't add the v1 key by
> default so you'd
> need to be explicit about it.  
> 
> Based on examining the code, I think this will be safe
> because the keys
> have different type-names ("rsa1" vs "rsa") so a client
> wanting to use a
> protocol v2 rsa key won't accidentally match the protcol v1
> rsa key
> named in the config file (and it will still match the dsa
> key).


Well, yes - and after restarting sshd, this was made clear:

Stopping sshd.
Starting sshd.
Disabling protocol version 1. Could not load host key

However, those commented out HostKey lines were always commented out - I did not comment them out.  In fact, my change was to uncomment the last one.

Further, I think the:

/etc/ssh/ssh_host_key

key, for protocol v1, is an RSA key, right ?  But you are saying it's an older rsa1 key ?

Ok, I will uncomment both lines now, and it will read:

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_dsa_key

I just tried it and it seems to work (no scary key mismatch messages for DSA clients)

Thanks.