SSH oddness with 8.0-STABLE
Jeremy Chadwick
freebsd at jdc.parodius.com
Tue Dec 1 11:55:25 UTC 2009
On Tue, Dec 01, 2009 at 11:43:23AM +0000, Pete French wrote:
> > Usually the error you're seeing is indication that either the client or
> > server changed from DSA to RSA, or vice-versa. I don't see anything in
> > /etc/ssh/ssh_config or /etc/ssh/sshd_config between 7.2-STABLE and
> > 8.0-STABLE which would indicate this changed.
>
> There is, however, a note on /usr/src/UPDATING about this precise
> effect. Viz:
>
> 20080801:
> OpenSSH has been upgraded to 5.1p1.
>
> For many years, FreeBSD's version of OpenSSH preferred DSA
> over RSA for host and user authentication keys. With this
> upgrade, we've switched to the vendor's default of RSA over
> DSA. This may cause upgraded clients to warn about unknown
> host keys even for previously known hosts. Users should
> follow the usual procedure for verifying host keys before
> accepting the RSA key.
>
> This can be circumvented by setting the "HostKeyAlgorithms"
> option to "ssh-dss,ssh-rsa" in ~/.ssh/config or on the ssh
> command line.
>
> Please note that the sequence of keys offered for
> authentication has been changed as well. You may want to
> specify IdentityFile in a different order to revert this
> behavior.
This would indicate the OP was running a 7.2-STABLE system which was
built prior to 2008/08/01 (with some variance; sometimes the commit
times do not match the timestamp in src/UPDATING), or a system which had
not had mergemaster run on it to populate the changes into /etc/ssh.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
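
Added example, not part of the original message and not FreeBSD or OpenSSH code: a sketch of which previously known hosts would present an unrecorded key type after the preference change described in the UPDATING entry, so their RSA keys can be verified before being accepted. It assumes the key type used is the first entry in the client's HostKeyAlgorithms order that the server also offers; host names, salt and key blobs are constructed.

```python
import base64
import hashlib
import hmac

def host_matches(field, host):
    """Match a known_hosts host field: plain comma list or hashed |1|salt|hash."""
    if field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(hash_b64))
    return host in field.split(",")  # wildcard/negated patterns are not handled

def recorded_types(known_hosts_text, host):
    """Key types already recorded for host."""
    types = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank lines, comments, @cert-authority/@revoked markers
        if host_matches(fields[0], host):
            types.add(fields[1])
    return types

def needs_verification(known_hosts_text, host, client_pref, server_types):
    """True when a known host would present a key type not yet recorded for it."""
    # Assumption: the first client-preferred algorithm the server offers is used.
    alg = next((a for a in client_pref if a in server_types), None)
    known = recorded_types(known_hosts_text, host)
    return alg is not None and bool(known) and alg not in known

def hashed_field(host, salt):
    """Build a hashed host field (as written with HashKnownHosts) for the sample."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed sample; key blobs are placeholders, not real keys.
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "alpha.example.org,192.0.2.10 ssh-dss PLACEHOLDERKEY",
    "beta.example.org ssh-rsa PLACEHOLDERKEY",
    hashed_field("gamma.example.org", b"constructed-salt") + " ssh-dss PLACEHOLDERKEY",
])
OLD_PREF = ["ssh-dss", "ssh-rsa"]  # order UPDATING gives to keep the old behaviour
NEW_PREF = ["ssh-rsa", "ssh-dss"]  # RSA over DSA, per the UPDATING entry
SERVER = {"ssh-rsa", "ssh-dss"}    # assumption: server holds both host key types

if __name__ == "__main__":
    for h in ("alpha.example.org", "beta.example.org", "gamma.example.org"):
        print(h, needs_verification(SAMPLE, h, NEW_PREF, SERVER))
```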