sshd appears to be broken when both host rsa and dsa key file present

Jeremy Chadwick jdc at parodius.com
Sun Jan 25 22:22:12 PST 2009


On Mon, Jan 26, 2009 at 03:05:47PM +0900, YONETANI Tomokazu wrote:
> On Sun, Jan 25, 2009 at 06:50:22PM -0800, Matthew Dillon wrote:
> >     I think YONETANI reported this a few months ago, but it just started
> >     happening to me when I upgraded pkgbox.
> > 
> >     Something is ignoring the host DSA key when a host RSA key is presenting,
> >     causing a mismatch with a pre-existing known_hosts file.
> > 
> >     If I were to say 'yes', then RSA host key would be recorded in my
> >     known_hosts file.
> > 
> >     If I remove the RSA host key file on the server and restart sshd, then
> >     the client properly negotiates using the DSA host key.
> > 
> >     Anyone have any ideas?
> > 
> > 						-Matt
> 
> Seems like the import of openssh-5.1 reverted the order of the default
> hostkey algorithm proposal, which has been part of FreeBSD-local
> preferences for many years:
>   diff --git a/crypto/openssh-5/myproposal.h b/crypto/openssh-5/myproposal.h
>   index 8bdad7b..87a9e58 100644
>   --- a/crypto/openssh-5/myproposal.h
>   +++ b/crypto/openssh-5/myproposal.h
>   @@ -40,7 +40,7 @@
> 	  "diffie-hellman-group1-sha1"
>    #endif
>    
>   -#define KEX_DEFAULT_PK_ALG	"ssh-dss,ssh-rsa"
>   +#define	KEX_DEFAULT_PK_ALG	"ssh-rsa,ssh-dss"
>    #define	KEX_DEFAULT_ENCRYPT \
> 	  "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
> 	  "arcfour128,arcfour256,arcfour," \
> 
> Note that FreeBSD also got rid of this local change about a month
> earlier than we did:
>   http://docs.freebsd.org/cgi/mid.cgi?200808010253.m712raNF004286
> 
> So the quick workaround(if you still prefer DSA over RSA) is
> to add the following in /etc/ssh_config on ssh clients
> 
>   HostKeyAlgorithms	ssh-dsa,ssh-rsa

This should read:

   HostKeyAlgorithms	ssh-dss,ssh-rsa

(-dss, not -dsa).

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |






More information about the Bugs mailing list