DragonFly bugs List (threaded) for 2009-01
Re: sshd appears to be broken when both host rsa and dsa key file present
On Sun, Jan 25, 2009 at 06:50:22PM -0800, Matthew Dillon wrote:
> I think YONETANI reported this a few months ago, but it just started
> happening to me when I upgraded pkgbox.
> Something is ignoring the host DSA key when a host RSA key is present,
> causing a mismatch with a pre-existing known_hosts file.
> If I were to say 'yes', then the RSA host key would be recorded in my
> known_hosts file.
> If I remove the RSA host key file on the server and restart sshd, then
> the client properly negotiates using the DSA host key.
> Anyone have any ideas?
Seems like the import of openssh-5.1 reverted the order of the default
hostkey algorithm proposal, which has been part of FreeBSD-local
preferences for many years:
diff --git a/crypto/openssh-5/myproposal.h b/crypto/openssh-5/myproposal.h
index 8bdad7b..87a9e58 100644
@@ -40,7 +40,7 @@
-#define KEX_DEFAULT_PK_ALG "ssh-dss,ssh-rsa"
+#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss"
#define KEX_DEFAULT_ENCRYPT \
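Review bot: Swapping KEX_DEFAULT_PK_ALG from "ssh-dss,ssh-rsa" to "ssh-rsa,ssh-dss" silently changes which host key a client verifies against whenever a server offers both key types, so every known_hosts entry recorded under the old order now produces a host-key warning on an unchanged server, and users answering 'yes' to it learn to accept mismatches. The hunk should ship with an UPDATING/release note that says so and points at the client-side HostKeyAlgorithms option as the way to keep the previous preference during the transition.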
Note that FreeBSD also got rid of this local change about a month
earlier than we did:
So the quick workaround (if you still prefer DSA over RSA) is
to add the following to /etc/ssh_config on ssh clients,
or, to make it per-user, add the following two lines to ~/.ssh/config:
Host foo # or use * if you want to apply it to any host
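To make the failure mode in this thread reproducible offline, here is an added example (not code from the thread, from DragonFly or from OpenSSH) that parses a known_hosts file and predicts whether a client will see a mismatch. In the SSH key exchange (RFC 4253, section 7.1) the server host key algorithm is the first entry in the client's list that the server also offers, which is why the two default orders quoted above decide the outcome and why the workaround lives in the client's ssh_config (the option is HostKeyAlgorithms). The known_hosts lines and the hostnames pkgbox/other are constructed, and the key blobs are placeholders. The `reorder` switch models the mitigation of preferring key types already on record for the host, which avoids the spurious warning without touching the server.

```python
"""Predict host-key verification outcomes when a server offers RSA and DSA keys."""
from typing import Dict, List, Optional

# The two default proposal orders discussed in the thread.
OLD_DEFAULT = ["ssh-dss", "ssh-rsa"]   # long-standing FreeBSD/DragonFly local preference
NEW_DEFAULT = ["ssh-rsa", "ssh-dss"]   # order after the openssh-5.1 import

# Constructed sample known_hosts: "pkgbox" was recorded with a DSA key only,
# "other" with both types. The base64 blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# comment line, ignored
pkgbox,10.0.0.5 ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER
other ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAPLACEHOLDER
other ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER
|1|saltsaltsalt=|hashedhostname= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAPLACEHOLDER
"""


def parse_known_hosts(text: str) -> Dict[str, Dict[str, str]]:
    """Return {hostname: {key_type: key_blob}} for plain (unhashed) entries.

    Each entry is "hostnames key_type base64_key [comment]", hostnames being a
    comma-separated list. Lines starting with '#' are comments; hashed entries
    ('|1|salt|hash') cannot be matched by name without the salt, so they are
    skipped in this demo.
    """
    result: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue                      # malformed entry: ssh would skip it too
        hosts, key_type, key_blob = fields[0], fields[1], fields[2]
        if hosts.startswith("|1|"):
            continue                      # hashed hostname, not resolvable here
        for host in hosts.split(","):
            result.setdefault(host, {})[key_type] = key_blob
    return result


def negotiate_hostkey_alg(client_prefs: List[str], server_offers: List[str]) -> Optional[str]:
    """RFC 4253 s7.1: the first algorithm in the CLIENT's list the server also offers wins."""
    for alg in client_prefs:
        if alg in server_offers:
            return alg
    return None


def prefer_known_types(client_prefs: List[str], recorded: Dict[str, str]) -> List[str]:
    """Move key types already recorded for this host to the front of the client list."""
    known = [a for a in client_prefs if a in recorded]
    unknown = [a for a in client_prefs if a not in recorded]
    return known + unknown


def predict(host: str, known: Dict[str, Dict[str, str]], client_prefs: List[str],
            server_offers: List[str], reorder: bool = False) -> str:
    """Classify the connection: 'ok', 'mismatch', 'unknown-host' or 'no-common-alg'."""
    recorded = known.get(host, {})
    prefs = prefer_known_types(client_prefs, recorded) if reorder else client_prefs
    alg = negotiate_hostkey_alg(prefs, server_offers)
    if alg is None:
        return "no-common-alg"
    if not recorded:
        return "unknown-host"             # first-contact prompt, not a mismatch
    if alg in recorded:
        return "ok"
    # known_hosts holds a key for this host, but of a different type than the one
    # negotiated, so the client cannot verify it against what it recorded.
    return "mismatch"


def ssh_config_workaround(host_pattern: str, prefs: List[str]) -> str:
    """Render the per-host client stanza that pins the old preference order."""
    return f"Host {host_pattern}\n    HostKeyAlgorithms {','.join(prefs)}\n"


if __name__ == "__main__":
    known = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("upgraded client, both keys on server:",
          predict("pkgbox", known, NEW_DEFAULT, NEW_DEFAULT))
    print("same, with HostKeyAlgorithms workaround:",
          predict("pkgbox", known, OLD_DEFAULT, NEW_DEFAULT))
    print("same, known-hosts-aware client:",
          predict("pkgbox", known, NEW_DEFAULT, NEW_DEFAULT, reorder=True))
    print(ssh_config_workaround("pkgbox", OLD_DEFAULT))
```

Running it shows the three cases from the thread side by side: the upgraded client hits a mismatch on an unchanged server, pinning the old order on the client restores a clean connect, and so does removing the RSA key server-side (pass `["ssh-dss"]` as the server offer), since the client then has no RSA to prefer.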