DragonFly users List (threaded) for 2008-10
DragonFly BSD
DragonFly users List (threaded) for 2008-10
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

openssh-5.1 problem?


From: YONETANI Tomokazu <qhwt+dfly@xxxxxxxxxx>
Date: Sun, 12 Oct 2008 16:35:16 +0900

Hello.
After openssh has been updated to openssh-5.1p1, slogin'ing to that host
from another machine using DSA key stopped working:
  WARNING: DSA key found for host vmware
  in /home/yonetani/.ssh/known_hosts:3
  DSA key fingerprint 0a:73:33:d7:73:ff:e9:4f:60:e4:de:e1:5b:ec:b6:4d.
  [strange AA omitted]

  The authenticity of host 'vmware (172.16.203.128)' can't be established
  but keys of different type are already known for this host.
  RSA key fingerprint is 02:88:d3:b5:52:3e:a8:3f:4a:fd:3d:fa:99:81:ca:0b.

I can't slogin into that machine unless I accept the RSA key.  So I
investigated a bit and found the following things:

A) running ssh-keyscan against the machine when it's running the previous
  version of sshd gives `no hostkey alg' message whereas it gives the
  correct RSA key when it's running the new version of sshd.

B) If I move away the host_rsa_key* from under /etc/ssh on the machine
   running newer sshd, I can connect to that machine without the warning
   shown above.

C) same thing happens when I try to connect to itself on the machine with
   newer ssh and sshd installed.  however, if I copied the ssh command
   over from 2.0-RELEASE machine and use it to connect to itself (but
   with newer libcrypto and libssh), it doesn't complain about the DSA key.
   note I moved host_rsa_key* files back into the place before doing this.

D) The version information reported by `ssh -V' has nothing to do with the
   ssh command itself, but something else (libssh or /etc/ssh/ssh_config?)

"A" implies that the newer openssh-5.1 fixed the problem in sshd that it
couldn't return RSA key.
"B" together with "C" imply that apparently this is a problem (a bug?)
in ssh command itself, not the shared libraries it's linked against, that
it fails to verify the DSA host key if the server also replies with an RSA
host key.

Any ideas?



[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]