Need to revert behavior of OpenSSH to the old key order ...
Jason Hellenthal
jhellenthal at dataix.net
Thu May 17 22:17:15 UTC 2012
On Thu, May 17, 2012 at 02:17:03PM -0700, Jason Usher wrote:
> I have some old 6.x FreeBSD systems that need their OpenSSH upgraded.
>
> Everything goes just fine, but when I am done, existing clients are now presented with this message:
>
>
> WARNING: DSA key found for host hostname
> in /root/.ssh/known_hosts:12
> DSA key fingerprint 4c:29:4b:6e:b8:6b:fa:49.......
>
> The authenticity of host 'hostname (10.1.2.3)' can't be established
> but keys of different type are already known for this host.
> RSA key fingerprint is a3:22:3d:cf:f2:46:09:f2......
> Are you sure you want to continue connecting (yes/no)
>
You must be using different keys for your server than the ones that were
generated before the upgrade. Just copy your keys over to the new
location and restart the server daemon and you should be fine.
copy /etc/ssh/* -> /usr/local/etc/ssh/
>
> And as you can imagine, existing automated jobs now all fail.
>
> I have no control over the clients. Assume the clients cannot be touched at all.
>
> So, the good news is, this appears to have been discussed/documented here:
>
> http://www.mail-archive.com/bugs@crater.dragonflybsd.org/msg04860.html
>
> ... but I'm afraid that changing that line in myproposal.h BACK TO ssh-dss,ssh-rsa does not solve the problem. I did indeed make that change to myproposal.h, manually, and then build the openssh-portable port, but the behavior persists.
>
> If I simply REMOVE the RSA keys, the error goes away, and existing DSA-using clients no longer bomb out, but this is NOT a good solution for two reasons:
>
> 1. anytime I HUP, or start sshd, it's going to create new RSA keys for me
>
> 2. It's possible that some clients out there really have been using RSA all along (who knows) and now they are completely broken, since RSA is not there at all.
>
> I'm more than happy to muck around in the source with further little edits, just like I did with myproposal.h, but I have no idea what they would be.
>
> Can anyone help me "make new ssh behave like old one" ?
>
> Thanks.
>
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
--
- (2^(N-1))
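As an added illustration (not code from either poster), the following Python reproduces the two checks behind this thread: whether the port's sshd in /usr/local/etc/ssh presents the same host keys as the base system's /etc/ssh, and why a client whose known_hosts only records the DSA key gets the "keys of different type are already known" prompt when the server offers RSA first. Key material and the known_hosts line are constructed sample data; fingerprints use the colon-separated MD5 format shown in the quoted warning, and only plain (unhashed) known_hosts entries are parsed.

```python
import base64
import hashlib
import struct

def make_pubkey_line(key_type, payload, comment):
    # OpenSSH public-key line; the key material here is CONSTRUCTED filler, not a real key.
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + payload
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def fingerprint_md5(pubkey_line):
    # Colon-separated MD5 of the decoded blob, the format quoted in the warning above.
    hexdigest = hashlib.md5(base64.b64decode(pubkey_line.split()[1])).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def compare_host_keys(old_keys, new_keys):
    # old_keys / new_keys: {filename: public-key line}, e.g. /etc/ssh vs /usr/local/etc/ssh.
    result = {}
    for name in sorted(set(old_keys) | set(new_keys)):
        if name not in old_keys or name not in new_keys:
            result[name] = "missing"          # only one sshd has this key type
        elif fingerprint_md5(old_keys[name]) == fingerprint_md5(new_keys[name]):
            result[name] = "same"             # clients will see the key they already know
        else:
            result[name] = "DIFFERENT"        # freshly generated key: clients will complain
    return result

def known_types_for_host(known_hosts, host):
    # {key type: fingerprint} from plain (unhashed) known_hosts entries naming host.
    known = {}
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not line.startswith("#") and host in parts[0].split(","):
            known[parts[1]] = fingerprint_md5(" ".join(parts[1:3]))
    return known

def client_verdict(known_hosts, host, offered_line):
    # Mirror the client's decision for the one host key the server chose to offer: a known
    # type must match its fingerprint; a host known only under other types gets the prompt.
    known = known_types_for_host(known_hosts, host)
    offered_type, fingerprint = offered_line.split()[0], fingerprint_md5(offered_line)
    if not known:
        return "unknown-host"
    if offered_type in known:
        return "match" if known[offered_type] == fingerprint else "CHANGED"
    return "different-type"

# CONSTRUCTED sample: base-system keys, the port's new RSA key, a client that knows only DSA.
OLD_DIR = {"ssh_host_dsa_key.pub": make_pubkey_line("ssh-dss", b"\x01" * 16, "root@hostname"),
           "ssh_host_rsa_key.pub": make_pubkey_line("ssh-rsa", b"\x02" * 16, "root@hostname")}
NEW_DIR = {"ssh_host_rsa_key.pub": make_pubkey_line("ssh-rsa", b"\x03" * 16, "root@hostname")}
KNOWN_HOSTS = "hostname,10.1.2.3 " + OLD_DIR["ssh_host_dsa_key.pub"] + "\n"
```

Running `compare_host_keys(OLD_DIR, NEW_DIR)` flags the regenerated RSA key as DIFFERENT and the DSA key as missing from the port's directory, which is the state the quoted warning reflects; with the old files copied over, the DSA key matches and only a server that offers the known type avoids the prompt for DSA-only clients.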