bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-01 20:49 UTC
[Bug 1657] New: Server Authentication when both RSA and DSA are enabled (on the server)
https://bugzilla.mindrot.org/show_bug.cgi?id=1657

           Summary: Server Authentication when both RSA and DSA are enabled (on the server)
           Product: Portable OpenSSH
           Version: 5.2p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: trivial
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: petfire85 at yahoo.fr

When the SSH server uses both RSA and DSA, actually (by default) the OpenSSH client is obliged to know the RSA public key of the server.

If we change the preference key to use in the ssh_config with the option HostKeyAlgorithms, we can choose DSA as the default key for the server authentication.

Actually, if in the known_hosts file on the client we have the RSA key of the server and if the client is configured to use the DSA key, the server authentication will fail. Because the SSH client searches only for the default key of the server in the known_hosts file.

When we are in this situation, the OpenSSH client tells us that there is a key corresponding to the remote host in the known_hosts file, but this key is not the default configured for the client. So it doesn't want to use it.
bugzilla-daemon at bugzilla.mindrot.org
2011-May-06 01:30 UTC
[Bug 1657] Server Authentication when both RSA and DSA are enabled (on the server)
https://bugzilla.mindrot.org/show_bug.cgi?id=1657

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #1 from Damien Miller <djm at mindrot.org> 2011-05-06 11:30:25 EST ---

As of OpenSSH-5.7, the ssh client will not automatically prefer to use host key types that it actually has hostkeys for. So it should automatically do the right thing and avoid hostkey warnings if the server advertises things in a different way.

Unfortunately, the SSH protocol can only attempt one hostkey type per connection and has no way for a server to tell a client its full list of hostkeys. We might look at making a protocol extension in the future to allow the server to tell the client of its full list of hostkeys.

For now, you should let the client select the host key algorithm automatically and it will do the right thing. If you want to override the host key algorithm, then it is your responsibility to obtain the other host keys and place them in known_hosts (either manually or by accepting the "new hostkey" message)
bugzilla-daemon at bugzilla.mindrot.org
2011-May-06 01:36 UTC
[Bug 1657] Server Authentication when both RSA and DSA are enabled (on the server)
https://bugzilla.mindrot.org/show_bug.cgi?id=1657

--- Comment #2 from Damien Miller <djm at mindrot.org> 2011-05-06 11:36:18 EST ---

err, that should read "As of OpenSSH-5.7, the ssh client will *now* automatically" (i.e. not "not automatically")
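The selection behaviour described in comments #1 and #2, as an added example that is not part of the bug thread and not OpenSSH's own code: a simplified Python model that moves host key algorithms with a key already in known_hosts to the front of the client's preference list, and checks whether a single forced algorithm has a key on file. The two-entry default order, host names, salt and key blobs are constructed, and host matching covers hashed and exact names only (no wildcard patterns).

```python
import base64, hashlib, hmac

# Constructed two-entry preference list (assumption): RSA before DSA.
DEFAULT_ORDER = ["ssh-rsa", "ssh-dss"]

def hashed_field(host, salt=b"constructed-salt-000"):
    """Build a hashed host field (|1|salt|HMAC-SHA1) for the sample data."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def host_matches(field, host):
    """Match one known_hosts host field: hashed form or exact comma list."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(),
                       hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")

def known_key_types(known_hosts_text, host):
    """Key types that have a plain (unmarked) entry for this host."""
    types = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if host_matches(fields[0], host):
            types.add(fields[1])
    return types

def order_hostkey_algs(known_hosts_text, host, default_order=DEFAULT_ORDER):
    """Put algorithms with a known key first, keeping relative order."""
    have = known_key_types(known_hosts_text, host)
    return ([a for a in default_order if a in have] +
            [a for a in default_order if a not in have])

def pinned_choice_ok(known_hosts_text, host, pinned_alg):
    """With one forced algorithm, is a key of that type on file?"""
    return pinned_alg in known_key_types(known_hosts_text, host)

# Constructed known_hosts content; key blobs are placeholders.
SAMPLE = "\n".join([
    "# constructed sample",
    "server.example.org,192.0.2.10 ssh-dss PLACEHOLDER-DSA-BLOB",
    hashed_field("hashed.example.org") + " ssh-rsa PLACEHOLDER-RSA-BLOB",
])
```

`pinned_choice_ok(SAMPLE, "hashed.example.org", "ssh-dss")` reproduces the reporter's situation: an RSA key is on file, DSA is forced, and the lookup for the forced type finds nothing.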
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 05:32 UTC
[Bug 1657] Server Authentication when both RSA and DSA are enabled (on the server)
https://bugzilla.mindrot.org/show_bug.cgi?id=1657

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> 2011-09-06 15:32:47 EST ---

close resolved bugs now that openssh-5.9 has been released