bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-01 20:49 UTC
[Bug 1657] New: Server Authentication when both RSA and DSA are enabled (on the server)
https://bugzilla.mindrot.org/show_bug.cgi?id=1657
Summary: Server Authentication when both RSA and DSA are
enabled (on the server)
Product: Portable OpenSSH
Version: 5.2p1
Platform: All
OS/Version: All
Status: NEW
Severity: trivial
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: petfire85 at yahoo.fr
When the SSH Server uses both RSA and DSA, actually (by default) the
OpenSSH client is obliged to know the RSA public key of the server. If
we change the preference key to use in the ssh_config with the option
HostKeyAlgorithms we can choose DSA as default key for the server
Authentication.
Actually, if in the known_hosts file on the client we have the RSA key
of the server and if the client is configured to use the DSA key, the
server authentication will fail, because the SSH client searches only
for the default key of the server in the known_hosts file.
When we are in this situation, OpenSSH client tells us that there is a
key corresponding to the remote host in the known_hosts file but this
key is not the default configured for the client. So it doesn't want to
use it.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-May-06 01:30 UTC
[Bug 1657] Server Authentication when both RSA and DSA are enabled (on the server)
https://bugzilla.mindrot.org/show_bug.cgi?id=1657
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX
--- Comment #1 from Damien Miller <djm at mindrot.org> 2011-05-06 11:30:25
EST ---
As of OpenSSH-5.7, the ssh client will not automatically prefer to use
host key types that it actually has hostkeys for. So it should
automatically do the right thing and avoid hostkey warnings if the
server advertises things in a different way.
Unfortunately, the SSH protocol can only attempt one hostkey type per
connection and has no way for a server to tell a client its full list
of hostkeys. We might look at making a protocol extension in the future
to allow the server to tell the client of its full list of hostkeys.
For now, you should let the client select the host key algorithm
automatically and it will do the right thing. If you want to override
the host key algorithm, then it is your responsibility to obtain the
other host keys and place them in known_hosts (either manually or by
accepting the "new hostkey" message).
bugzilla-daemon at bugzilla.mindrot.org
2011-May-06 01:36 UTC
[Bug 1657] Server Authentication when both RSA and DSA are enabled (on the server)
https://bugzilla.mindrot.org/show_bug.cgi?id=1657
--- Comment #2 from Damien Miller <djm at mindrot.org> 2011-05-06 11:36:18
EST ---
err, that should read "As of OpenSSH-5.7, the ssh client will *now*
automatically" (i.e. not "not automatically")
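Added example (not part of the bug thread and not OpenSSH's own code): a sketch of the selection behaviour Comments #1 and #2 describe, where host key types that already have an entry in known_hosts are moved to the front of the preference list, plus a check for the mismatch from the original report. All function names are hypothetical, the default order ssh-rsa,ssh-dss is an assumption, the key blobs are constructed placeholders, and wildcard or [host]:port patterns are not handled.

```python
import base64, hashlib, hmac

def hash_host(host, salt):
    """Hashed-name form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def host_matches(field, host):
    """True if the first known_hosts field names `host` (plain list or hashed)."""
    if field.startswith("|1|"):
        _, _, salt_b64, _mac = field.split("|")
        salt = base64.b64decode(salt_b64)
        return hmac.compare_digest(hash_host(host, salt), field)
    return host in field.split(",")

def known_key_types(known_hosts_text, host):
    """Key types recorded for `host`, skipping comments and @marker lines."""
    types = []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        if host_matches(parts[0], host) and parts[1] not in types:
            types.append(parts[1])
    return types

def preferred_order(default_order, known_types):
    """Move algorithms with a stored key to the front, keeping relative order."""
    have = [a for a in default_order if a in known_types]
    return have + [a for a in default_order if a not in have]

def would_mismatch(forced_algorithm, known_types):
    """Reported case: a forced type has no stored key while another type does."""
    return bool(known_types) and forced_algorithm not in known_types

# Constructed sample data: key blobs are placeholders, not real keys.
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "server.example.org,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER",
    hash_host("hashed.example.org", b"constructed-salt-20b")
    + " ssh-dss AAAAB3NzaC1kc3M-PLACEHOLDER",
])
DEFAULT_ORDER = ["ssh-rsa", "ssh-dss"]  # assumed default preference

if __name__ == "__main__":
    for h in ("server.example.org", "hashed.example.org"):
        print(h, preferred_order(DEFAULT_ORDER, known_key_types(SAMPLE, h)))
```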
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 05:32 UTC
[Bug 1657] Server Authentication when both RSA and DSA are enabled (on the server)
https://bugzilla.mindrot.org/show_bug.cgi?id=1657
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> 2011-09-06 15:32:47
EST ---
close resolved bugs now that openssh-5.9 has been released