Hi guys,

I'm working on a project which concerns SSH and there is something I don't understand about server authentication. So I'll explain my problem:

- When you authorize only RSA keys in the sshd_config on the server, you need to have the RSA public key of this server in the known_hosts file of the client. This is absolutely normal.

- When you authorize only DSA keys in the sshd_config on the server, you need to have the DSA public key of this server in the known_hosts file of the client. This is also absolutely normal.

- But when you authorize both RSA and DSA keys, you are obliged to have the RSA public key in the known_hosts file; without it, it fails. If there is only DSA in the known_hosts file it fails, and this is what I don't understand. Why doesn't the server authentication work with the DSA key when both DSA and RSA are authorized? (Of course, if both are present in the known_hosts file, it works.)

So if somebody can help me with this, it will be nice ;) I've read a lot of documentation and a little of the 4 RFCs, but I haven't found the answer to my question.

Steeve
No ideas about my problem? I don't know where I can find the answer, so I need your help.

On Tue, Sep 8, 2009 at 12:08 AM, Steeve BARBEAU <petfire85 at yahoo.fr> wrote:
>
> Hi guys,
>
> I'm working on a project which concerns SSH and there is something I don't
> understand about server authentication. So I'll explain my problem:
>
> - When you authorize only RSA keys in the sshd_config on the server, you
> need to have the RSA public key of this server in the known_hosts file of
> the client. This is absolutely normal.
>
> - When you authorize only DSA keys in the sshd_config on the server, you
> need to have the DSA public key of this server in the known_hosts file of
> the client. This is also absolutely normal.
>
> - But when you authorize both RSA and DSA keys, you are obliged to have the
> RSA public key in the known_hosts file; without it, it fails. If there is only
> DSA in the known_hosts file it fails, and this is what I don't understand.
> Why doesn't the server authentication work with the DSA key when both DSA
> and RSA are authorized? (Of course, if both are present in the known_hosts
> file, it works.) So if somebody can help me with this, it will be nice ;)
> I've read a lot of documentation and a little of the 4 RFCs, but I haven't
> found the answer to my question.
>
> Steeve
Are there some OpenSSH developers or SSH experts who know what the problem is?

On Thu, Sep 17, 2009 at 11:31 PM, Douglas E. Engert <deengert at anl.gov> wrote:
> If you reword your question as to how to have RSA *or* DSA you might get a
> response.
> You may have found a bug, as I would not expect it to require RSA *and*
> DSA.

Is it a bug, like Douglas says? Have you ever had this problem?
Please help me... I suppose that OpenSSH developers know how it works because they have implemented it.

Is this in an RFC? If yes, which RFC?

Thanks
Sounds like a bug... is this causing severe problems for you?

On Wed, Sep 30, 2009 at 12:01 AM, Steeve BARBEAU <petfire85 at yahoo.fr> wrote:
> Please help me... I suppose that OpenSSH developers know how it works
> because they have implemented it.
>
> Is this in an RFC? If yes, which RFC?
>
> Thanks
On Mon, 7 Sep 2009, Steeve BARBEAU wrote:
>
> Hi guys,
>
> I'm working on a project which concerns SSH and there is something I
> don't understand about server authentication. So I'll explain my problem:
>
> - When you authorize only RSA keys in the sshd_config on the server,
> you need to have the RSA public key of this server in the known_hosts
> file of the client. This is absolutely normal.
>
> - When you authorize only DSA keys in the sshd_config on the server,
> you need to have the DSA public key of this server in the known_hosts
> file of the client. This is also absolutely normal.
>
> - But when you authorize both RSA and DSA keys, you are obliged to
> have the RSA public key in the known_hosts file; without it, it fails. If
> there is only DSA in the known_hosts file it fails, and this is what I
> don't understand. Why doesn't the server authentication work with the
> DSA key when both DSA and RSA are authorized? (Of course, if both are
> present in the known_hosts file, it works.) So if somebody can help me
> with this, it will be nice ;)

When the server offers both ssh-rsa and ssh-dss server key types, the client's preference determines what is actually used. Since the client offers ssh-rsa,ssh-dss by default (controllable via HostKeyAlgorithms), RSA will always win if the server supports it.

It might be possible to look for a DSA key in known_hosts and change the order if one is found without a corresponding RSA key, but I don't really see much point.

-d
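Added example (not part of the thread and not OpenSSH code): a simplified Python model of the selection rule described in the message above, in which the first host key algorithm on the client's list that the server also offers is chosen, and only then is known_hosts consulted for a key of that type. Host names, key blobs and function names are constructed for illustration; `prefer_known` models the reordering that the message mentions as a possibility.

```python
# Added illustration: simplified model of SSH host key algorithm selection.
# Host names and key blobs below are constructed sample data.

DEFAULT_CLIENT_PREFS = ["ssh-rsa", "ssh-dss"]  # client default order described above

KNOWN_HOSTS = """\
server.example ssh-dss AAAAB3NzaC1kc3MAAACBconstructed
other.example ssh-rsa AAAAB3NzaC1yc2EAAAADconstructed
"""

def known_key_types(known_hosts, host):
    """Return the key types stored for host (plain, unhashed entries only)."""
    types = set()
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments and marker lines such as @revoked.
        if len(fields) < 3 or line.lstrip().startswith(("#", "@")):
            continue
        if host in fields[0].split(","):
            types.add(fields[1])
    return types

def negotiate(client_prefs, server_algs):
    """First algorithm on the client's list that the server also offers."""
    for alg in client_prefs:
        if alg in server_algs:
            return alg
    return None

def verify_host(client_prefs, server_algs, known_hosts, host):
    """Return (negotiated algorithm, whether known_hosts has a key of that type)."""
    alg = negotiate(client_prefs, server_algs)
    return alg, alg in known_key_types(known_hosts, host)

def prefer_known(client_prefs, known_hosts, host):
    """Reorder preferences so key types already in known_hosts come first."""
    known = known_key_types(known_hosts, host)
    return sorted(client_prefs, key=lambda alg: alg not in known)

if __name__ == "__main__":
    host = "server.example"
    for server in (["ssh-rsa"], ["ssh-dss"], ["ssh-rsa", "ssh-dss"]):
        print(server, verify_host(DEFAULT_CLIENT_PREFS, server, KNOWN_HOSTS, host))
    prefs = prefer_known(DEFAULT_CLIENT_PREFS, KNOWN_HOSTS, host)
    print(prefs, verify_host(prefs, ["ssh-rsa", "ssh-dss"], KNOWN_HOSTS, host))
```

With a DSA-only known_hosts entry, the model reproduces the three cases from the original question; putting ssh-dss first in the client's list makes the dual-key server case match the stored key.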
So, I've tried your modification but it doesn't work, I'll search and I hope I'll find the solution.

Thanks for your help Dan and Damien

On Fri, Oct 2, 2009 at 8:36 AM, Dan Kaminsky <dan at doxpara.com> wrote:
> Go into your OpenSSH source, hostfile.c.
>
> Find the line:
>
>         if (!hostfile_check_key(kbits, found, host, filename,
>             linenum))
>                 continue;
>
> Right before it, add:
>
>         if(key != NULL &&
>            found != NULL &&
>            key->type != found->type) { continue; }
>
> Alternatively I'll gin you up a patch file if you tell me what build
> you want me to make one against.
>
> NO IDEA if this'll work but I think it hits what you're talking about.
>
> On Fri, Oct 2, 2009 at 8:24 AM, Steeve BARBEAU <petfire85 at yahoo.fr> wrote:
> > Yes of course.