Neuser, Philipp
2017-Mar-14  20:45 UTC
ssh-client should always revoke ssh-dss keys not only when coming from the agent
Hi!

When calling ssh-add on a DSA key I'm asked for the passphrase and the key is perfectly accepted and listed by ssh-agent. A DSA key is also used by the ssh client when found in the home directory and the passphrase entered is correct. But a DSA key offered to the ssh client by ssh-agent is skipped as long as ssh-dss is not listed in PubkeyAcceptedKeyTypes:

debug1: Skipping ssh-dss key /home/XXXX/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/XXXX/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: Trying private key: /home/XXX/.ssh/id_dsa
Enter passphrase for key '/home/XXX/.ssh/id_dsa':
debug1: Authentication succeeded (publickey).

This results in strange behavior for users. You are asked for your passphrase by the agent and again by the ssh client, and nobody tells you that you should not use a DSA key anymore. Shouldn't the ssh client also reject DSA keys found in the home directory as long as ssh-dss is not listed in PubkeyAcceptedKeyTypes, or reject them when trying to add keys to ssh-agent?

Regards,
Philipp Neuser
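The mismatch described in the post (agent accepts a DSA key, client skips it because ssh-dss is absent from PubkeyAcceptedKeyTypes) can be checked from the user's side before it surprises anyone. The following is an added example, not code from the post or from OpenSSH: it parses the output formats of the real `ssh-add -L` and `ssh -G host` commands, but the sample listings embedded below are constructed placeholders, and the host name `legacy.example.com` in the config comment is made up.

```sh
#!/bin/sh
# Added example, not part of the original post: find ssh-dss keys held by the
# agent that the client's effective PubkeyAcceptedKeyTypes will skip, and show
# the config that makes the policy explicit. Uses only sh and awk; the two
# parsing functions expect `ssh-add -L` and `ssh -G host` output on stdin.

# Constructed sample of `ssh-add -L` output: placeholder key blobs, not real keys.
SAMPLE_AGENT_LIST='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...placeholder user@host
ssh-dss AAAAB3NzaC1kc3MAAACBAP...placeholder user@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...placeholder user@host'

# Constructed sample of the one `ssh -G host` line that matters here; the
# default list on OpenSSH 7.x contains no ssh-dss.
SAMPLE_POLICY='pubkeyacceptedkeytypes ssh-ed25519,ssh-rsa'

# Print "type comment" for every ssh-dss key in `ssh-add -L` output (stdin).
# These are the keys the agent holds but the client skips by default.
list_dss_keys() {
    awk '$1 == "ssh-dss" { print $1, $NF }'
}

# Number of ssh-dss keys in `ssh-add -L` output (stdin).
count_dss_keys() {
    list_dss_keys | wc -l | tr -d ' '
}

# Exit 0 if the effective client config (`ssh -G host` on stdin) lists ssh-dss.
# The option name is matched case-insensitively; OpenSSH 8.5+ prints the
# renamed option pubkeyacceptedalgorithms, so that spelling is accepted too.
policy_accepts_dss() {
    awk 'tolower($1) == "pubkeyacceptedkeytypes" || tolower($1) == "pubkeyacceptedalgorithms" {
             n = split($2, algs, ",")
             for (i = 1; i <= n; i++) if (algs[i] == "ssh-dss") found = 1
         }
         END { exit (found ? 0 : 1) }'
}

# Report agent-held ssh-dss keys that the client policy will silently skip.
# Arguments: agent listing text, client policy text (as produced above).
audit_agent_vs_policy() {
    if printf '%s\n' "$2" | policy_accepts_dss; then
        echo "client accepts ssh-dss; agent keys will be offered"
        return 0
    fi
    n=$(printf '%s\n' "$1" | count_dss_keys)
    if [ "$n" -gt 0 ]; then
        echo "$n ssh-dss key(s) in agent will be skipped by the client:"
        printf '%s\n' "$1" | list_dss_keys
        return 0
    fi
    echo "no ssh-dss keys in agent"
}

# Live use: audit_agent_vs_policy "$(ssh-add -L)" "$(ssh -G some.host)"
# To allow a DSA key deliberately for one legacy host only, put this in
# ~/.ssh/config (the "+" form appends to the default list, OpenSSH 7.0+);
# `ssh -G legacy.example.com` then shows ssh-dss in the expanded list:
#   Host legacy.example.com
#       PubkeyAcceptedKeyTypes +ssh-dss
audit_agent_vs_policy "$SAMPLE_AGENT_LIST" "$SAMPLE_POLICY"
```

Run against the constructed samples the report names the one ssh-dss key the agent holds and that the default policy will skip; substitute the live `ssh-add -L` and `ssh -G host` output to check a real account, and note that `ssh -G` already reflects any `+ssh-dss` added in ssh_config, so the same check tells you whether a per-host exception actually took effect.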