On Mon, May 21, 2012 at 09:18:32AM -0700, Jason Usher wrote:
> 
> Folks,
> 
> Is there a better list for this - perhaps freebsd-security ?
> 
> I originally posted to -hackers because it *appears* that reverting "rsa, 
> then dsa" to "dsa, then rsa" was a simple change to myproposal.h, but since 
> that doesn't work, and since I haven't gotten any replies here ...
> 
> Thoughts ?

OpenBSD ?

http://www.openssh.org/list.html

> 
> 
> --- On Thu, 5/17/12, Jason Hellenthal <jhellent...@dataix.net> wrote:
> 
> > > > > I have some old 6.x FreeBSD systems that need
> > their
> > > > OpenSSH upgraded.
> > > > > 
> > > > > Everything goes just fine, but when I am
> > done, existing
> > > > clients are now presented with this message:
> > > > > 
> > > > > 
> > > > > WARNING: DSA key found for host hostname
> > > > > in /root/.ssh/known_hosts:12
> > > > > DSA key fingerprint
> > 4c:29:4b:6e:b8:6b:fa:49.......
> > > > > 
> > > > > The authenticity of host 'hostname
> > (10.1.2.3)' can't be
> > > > established
> > > > > but keys of different type are already known
> > for this
> > > > host.
> > > > > RSA key fingerprint is
> > a3:22:3d:cf:f2:46:09:f2......
> > > > > Are you sure you want to continue connecting
> > (yes/no)
> > > > > 
> > > > 
> > > > You must be using different keys for your server
> > than the
> > > > one that has
> > > > been generated before the upgrade. Just copy your
> > keys over
> > > > to the new
> > > > location and restart the server daemon and you
> > should be
> > > > fine.
> > > > 
> > > > copy /etc/ssh/* -> /usr/local/etc/ssh/
> > > 
> > > 
> > > You didn't read that error message.
> > 
> > Sorry I misread that. Decieving message...
> > 
> > > 
> > > That is not the standard "key mismatch" error that you
> > assumed it was.  Look at it again - it is saying that
> > we do have a key for this server of type DSA, but the client
> > is receiving one of type RSA, etc.
> > > 
> > > The keys are the same - they have not changed at all -
> > they are just being presented to clients in the reverse
> > order, which is confusing them and breaking automated,
> > key-based login.
> > > 
> > > I need to take current ssh server behavior (rsa, then
> > dss) and change it back to the old order (dss, then rsa).
> > 
> > Have you attempted to change that order via sshd_config and
> > placing the
> > DSA directive before the RSA one ?
> > 
> > 
> > -- 
> > 
> >  - (2^(N-1))
> > 

-- 

 - (2^(N-1))

Attachment: pgpwYbPqW1wk8.pgp
Description: PGP signature

Reply via email to