--- On Tue, 5/22/12, Ian Lepore <free...@damnhippie.dyndns.org> wrote:
> Seeing your example config with the commented-out HostKey lines made me
> realize that you probably want to have two HostKey lines, one for the
> protocol v1 key and another for the dsa key for v2. The 6.x server
> added the v1 key and the v2 dsa key by default, so you could have
> existing clients relying on a v1 key. Since you now have a HostKey
> statement the new server code won't add the v1 key by default so you'd
> need to be explicit about it.
>
> Based on examining the code, I think this will be safe because the keys
> have different type-names ("rsa1" vs "rsa") so a client wanting to use a
> protocol v2 rsa key won't accidentally match the protocol v1 rsa key
> named in the config file (and it will still match the dsa key).

Well, yes - and after restarting sshd, this was made clear:

Stopping sshd.
Starting sshd.
Disabling protocol version 1. Could not load host key

However, those commented-out HostKey lines were always commented out - I did not comment them out. In fact, my change was to uncomment the last one.

Further, I think the:

/etc/ssh/ssh_host_key

key, for protocol v1, is an RSA key, right? But you are saying it's an older rsa1 key?

Ok, I will uncomment both lines now, and it will read:

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_dsa_key

I just tried it and it seems to work (no scary key mismatch messages for DSA clients).

Thanks.

_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers