On Thu, May 17, 2012 at 02:17:03PM -0700, Jason Usher wrote: > I have some old 6.x FreeBSD systems that need their OpenSSH upgraded. > > Everything goes just fine, but when I am done, existing clients are now > presented with this message: > > > WARNING: DSA key found for host hostname > in /root/.ssh/known_hosts:12 > DSA key fingerprint 4c:29:4b:6e:b8:6b:fa:49....... > > The authenticity of host 'hostname (10.1.2.3)' can't be established > but keys of different type are already known for this host. > RSA key fingerprint is a3:22:3d:cf:f2:46:09:f2...... > Are you sure you want to continue connecting (yes/no) >
You must be using different keys for your server than the one that has been generated before the upgrade. Just copy your keys over to the new location and restart the server daemon and you should be fine. copy /etc/ssh/* -> /usr/local/etc/ssh/ > > And as you can imagine, existing automated jobs now all fail. > > I have no control over the clients.? Assume the clients cannot be touched at > all. > > So, the good news is, this appears to have been discussed/documented here: > > http://www.mail-archive.com/bugs@crater.dragonflybsd.org/msg04860.html > > ... but I'm afraid that changing that line in myproposal.h BACK TO > ssh-dss,ssh-rsa does not solve the problem.? I did indeed make that change to > myproposal.h, manually, and then build the openssh-portable port, but the > behavior persists. > > If I simply REMOVE the RSA keys, the error goes away, and existing DSA-using > clients no longer bomb out, but this is NOT a good solution for two reasons: > > 1. anytime I HUP, or start sshd, it's going to create new RSA keys for me > > 2. It's possible that some clients out there really have been using RSA all > along (who knows) and now they are completely broken, since RSA is not there > at all. > > I'm more than happy to muck around in the source with further little edits, > just like I did with myproposal.h, but I have no idea what they would be. > > Can anyone help me "make new ssh behave like old one" ? > > Thanks. > > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org" -- - (2^(N-1))
pgphZW36vGlU7.pgp
Description: PGP signature
