On Fri, May 18, 2012 at 01:58:01PM -0700, Jason Usher wrote:
> 
> --- On Thu, 5/17/12, Jason Hellenthal <jhellent...@dataix.net> wrote:
> 
> > On Thu, May 17, 2012 at 04:26:38PM -0700, Jason Usher wrote:
> > > 
> > > --- On Thu, 5/17/12, Jason Hellenthal <jhellent...@dataix.net> wrote:
> > > 
> > > > That is not the standard "key mismatch" error that you
> > > > assumed it was.  Look at it again - it is saying that
> > > > we do have a key for this server of type DSA, but the client
> > > > is receiving one of type RSA, etc.
> > > 
> > > The keys are the same - they have not changed at all -
> > > they are just being presented to clients in the reverse
> > > order, which is confusing them and breaking automated,
> > > key-based login.
> > > 
> > > I need to take current ssh server behavior (rsa, then
> > > dss) and change it back to the old order (dss, then rsa).
> > 
> > > > Have you attempted to change that order via sshd_config and
> > > > placing the DSA directive before the RSA one ?
> > > 
> > > sshd_config has no such config directive.  ssh_config does, but that's
> > > for clients, and I have no way to interact with the clients.
> > > 
> > > It would indeed be very nice if this key order, which seems like a
> > > prime candidate for configuration, was a configurable option in
> > > sshd_config, but it is not.
> > > 
> > > I am fairly certain that I need to hack up some source files, and I
> > > thought I had it with myproposal.h (see link in OP) but there must be
> > > more, because that small change does not fix things...
> > 
> > You don't have any of this in your config ?
> > 
> > # HostKey for protocol version 1
> > #HostKey /usr/local/etc/ssh/ssh_host_key
> > # HostKeys for protocol version 2
> > HostKey /usr/local/etc/ssh/ssh_host_rsa_key
> > #HostKey /usr/local/etc/ssh/ssh_host_dsa_key
> > #HostKey /usr/local/etc/ssh/ssh_host_ecdsa_key
> 
> Yes, but that doesn't help, for reasons I mentioned earlier.
> 
> Simply removing RSA functionality would (of course) cause it to stop
> presenting RSA keys first, but what about clients who (for whatever reason,
> who knows) negotiated RSA keys previously ? Then they would break.
> 
> This is a very simple requirement:
> 
> OpenSSH server used to present keys in the order: DSA first, then RSA. I
> need to get back to that same behavior.
> 
> How do I do that ?
Not sure if you missed what I was saying or if I read that correctly. But
have you tried it in this order ?

HostKey /usr/local/etc/ssh/ssh_host_key
HostKey /usr/local/etc/ssh/ssh_host_dsa_key
HostKey /usr/local/etc/ssh/ssh_host_rsa_key
HostKey /usr/local/etc/ssh/ssh_host_ecdsa_key

???

Just for brevity.

-- 
 - (2^(N-1))
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
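The whole thread turns on the order in which sshd presents its host key types, and that order is visible on the wire: it is the server_host_key_algorithms name-list in the server's SSH_MSG_KEXINIT (RFC 4253 section 7.1), which is sent before any encryption, so it can be read with a plain socket. The probe below is an added example written for this page, not code from the thread or from OpenSSH; the host name and port are whatever you point it at, and the only protocol it speaks is the version exchange plus reading that first packet. It lets you confirm what a HostKey reordering in sshd_config actually changed, from the client's point of view.

```python
# Added example (not from the thread): read an SSH server's KEXINIT and list the host key
# algorithms it offers, in the order it offers them (RFC 4253 section 7.1).
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order.
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

def parse_name_list(buf, off):
    """Decode one name-list (uint32 length, comma-separated ASCII names) at buf[off]."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated name-list")
    text = buf[off:off + n].decode("ascii")
    return (text.split(",") if text else []), off + n

def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict keyed by KEXINIT_FIELDS (lists keep wire order)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("expected SSH_MSG_KEXINIT, got %r" % payload[:1])
    off = 1 + 16  # message type byte, then the 16-byte random cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        fields[name], off = parse_name_list(payload, off)
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields

def build_kexinit(lists, cookie=b"\x00" * 16):
    """Assemble a KEXINIT payload from name-lists (used here to construct sample input)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        names = ",".join(lists.get(name, ())).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows = FALSE, reserved

def frame_packet(payload, block=8):
    """Binary-packet framing used before encryption: length, padding length, payload, padding."""
    pad = block - ((len(payload) + 5) % block)
    if pad < 4:
        pad += block
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + b"\x00" * pad

def recv_exact(recv, n):
    """Read exactly n bytes through recv(n); the peer closing early is an error."""
    buf = b""
    while len(buf) < n:
        chunk = recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def read_packet(recv):
    """Read one unencrypted packet (no MAC yet) and return its payload without padding."""
    packet_len, pad_len = struct.unpack(">IB", recv_exact(recv, 5))
    if packet_len > 35000 or pad_len + 1 > packet_len:  # RFC 4253 6.1 size bound, sanity check
        raise ValueError("implausible packet header")
    body = recv_exact(recv, packet_len - 1)
    return body[:packet_len - 1 - pad_len]

def read_line(recv):
    """Read one LF-terminated line a byte at a time so nothing past it is consumed."""
    line = b""
    while not line.endswith(b"\n"):
        line += recv_exact(recv, 1)
    return line

def probe_host_key_order(host, port=22, timeout=5.0):
    """Return (server version string, server_host_key_algorithms in the server's order)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-hostkey_order_probe\r\n")
        while True:  # a server may send banner lines before its "SSH-" line (RFC 4253 4.2)
            line = read_line(sock.recv)
            if line.startswith(b"SSH-"):
                break
        version = line.rstrip(b"\r\n").decode("ascii", "replace")
        kexinit = parse_kexinit(read_packet(sock.recv))
    return version, kexinit["server_host_key_algorithms"]  # we hang up before key exchange

if __name__ == "__main__":
    version, algs = probe_host_key_order(sys.argv[1] if len(sys.argv) > 1 else "localhost")
    print(version, " > ".join(algs))
```

Run it as `python3 probe.py server.example` (a placeholder host) before and after reordering the HostKey lines and restarting sshd; the server will log the aborted connection as a failed key exchange, which is harmless. Two caveats worth keeping in mind while reading the output: sshd only offers a type for which it has actually loaded a key, so a commented-out HostKey line removes that type from the list rather than moving it, and under RFC 4253 section 7.1 the algorithm actually negotiated is the first entry on the client's own HostKeyAlgorithms list that the server also offers, so the server-side order shown here is only one half of the negotiation.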