> On Dec 20, 2016, at 7:32 PM, Craig Rodrigues <rodr...@crodrigues.org> wrote:
>
> On Tue, Dec 20, 2016 at 6:24 PM, Glyph Lefkowitz <gl...@twistedmatrix.com> wrote:
>
> > So... is this because buildbot.twistedmatrix.com has an RSA key as well, and when it
> > offers it, our checking isn't correctly comparing the type before deciding
> > that it doesn't match, or allowing for multiple keys? I notice that if I
> > manually add the RSA key and delete the ECDSA key it seems to work.
> >
> > -g
>
> Yes, that is part of it.
> What is happening is that the conch client sends a MSG_KEXINIT
> packet to the server to negotiate what the host key should be.
> If I use an OpenSSH ssh client to connect to OpenSSH sshd server,
> the negotiated host key algorithm is ecdsa-sha2-nistp256.
>
> If I use a conch client to connect to the OpenSSH sshd server,
> the negotiated host key algorithm is ssh-rsa.
>
> I started a test instance of the sshd server with:
>
> /usr/sbin/sshd -p 9000 -d -d -d
>
> and captured the logs (see attached).
>
> I think some problems are:
> (1) conch proposes a list of host key algorithms in a different order than
> OpenSSH. It shouldn't matter, but conch proposes ssh-rsa first,
> while OpenSSH proposes it last.
> (2) OpenSSH client seems to be able to receive multiple host keys back
> from the server, and can match the one it has.
Can you file a new ticket for each of these? The ordering thing seems super low priority, but not being able to receive multiple host keys is definitely a spec violation. Thanks for figuring it out, -glyph
_______________________________________________ Twisted-Python mailing list Twisted-Python@twistedmatrix.com http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
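The negotiation Craig describes follows RFC 4253 section 7.1: for server_host_key_algorithms, the server takes the first algorithm on the client's name-list that it also supports, so the client's ordering alone decides whether the ECDSA or the RSA host key gets offered. The script below is an added example written for this thread; it is not conch or OpenSSH code. It models that selection rule, then shows why a known_hosts check has to compare the key type before declaring a mismatch and must tolerate more than one key per host. The name-lists, the known_hosts lines and the key blobs are constructed (the blobs carry a real SSH-string type prefix but no key material), and `naive_check_host_key` is a hypothetical faulty check that illustrates the failure mode, not what conch actually does.

```python
"""
SSH host key algorithm negotiation (RFC 4253 section 7.1) and known_hosts
matching.  Added example for this thread; not conch or OpenSSH code.  All
name-lists, known_hosts entries and key blobs below are constructed.
"""
import base64
import struct

# Constructed preference lists.  The server has both an ECDSA and an RSA
# host key; the two client lists differ only in where ssh-rsa sits.
SERVER_HOST_KEY_ALGS = ["ecdsa-sha2-nistp256", "ssh-rsa"]
OPENSSH_LIKE_CLIENT = ["ecdsa-sha2-nistp256", "ssh-ed25519", "ssh-rsa"]
CONCH_LIKE_CLIENT = ["ssh-rsa", "ecdsa-sha2-nistp256"]


def negotiate_host_key_algorithm(client_algs, server_algs):
    """RFC 4253 7.1: the first algorithm on the client's name-list that is
    also supported by the server is chosen.  Server order plays no part."""
    for alg in client_algs:
        if alg in server_algs:
            return alg
    return None


def make_blob(keytype, payload):
    """Constructed key blob: the SSH string-encoded key type followed by an
    opaque payload standing in for the key material."""
    kt = keytype.encode()
    return base64.b64encode(struct.pack(">I", len(kt)) + kt + payload).decode()


def blob_type(blob):
    """Key type embedded in a base64 blob (its first SSH string)."""
    raw = base64.b64decode(blob)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()


def parse_known_hosts(text):
    """Parse plain (unhashed) known_hosts lines into (hosts, type, blob)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, blob = line.split()[:3]
        entries.append((set(hosts.split(",")), keytype, blob))
    return entries


def check_host_key(entries, host, keytype, blob):
    """Compare an offered key against every entry on file for the host.

    "match":   same type and same key data are on file.
    "changed": a key of the same type but different data is on file.
    "unknown": nothing on file for this host with this key type (new host,
               or a host that is offering a second key type).
    """
    if blob_type(blob) != keytype:
        raise ValueError("declared type %s does not match blob" % keytype)
    same_type = [b for hosts, t, b in entries if host in hosts and t == keytype]
    if blob in same_type:
        return "match"
    if same_type:
        return "changed"
    return "unknown"


def naive_check_host_key(entries, host, keytype, blob):
    """Hypothetical faulty check: compares against the first entry for the
    host without looking at its key type, so a host with only an ECDSA line
    on file looks as if it changed its key when it offers an RSA key."""
    for hosts, _t, b in entries:
        if host in hosts:
            return "match" if b == blob else "changed"
    return "unknown"


# Constructed sample data: known_hosts holds only the ECDSA key.
ECDSA_BLOB = make_blob("ecdsa-sha2-nistp256", b"constructed-ecdsa")
RSA_BLOB = make_blob("ssh-rsa", b"constructed-rsa")
KNOWN_HOSTS = "buildbot.twistedmatrix.com ecdsa-sha2-nistp256 %s\n" % ECDSA_BLOB


def demo():
    """Run both client orderings against the server and both checks."""
    entries = parse_known_hosts(KNOWN_HOSTS)
    host = "buildbot.twistedmatrix.com"
    results = {}
    for name, client in (("openssh", OPENSSH_LIKE_CLIENT), ("conch", CONCH_LIKE_CLIENT)):
        alg = negotiate_host_key_algorithm(client, SERVER_HOST_KEY_ALGS)
        offered = ECDSA_BLOB if alg == "ecdsa-sha2-nistp256" else RSA_BLOB
        results[name] = (alg, check_host_key(entries, host, alg, offered),
                         naive_check_host_key(entries, host, alg, offered))
    return results


if __name__ == "__main__":
    for name, (alg, strict, naive) in demo().items():
        print("%-8s negotiated %-20s strict=%-8s naive=%s" % (name, alg, strict, naive))
```

With only the ECDSA line on file, the OpenSSH-like ordering negotiates ecdsa-sha2-nistp256 and both checks report a match; the conch-like ordering negotiates ssh-rsa, the type-aware check reports "unknown" (prompt to add a second key), while the naive check reports "changed", which is the symptom the thread describes. Adding an ssh-rsa line for the same host makes the type-aware check report "match" for both orderings.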