On Mon, Jan 26, 2009 at 03:05:47PM +0900, YONETANI Tomokazu wrote:
> On Sun, Jan 25, 2009 at 06:50:22PM -0800, Matthew Dillon wrote:
> > I think YONETANI reported this a few months ago, but it just started
> > happening to me when I upgraded pkgbox.
> >
> > Something is ignoring the host DSA key when a host RSA key is
> > presenting,
> > causing a mismatch with a pre-existing known_hosts file.
> >
> > If I were to say 'yes', then RSA host key would be recorded in my
> > known_hosts file.
> >
> > If I remove the RSA host key file on the server and restart sshd, then
> > the client properly negotiates using the DSA host key.
> >
> > Anyone have any ideas?
> >
> > -Matt
>
> Seems like the import of openssh-5.1 reverted the order of the default
> hostkey algorithm proposal, which has been part of FreeBSD-local
> preferences for many years:
> diff --git a/crypto/openssh-5/myproposal.h b/crypto/openssh-5/myproposal.h
> index 8bdad7b..87a9e58 100644
> --- a/crypto/openssh-5/myproposal.h
> +++ b/crypto/openssh-5/myproposal.h
> @@ -40,7 +40,7 @@
>  "diffie-hellman-group1-sha1"
>  #endif
>  
> -#define KEX_DEFAULT_PK_ALG "ssh-dss,ssh-rsa"
> +#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss"
>  #define KEX_DEFAULT_ENCRYPT \
>  "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
>  "arcfour128,arcfour256,arcfour," \
>
> Note that FreeBSD also got rid of this local change about a month
> earlier than we did:
> http://docs.freebsd.org/cgi/mid.cgi?200808010253.m712raNF004286
>
> So the quick workaround (if you still prefer DSA over RSA) is
> to add the following in /etc/ssh_config on ssh clients
>
> HostKeyAlgorithms ssh-dsa,ssh-rsa
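Review bot: a user-visible behaviour change like this needs a note alongside it, and the hunk carries none: once KEX_DEFAULT_PK_ALG reads "ssh-rsa,ssh-dss", a client proposes the server's RSA key ahead of the DSA key it already holds in known_hosts, which is exactly the mismatch Matthew describes above. Since the old order was a long-standing local preference, the swap should either be kept out of the import or recorded where upgraders will see it, together with the client-side override `HostKeyAlgorithms ssh-dss,ssh-rsa` for anyone who needs the previous behaviour.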
This should read: HostKeyAlgorithms ssh-dss,ssh-rsa (-dss, not -dsa).

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
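An added check for the situation this thread describes (example code, not from any poster): it reads a known_hosts file and lists the hosts that have no entry of a given key type, so a client that now proposes ssh-rsa first can see in advance which hosts are recorded only under ssh-dss and will prompt on the next connection to a server that also presents an RSA key. The hostnames and key blobs in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: find known_hosts entries that will
# no longer match once the client proposes ssh-rsa ahead of ssh-dss.

# hosts_missing_type KEYTYPE   (reads a known_hosts file on stdin)
# Prints, sorted and one per line, every host pattern that has no entry of
# KEYTYPE. Hashed host lines (|1|...) cannot be reversed to a hostname and
# are reported by their hash string.
hosts_missing_type() {
    awk -v want="$1" '
        /^[ \t]*(#|$)/ { next }               # comments and blank lines
        {
            h = $1; t = $2
            if ($1 ~ /^@/) { h = $2; t = $3 } # @cert-authority / @revoked marker
            n = split(h, names, ",")          # one line may cover several names
            for (i = 1; i <= n; i++) {
                seen[names[i]] = 1
                if (t == want) have[names[i]] = 1
            }
        }
        END { for (x in seen) if (!(x in have)) print x }
    ' | sort
}

# Constructed sample known_hosts: hostnames and key blobs are placeholders,
# not keys copied from any real system.
SAMPLE_KNOWN_HOSTS='# recorded while the client default was still ssh-dss,ssh-rsa
pkgbox.example.org,10.0.0.5 ssh-dss AAAAB3NzaC1kc3MAAACB-placeholder
buildbox.example.org ssh-dss AAAAB3NzaC1kc3MAAACB-placeholder
buildbox.example.org ssh-rsa AAAAB3NzaC1yc2EAAAAB-placeholder'

# Hosts recorded only under ssh-dss: these are the ones that will prompt
# (or report a mismatch) once the server also presents an RSA key.
printf '%s\n' "$SAMPLE_KNOWN_HOSTS" | hosts_missing_type ssh-rsa
```

For the hosts it lists, either record the server's RSA key as well or, as the thread's workaround, pin `HostKeyAlgorithms ssh-dss,ssh-rsa` in the client's ssh_config.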