Chris,

I wonder if there might be a better way to do this. Your patch  
basically emasculates the whole point of host-key verification: if  
the key differs, things should blow up, otherwise there is the danger  
of a "man in the middle" attack.

Now, if your server has both an RSA and a DSA key, maybe a way needs  
to be found so that Net::SSH chooses the correct key (or passes both  
to the host key verifier somehow). I'm not sure either of those  
options is actually feasible (it's been a long time since I've been  
in that neck of the Net::SSH woods), but it might be educational to  
look at how openssh works in this situation.

At any rate, I'm really, really strapped for time at the moment, so  
it might be some weeks before I have a chance to address this  
further. I'd really love for a hero to swoop in and make this work in  
the meantime. :)

- Jamis Buck
[EMAIL PROTECTED]

On May 10, 2007, at 7:30 AM, Chris Andrews wrote:

> Hi,
>
> I think I've figured out why we're sometimes seeing hostkey  
> verification problems -- it's happening when a server has both a  
> DSA and an RSA hostkey, and you've already got one, but not both of  
> them in your ~/.ssh/known_hosts from using openssh.
>
> Net-SSH comes along and happens to get the other one, and the logic  
> is such that when we already have a key that matches on host, ip  
> and port, but doesn't match on type, we report a mismatch rather  
> than just adding the key.
>
> If the logic in host-key-verifier.rb's verify method was adjusted  
> to just add the new key, rather than reporting a verify fail, that  
> would be more like how openssh behaves (it actually points out that  
> you have the "other" key).
>
> Patch attached - tested on Linux only though.
>
>
> Chris.
>
> <host-key-verifier.diff>
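The decision the two messages disagree about, as an added example that is not Net::SSH's host-key-verifier.rb or the attached patch: known_hosts entries are matched on host, ip, port and key type, and a stored key of a different type for the same endpoint is a distinct outcome rather than either a mismatch or a silent add. The Struct names, the policy method and the sample known_hosts data are constructed for this example.

```ruby
# Constructed model of the host-key decision discussed in the thread.
# Not Net::SSH code; names and sample data are made up for illustration.
KnownKey  = Struct.new(:host, :ip, :port, :type, :key)
Candidate = Struct.new(:host, :ip, :port, :type, :key)

class HostKeyDecision
  def initialize(known_keys)
    @known = known_keys
  end

  # Classify a key the server just presented against known_hosts.
  # Returns :match, :mismatch, :other_type_known or :unknown_host.
  def classify(cand)
    same_endpoint = @known.select { |k| endpoint?(k, cand) }
    same_type     = same_endpoint.select { |k| k.type == cand.type }
    return :unknown_host     if same_endpoint.empty?
    return :other_type_known if same_type.empty?   # e.g. only the RSA key is known, DSA offered
    same_type.any? { |k| k.key == cand.key } ? :match : :mismatch
  end

  # Policy: only an exact match proceeds on its own. A changed key of the
  # same type is a hard failure (possible man in the middle). A key of a
  # type not yet known is treated like a new host: it is surfaced for
  # confirmation (as openssh does) instead of being added automatically,
  # since an interposed host could present whichever type is not yet known.
  def allow?(cand, confirm: ->(_c) { false })
    case classify(cand)
    when :match                          then true
    when :mismatch                       then false
    when :other_type_known, :unknown_host then confirm.call(cand)
    end
  end

  private

  def endpoint?(k, c)
    k.host == c.host && k.ip == c.ip && k.port == c.port
  end
end

# Constructed sample data: openssh left only the RSA key for example.test.
KNOWN = [KnownKey.new("example.test", "192.0.2.10", 22, "ssh-rsa", "AAAAB3RSA...")]
```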


For more options, visit this group at http://groups.google.com/group/capistrano