On 2015-12-08 20:33:27 -0800, Russ Allbery wrote: > I think Colin is still working on making sure this change is visible > enough to everyone it affects, but see the changelog in openssh-client: > > - Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by > default at run-time. These may be re-enabled using the instructions > at http://www.openssh.com/legacy.html
I actually saw this page after googling the error message (not very easy because with lftp, the error message disappears very quickly, the part about ssh-dss isn't even visible with a 80-column terminal). This should have been put at least in the NEWS.Debian file. > It sounds like the remote host to which you're trying to connect only > offers ssh-dss keys, which are no longer supported by default (following > upstream) because they're not very secure. This from is a SSH server for Android (and the user doesn't seem to have a choice for the type of the host key). > This is unrelated to host key checking or IP checking. It's about the > type of underlying crypto being used to secure the connection. According to what is documented, this appears to be related to host key checking: the error mesage is "no matching *host key* type found" and the option name is HostKeyAlgorithms. In what way it could be insecure in the case where the user doesn't have the key in the ~/.ssh/known_hosts file? -- Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
