https://bugzilla.mindrot.org/show_bug.cgi?id=3219
--- Comment #3 from Damien Miller <[email protected]> ---
(In reply to jatjasjem from comment #2)

> I am not sure what would be the use of multiple host keys of the same type if
> only one is offered at the same time. If the protocol doesn't allow retrying
> using a different host key, perhaps the server could refuse to start if given
> several host keys of the same type?

No, because we have a protocol extension (UpdateHostkeys) that makes multiple
host keys of the same type actually useful, e.g. gracefully rotating keys.

> In either case, while it is possible to connect using different ECDSA keys, the
> algorithms must be specified explicitly. This seems to be due to the fact that
> given an ECDSA key `order_hostkeyalgs` in `sshconnect2.c` will return all
> ECDSA host key algorithms, including the ones incompatible with the key. This,
> in turn, seems to be due to the fact that OpenSSH considers the three ECDSA
> keys as being of the same type.
>
> Since you can't verify e.g. ECDSA nistp521 signature using
> "ecdsa-sha2-nistp384", perhaps OpenSSH could view the ECDSA keys as
> different ones?

Yes, I'll fix that.

--
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
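The per-curve mismatch discussed in the comment, as an added illustration that is not OpenSSH's code: a toy version of client-side host key algorithm ordering, first with the type-only comparison the report describes (every ECDSA algorithm is promoted for any ECDSA key) and then keyed on the curve name carried inside the key blob. The algorithm list, the helper names and the key line with a dummy point are all constructed for this example.

```python
import base64
import struct
# Constructed subset of a client's HostKeyAlgorithms preference list (illustration only).
DEFAULT_HOSTKEY_ALGS = [
    "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa",
]
RSA_SIG_ALGS = ("ssh-rsa", "rsa-sha2-256", "rsa-sha2-512")  # all verify with one RSA key

def ssh_string(data: bytes) -> bytes:  # RFC 4251 'string': uint32 length + bytes
    return struct.pack(">I", len(data)) + data

def read_ssh_string(buf: bytes, off: int):  # decode one RFC 4251 'string' at off
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated ssh string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def make_ecdsa_line(curve: str) -> str:
    """Constructed known_hosts-style line for an ECDSA key; the point is a dummy, not a real key."""
    keytype = "ecdsa-sha2-" + curve
    blob = ssh_string(keytype.encode()) + ssh_string(curve.encode()) + ssh_string(b"\x04" + b"\x00" * 64)
    return keytype + " " + base64.b64encode(blob).decode()

def plain_type(alg: str) -> str:  # key family, as a type-only comparison sees it
    if alg in RSA_SIG_ALGS:
        return "rsa"
    return "ecdsa" if alg.startswith("ecdsa-sha2-") else alg

def compatible_algs(pubkey_line: str) -> set:
    """Signature algorithms that can actually verify signatures made with this key."""
    keytype, b64 = pubkey_line.split()[:2]
    if keytype in RSA_SIG_ALGS:
        return set(RSA_SIG_ALGS)
    if keytype.startswith("ecdsa-sha2-"):
        blob = base64.b64decode(b64)
        _, off = read_ssh_string(blob, 0)      # skip the repeated key type string
        curve, _ = read_ssh_string(blob, off)  # the curve name pins the one usable algorithm
        return {"ecdsa-sha2-" + curve.decode()}
    return {keytype}

def match_by_type(line: str, alg: str) -> bool:  # coarse rule from the bug report
    return plain_type(line.split()[0]) == plain_type(alg)
def match_by_curve(line: str, alg: str) -> bool:  # per-curve rule
    return alg in compatible_algs(line)

def order_hostkeyalgs(known_keys, match, algs=DEFAULT_HOSTKEY_ALGS):
    """Move algorithms matching a known host key to the front, keeping relative order."""
    preferred = [a for a in algs if any(match(k, a) for k in known_keys)]
    return preferred + [a for a in algs if a not in preferred]
```

With a known nistp521 key, the type-only rule offers nistp256 and nistp384 first even though neither can verify that key's signature, while the per-curve rule promotes only ecdsa-sha2-nistp521.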
