Re: SSH v3.7.1p2 client not failing back to SSH v1
From: Darren Tucker (dtucker_at_zip.com.au)
Date: Mon, 22 Dec 2003 11:47:04 +1100
To: David Cress <firstname.lastname@example.org>
David Cress wrote:
> Some of our users only have SSH V1 keys. They've been using these for a
> long time, so forcing them to create v2 keys and spam the keys to all
> 750+ machines is not going to happen overnight.
> When an OpenSSH v3.7.1p2 client with only a v1 key tries to ssh to a
> v3.7.1p2 server where they only have a v1 public key they can no longer
> use public key auth. It drops them to passwd login.
> Now if I do 'ssh -1 server' this works fine. If I set up ssh_config to
> try SSH v1 first, then v2 it works fine. We want the machines to try v2
> first and if that fails, then try v1, then passwd.
The decision to use Protocol 1 or 2 is the first one the client takes,
before deciding which authentication method to use. It can't change the
Protocol version without reconnecting.
You can set "Protocol 1,2" in ssh_config or the user's ~/.ssh/config to
prefer v1 connections (or vice versa, and per-host if necessary), and
you can set which authentications you want within each protocol (eg
PreferredAuthentications for SSHv2) but you can't switch SSH protocol
That's an SSHv2 connection. You can't use an SSHv1 key to authenticate
an SSHv2 connection (at least, with OpenSSH, not sure about others).
-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
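
The "v2 key first, then v1 key, then password" order asked for in this thread, given the constraint in the reply that the protocol version cannot change without reconnecting, as an added example that is not part of the original messages: a wrapper that makes a separate connection for each attempt. The function names are hypothetical; it assumes a client that still accepts `-1`, server host keys already in known_hosts, and private keys that are unencrypted or loaded in ssh-agent (BatchMode cannot prompt for a passphrase).

```shell
# Added example, not from the thread. Function names are hypothetical.
# Each attempt is its own connection: the SSH protocol version is chosen
# before authentication starts, so falling back means reconnecting.

# probe_key PROTO_FLAG HOST
# Succeeds only if a non-interactive, key-based login works over the
# given protocol (-1 or -2).
probe_key() {
    # BatchMode=yes disables password and passphrase prompts, so a
    # rejected or missing key makes ssh exit non-zero instead of
    # dropping to a password prompt. PreferredAuthentications only
    # affects SSHv2; it is harmless on an SSHv1 probe.
    ssh "$1" -o BatchMode=yes -o PreferredAuthentications=publickey \
        "$2" true >/dev/null 2>&1
}

# choose_proto HOST
# Prints "2" if an SSHv2 key works, "1" if only an SSHv1 key works,
# and "password" if neither key-based login succeeds.
choose_proto() {
    if probe_key -2 "$1"; then
        echo 2
    elif probe_key -1 "$1"; then
        echo 1
    else
        echo password
    fi
}

# ssh_fallback HOST [COMMAND...]
# Opens the real session using the first mode that the probes accepted.
ssh_fallback() {
    host=$1
    shift
    case $(choose_proto "$host") in
        2) ssh -2 -o PreferredAuthentications=publickey "$host" "$@" ;;
        1) ssh -1 "$host" "$@" ;;
        *) ssh -2 -o PreferredAuthentications=keyboard-interactive,password \
               "$host" "$@" ;;
    esac
}
```

Source the file and run `ssh_fallback server`; a host that needed the probes costs one or two extra connections, and logging the `choose_proto` result per user gives a list of accounts still relying on v1 keys.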