Re: SSH v3.7.1p2 client not failing back to SSH v1

From: Darren Tucker (dtucker_at_zip.com.au)
Date: 12/22/03

    Date: Mon, 22 Dec 2003 11:47:04 +1100
    To: David Cress <dcress@web.turner.com>
    
    

    David Cress wrote:
    > Some of our users only have SSH V1 keys. They've been using these for a
    > long time, so forcing them to create v2 keys and spam the keys to all
    > 750+ machines is not going to happen overnight.
    >
    > When an OpenSSH v3.7.1p2 client with only a v1 key tries to ssh to a
    > v3.7.1p2 server where they only have a v1 public key they can no longer
    > use public key auth. It drops them to passwd login.
    >
    > Now if I do 'ssh -1 server' this works fine. If I set up ssh_config to
    > try SSH v1 first, then v2, it works fine. We want the machines to try v2
    > first and if that fails, then try v1, then passwd.

    The decision to use Protocol 1 or 2 is the first one the client takes,
    before deciding which authentication method to use. It can't change the
    Protocol version without reconnecting.

    You can set "Protocol 1,2" in ssh_config or the user's ~/.ssh/config to
    prefer v1 connections (or vice versa, and per-host if necessary), and
    you can set which authentications you want within each protocol (e.g.
    PreferredAuthentications for SSHv2) but you can't switch SSH protocol
    versions mid-authentication.

    [snip debug]
    That's an SSHv2 connection. You can't use an SSHv1 key to authenticate
    an SSHv2 connection (at least, with OpenSSH, not sure about others).

    -- 
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
         Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
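
A simplified model of the behaviour described in the reply above, added here as an example; it is not part of the original message and is not OpenSSH's code. It assumes a constructed server identification string (`SSH-1.99-...`, the protoversion a server sends when it accepts both protocols), hypothetical function names, and authentication reduced to "has a key for this protocol, or falls back to password".

```python
import re

# Identification string: SSH-<protoversion>-<softwareversion>
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")

def server_protocols(banner):
    """Return the set of protocol major versions a server banner offers."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):
        return {1, 2}   # protocol 2 server that also accepts protocol 1
    if major in (1, 2):
        return {major}
    raise ValueError("unsupported protocol version %d.%d" % (major, minor))

def choose_protocol(banner, preference):
    """Pick the first entry of the client's ordered 'Protocol' list
    (e.g. [2, 1] for 'Protocol 2,1') that the server offers."""
    offered = server_protocols(banner)
    for version in preference:
        if version in offered:
            return version
    raise ConnectionError("no common protocol version")

def login(banner, preference, key_protocols):
    """Model one connection. key_protocols is the set of protocol versions
    for which the user has a key the server accepts. The protocol is fixed
    from the banner first; authentication only happens inside it, so a
    missing key leads to password auth, never to the other protocol."""
    proto = choose_protocol(banner, preference)
    method = "publickey" if proto in key_protocols else "password"
    return proto, method

if __name__ == "__main__":
    banner = "SSH-1.99-OpenSSH_3.7.1p2"   # constructed sample banner
    v1_only_user = {1}                    # user has only an SSH v1 key
    print(login(banner, [2, 1], v1_only_user))  # v2 chosen, key unusable
    print(login(banner, [1, 2], v1_only_user))  # v1 chosen, key works
```
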
    
