Re: OpenSSH: which public keys are required/recommended?

From: Richard Silverman (res@des.jhy.us.ml.com)
Date: 03/27/02


From: Richard Silverman <res@des.jhy.us.ml.com>
Date: 27 Mar 2002 17:09:32 -0500


>>>>> "DM" == Dimitri Maziuk <dima@127.0.0.1> writes:

    DM> What I noticed after upgrading to OpenSSH 3.1 is that if a host
    DM> has a DSA key but no RSA key in authorized_keys2, ssh will barf. So
    DM> there is a reason to prefer RSA keys -- they seem to work better.
    DM> I'm not sure if it is a bug or a feature.

An authorized_keys file contains not host keys, but rather user keys.
Perhaps you meant the known_hosts file? And it would be more helpful if
you would give an explicit error message, rather than just saying it, uh --
"barfs."

I will make a guess, and say that perhaps you're seeing the client
complain about not being able to confirm the server identity. If the
server offers both DSA and RSA host keys, and you have only the DSA one,
this will happen, because by default the client selects the RSA one.
Using "ssh -o HostKeyAlgorithms=ssh-dss ..." would get around this issue.

-- 
 Richard Silverman
 slade@shore.net
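As an added illustration (not part of the thread, and not OpenSSH's own code), here is a small POSIX shell check for the mismatch described above: it compares the key types a server advertises (ssh-keyscan-style lines) with the key types known_hosts already holds for that host, and builds a HostKeyAlgorithms value limited to types the client already trusts. The host name, key material and file contents are constructed samples.

```shell
#!/bin/sh
# Added example: detect a known_hosts / host-key-type mismatch and derive a
# HostKeyAlgorithms setting from it. All inputs below are constructed.

# Constructed sample of what the server advertises (ssh-keyscan style output):
# it offers both an RSA and a DSA host key.
SERVER_KEYS='example.host ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDRSAKEY
example.host ssh-dss AAAAB3NzaC1kc3MCONSTRUCTEDDSAKEY'

# Constructed sample known_hosts: only the DSA key for example.host is recorded,
# which is exactly the situation that makes a client defaulting to RSA complain.
KNOWN_HOSTS='example.host ssh-dss AAAAB3NzaC1kc3MCONSTRUCTEDDSAKEY
other.host ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDOTHERKEY'

# key_types HOST TEXT
# Print the key types (second field) recorded for HOST in TEXT, one per line.
key_types() {
    printf '%s\n' "$2" | awk -v h="$1" '$1 == h { print $2 }'
}

# host_key_algorithms HOST SERVER_TEXT KNOWN_TEXT
# Print a comma-separated HostKeyAlgorithms value containing only the key
# types that are both offered by the server and already present in
# known_hosts, so the client verifies against a key it trusts.
# Prints nothing and returns 1 when there is no overlap (the client would
# have to accept a brand-new host key out of band).
host_key_algorithms() {
    offered=$(key_types "$1" "$2")
    known=" $(key_types "$1" "$3" | tr '\n' ' ') "
    result=''
    for t in $offered; do
        case "$known" in
            *" $t "*) result="${result:+$result,}$t" ;;
        esac
    done
    [ -n "$result" ] || return 1
    printf '%s\n' "$result"
}

# Usage: restrict the client to the trusted overlap, as suggested in the reply.
if algs=$(host_key_algorithms example.host "$SERVER_KEYS" "$KNOWN_HOSTS"); then
    printf 'ssh -o HostKeyAlgorithms=%s example.host\n' "$algs"
else
    printf 'no trusted host key type overlaps with what example.host offers\n'
fi
```

With real data you would feed it the output of `ssh-keyscan -t rsa,dsa host` and the contents of ~/.ssh/known_hosts; newer OpenSSH clients already reorder their host-key algorithm preference toward types found in known_hosts, so the manual override matters mainly for older clients like the one under discussion.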


