Re: OpenSSH: which public keys are required/recommended?

From: Dimitri Maziuk (dima@127.0.0.1)
Date: 03/28/02


    Richard Silverman:
    >>>>>> "DM" == Dimitri Maziuk <dima@127.0.0.1> writes:
    >
    > DM> What I noticed after upgrading to OpenSSH 3.1 is that if a host
    > DM> has DSA key but no RSA key in authorized_keys2, ssh will barf. So
    > DM> there is a reason to prefer RSA keys -- they seem to work better.
    > DM> I'm not sure if it is a bug or a feature.
    >
    > An authorized_keys file contains not host keys, but rather user keys.
    > Perhaps you meant the known_hosts file?

    Yes. Sorry, brane fart.

    > ...And it would be more helpful if
    > you would give an explicit error message, rather than just saying it, uh --
    > "barfs."

    See below.

    > I will make a guess, and say that perhaps you're seeing the client
    > complain about not being able to confirm the server identity. If the
    > server offers both DSA and RSA host keys, and you have only the DSA one,
    > this will happen, because by default the client selects the RSA one.

    Yep, that's what happened, with the usual "authenticity of host cannot
    be established" message.

    > Using "ssh -o HostKeyAlgorithms=ssh-dss ..." would get around this issue.

    Well, I just generated RSA host keys for affected hosts.

    <Curious>
    We have a bunch of admin scripts that run via ssh from a central server
    (cron jobs). I wonder what would've happened if I didn't test the upgrade
    & generate missing RSA keys. Would those cron jobs just sit there waiting
    for "yes or no" until the cron run queue overflowed (or the server's process
    table, whichever comes first) a few days later?
    </Curious>

    Dima

    -- 
    Riding roughshod over some little used trifle like the English language is not a
    big deal to an important technology innovator like Microsoft. They did just that
    by naming a major project dot-Net (".Net").  Before that, a period followed by a
    capital letter was used to mark a sentence boundary. --T. Gottfried, RISKS 21.91
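
Added example, not from the thread or from OpenSSH itself: a POSIX shell check for the mismatch Richard describes. For one host it compares the key types the server offers (as `ssh-keyscan -t rsa,dsa host` would print them) against the unhashed entries in a known_hosts file and reports the types that have no entry, so the missing host key can be added before the default RSA preference trips a cron job. The function name and both data samples are constructed.

```shell
#!/bin/sh
# Constructed known_hosts: "backup1" has only a DSA entry, "web1" has both.
# Format is the OpenSSH 2 one: "hostnames keytype base64key" (unhashed).
KNOWN_HOSTS_SAMPLE='backup1,192.0.2.10 ssh-dss AAAAB3NzaC1kc3MAAACBAP-placeholder1
web1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB-placeholder2
web1 ssh-dss AAAAB3NzaC1kc3MAAACBAP-placeholder3'

# Constructed stand-in for the output of: ssh-keyscan -t rsa,dsa backup1 web1
KEYSCAN_SAMPLE='# backup1 SSH-2.0-OpenSSH_3.1
backup1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB-placeholder4
backup1 ssh-dss AAAAB3NzaC1kc3MAAACBAP-placeholder1
web1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB-placeholder2
web1 ssh-dss AAAAB3NzaC1kc3MAAACBAP-placeholder3'

# missing_key_types HOST KNOWN_HOSTS_TEXT KEYSCAN_TEXT
# Prints one line per key type HOST offers that has no known_hosts entry.
# Hypothetical helper; only matches plain (unhashed) hostname lists.
missing_key_types() {
    host=$1; known=$2; scanned=$3
    printf '%s\n' "$scanned" | while read -r shost stype skey; do
        case $shost in '#'*|'') continue ;; esac   # skip keyscan comments
        [ "$shost" = "$host" ] || continue
        # known_hosts field 1 is a comma-separated list of names/addresses
        if ! printf '%s\n' "$known" | awk -v h="$host" -v t="$stype" '
            $2 == t { n = split($1, names, ",")
                      for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
            END { exit found ? 0 : 1 }'; then
            echo "$stype"
        fi
    done
}

# A cron job should never be left waiting at the "yes/no" prompt:
# BatchMode=yes makes ssh fail instead of asking, so the job exits non-zero
# and the missing key shows up in the mail cron sends rather than as a hang.
#   ssh -o BatchMode=yes -o StrictHostKeyChecking=yes backup1 /path/to/nightly
```

For the constructed data the check reports `ssh-rsa` for backup1 (the case from the thread) and nothing for web1; the thread's `-o HostKeyAlgorithms=ssh-dss` workaround remains an alternative to adding the reported key.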