[Bug 746] host authentication requires RSA1 keys
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Tue Oct 21 09:17:15 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=746
Summary: host authentication requires RSA1 keys
Product: Portable OpenSSH
Version: 3.7p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: gbburkhardt at aaahawk.com
The documentation indicates that /etc/ssh/ssh_known_hosts can be built from
entries in the per-user ~/.ssh/known_hosts file. However, the entry must have
an RSA1 key; any other key type will not work.
In the 'ssh' man page:
"If the server machine does not have the
client's host key in /etc/ssh/ssh_known_hosts, it can be stored
in $HOME/.ssh/known_hosts. The easiest way to do this is to con-
nect back to the client from the server machine using ssh; this
will automatically add the host key to $HOME/.ssh/known_hosts."
The key put in the user's known_hosts file is 'ssh-rsa', which will not work for
host based authentication in /etc/ssh/ssh_known_hosts.
In monitor.c, at about line 962 the type of the key passed to key_read() is
fixed:
case MM_RSAHOSTKEY:
key->type = KEY_RSA1; /* XXX */
allowed = options.rhosts_rsa_authentication &&
auth_rhosts_rsa_key_allowed(authctxt->pw,
cuser, chost, key);
In addition, the host's IP address is required in the key definition
in /etc/ssh/ssh_known_hosts; the symbolic host name won't work.
Here's a workaround, that could be included in the documentation:
Here's a workaround for the problem. Use
ssh-keyscan -t rsa1 192.168.2.30 > ssh_known_hosts
where the actual host's IP address should be substituted for "192.168.2.30".
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the openssh-bugs
mailing list