[Bug 746] host authentication requires RSA1 keys

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Oct 21 09:17:15 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=746

           Summary: host authentication requires RSA1 keys
           Product: Portable OpenSSH
           Version: 3.7p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: gbburkhardt at aaahawk.com


The documentation indicates that /etc/ssh/ssh_known_hosts can be built from 
entries in the per-user ~/.ssh/known_hosts file. However, the entry must have
an RSA1 key; any other key type will not work.

In the 'ssh' man page:

"If the server machine does not have the
 client's host key in /etc/ssh/ssh_known_hosts, it can be stored
 in $HOME/.ssh/known_hosts.  The easiest way to do this is to con-
 nect back to the client from the server machine using ssh; this
 will automatically add the host key to $HOME/.ssh/known_hosts."

The key put in the user's known_hosts file is 'ssh-rsa', which will not work for 
host based authentication in /etc/ssh/ssh_known_hosts.

In monitor.c, at about line 962 the type of the key passed to key_read() is
fixed:

		case MM_RSAHOSTKEY:
			key->type = KEY_RSA1; /* XXX */
			allowed = options.rhosts_rsa_authentication &&
			    auth_rhosts_rsa_key_allowed(authctxt->pw,
			    cuser, chost, key);

In addition, the host's IP address is required in the key definition
in /etc/ssh/ssh_known_hosts; the symbolic host name won't work. 

Here's a workaround, that could be included in the documentation:

Here's a workaround for the problem.  Use

        ssh-keyscan -t rsa1 192.168.2.30 > ssh_known_hosts

where the actual host's IP address should be substituted for "192.168.2.30".



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.




More information about the openssh-bugs mailing list