[Bug 747] host authentication requires RSA1 keys
bugzilla-daemon at mindrot.org
Thu Oct 23 06:36:36 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=747
------- Additional Comments From gbburkhardt at aaahawk.com 2003-10-23 06:36 -------
I realize now that the source of my confusion was that the default for ssh on
one machine was protocol 1, and on the other, protocol 2. So the bit in the ssh
man page that says:
"If the server machine does not have the client's host key in /etc/ssh/ssh_known_hosts, it can be stored in $HOME/.ssh/known_hosts. The easiest way to do this is to connect back to the client from the server machine using ssh; this will automatically add the host key to $HOME/.ssh/known_hosts."
didn't work.
I believe that the documentation could be improved by adding something like
this to the ssh man page, where the /etc/ssh/ssh_known_hosts file is discussed:
/usr/local/etc/ssh_known_hosts
Systemwide list of known host keys. This file should be prepared by the system administrator to contain the public host keys of all machines in the organization. This file should be world-readable. This file contains public keys, one per line, in the following format (fields separated by spaces): system name, public key and optional comment field. When different names are used for the same machine, all such names should be listed, separated by commas. The format is described on the sshd(8) manual page.
If the system wide ssh_known_hosts file is to be used for protocol 1
Rhosts RSA Authentication, there must be an entry with an RSA1 key
and the IP address of the machine as a system name. For use with
protocol 2 host based authentication, the entry must have an RSA key
and the IP address as a system name. 'ssh-keyscan' can be used to
obtain the key from the host with the appropriate type, e.g.,
ssh-keyscan -t rsa1 ip-address >> /usr/local/etc/ssh_known_hosts
I haven't been able to find anywhere in the documentation that it's required
that the IP address of the machine be listed as a system name.
There is a short reference in the sshd_config man page to which key is used by
which protocol, and others in the ssh-keygen/ssh-keyscan utilities, but it
can't hurt to note that in the ssh_known_hosts files, separate keys are
required if the server is to handle both protocols.
Thanks.
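The check the comment above describes, as an added example that is not part of the bug report or of OpenSSH: a small parser that tells protocol 1 (RSA1) entries from protocol 2 entries in an ssh_known_hosts file and reports, for a given IP address, which of the two kinds of entry is still missing. The sample file contents and IP addresses are constructed for the example.

```python
"""Check an ssh_known_hosts file for the two kinds of entry discussed above.

Protocol 1 (RSA1) entries:  name bits exponent modulus [comment]
Protocol 2 entries:         name keytype base64-key [comment]
`name` may be a comma-separated list; the IP address must be one of them.
"""
import re

# Constructed sample: 10.0.0.5 has both key types, 10.0.0.6 only an RSA1
# key, and 10.0.0.7 is not listed by IP address at all.
SAMPLE = """\
# comment line
10.0.0.5,alpha 1024 35 12345678901234567890 alpha rsa1 key
10.0.0.5,alpha ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAq== alpha rsa key
10.0.0.6 1024 35 98765432109876543210
gamma ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAr== gamma rsa key
"""

def classify(line):
    """Return (names, protocol) for one known_hosts line, or None to skip it."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 3:
        return None
    names = fields[0].split(",")
    # RSA1 entries carry numeric bits and exponent fields; protocol 2
    # entries carry a key type followed by a base64-encoded key.
    if fields[1].isdigit() and fields[2].isdigit():
        return names, 1
    if fields[1].startswith("ssh-") and re.fullmatch(r"[A-Za-z0-9+/=]+", fields[2]):
        return names, 2
    return None

def protocols_for(text, ip):
    """Protocol versions that have an entry naming `ip` as a system name."""
    found = set()
    for line in text.splitlines():
        parsed = classify(line)
        if parsed and ip in parsed[0]:
            found.add(parsed[1])
    return found

def missing_protocols(text, ip):
    """Protocols (1 and/or 2) for which `ip` still lacks a known_hosts entry."""
    return {1, 2} - protocols_for(text, ip)

if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        print(ip, "missing:", sorted(missing_protocols(SAMPLE, ip)) or "none")
```

Run it against a real file with `missing_protocols(open("/usr/local/etc/ssh_known_hosts").read(), ip)`; an entry reported missing is the one `ssh-keyscan -t rsa1` or `-t rsa` would supply.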