Upgrading from ssh to openssh (1.2pre12)... Solved...

Michael H. Warfield mhw at wittsend.com
Tue Nov 16 03:23:51 EST 1999


	Never mind...  Solved the problem myself...

On Mon, Nov 15, 1999 at 10:55:30AM -0500, Michael H. Warfield wrote:
> Hello all,

> 	I've just tried my first attempt at migrating from ssh (1.2.27)
> to openssh.  I got 1.2pre12 to compile and install from the source RPM's.
> Just ran into one royal pain of a problem.  Sshd won't start!  It doesn't
> seem to like my old host keys.

> 	I get the following error in syslog:

> Nov 15 10:45:38 alcove sshd[21731]: fatal: cipher_set_key: unknown cipher: 1

	Problem was that the host key was encrypted with idea (old method)
and idea isn't supported at this time in openssh.

> 	Now...  What's wrong and how do I fix it?  The logistics of blowing
> away everybody's ssh_known_hosts files for hosts and individuals makes
> regening keys impractical.  Potentially, the number of hosts which would
> end up with new host keys is several dozen.  The number of individuals
> who would have the subsequent "host keys has changed" error inflicted
> upon them could be several hundred.

	The key in question was pre 1.2.8 (yes, I've worked with ssh
back that far - that's why you find me listed in the README.Ylonen
file in "ACKNOWLEDGEMENTS").  I just had to run the OLD ssh-keygen
with the -u option to update the key from idea encryption to 3des
encryption.  Fortunately, the old ssh-keygen program was still sitting
in /usr/local/bin and hadn't been clobbered when I installed from the
RPMs.  :-)

	The old key was working fine with ssh 1.2.27 because it
had idea support compiled in, even though all new keys since 1.2.8
were encrypted with 3des.

> 	I couldn't find anything in any of the readme files regarding
> migration problems or solutions.

	You might want to note this little "gotcha" in the README files.
The rpm upgrade prep process should also probably check for ssh_* and
sshd_* files in /etc/ instead of /etc/ssh/ to help ease the upgrade pain.

	The new ssh-keygen also cannot upgrade the keys because it also
does not support idea!  If you experience the misfortune of blowing away
the old ssh-keygen program, you will have to go back to ssh-1.2.27 and
rebuild an ssh-keygen binary from that in order to upgrade the key.  Would
it be too much to ask or too much of a patent violation to add the ability
to decrypt the old files for purposes of upgrading?  No encryption, just
decrypt idea in ssh-keygen would be nice.  That could, at least, avoid the
catch-22 with really old keys.

	Now I just have to write a magic script to run around running
"ssh-keygen -u" for the host keys on all my servers, before beginning
the openssh upgrade process.  Sigh...  User identity files are going
to be another matter, but I don't think that there are too many of them
that predate 1.2.8, fortunately...  :-)


	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
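The "magic script" the post talks about needs to know which host keys are still IDEA-encrypted before the upgrade. As an added example (not code from the post or from OpenSSH), this checks the cipher-type byte that follows the SSH1 private-key ID string; the file layout and cipher numbers are from the ssh 1.x key format, and the sample key blobs and host paths are constructed stand-ins.

```python
import struct

# SSH1 private key files start with this NUL-terminated ID string,
# followed by one cipher-type byte and four reserved bytes.
SSH1_ID = b"SSH PRIVATE KEY FILE FORMAT 1.1\n\x00"

# Cipher numbers ssh 1.x used for the private-key encryption byte;
# the syslog line "unknown cipher: 1" is reporting this byte's value.
SSH1_CIPHERS = {0: "none", 1: "idea", 2: "des", 3: "3des", 6: "blowfish"}


def ssh1_key_cipher(blob: bytes):
    """Return (cipher_name, cipher_number) for an SSH1 key blob, or None if not SSH1 format."""
    if not blob.startswith(SSH1_ID) or len(blob) < len(SSH1_ID) + 5:
        return None
    num = blob[len(SSH1_ID)]
    return SSH1_CIPHERS.get(num, "unknown"), num


def needs_upgrade(blob: bytes) -> bool:
    """True when the key body is IDEA-encrypted, i.e. it must go through the old ssh-keygen -u."""
    info = ssh1_key_cipher(blob)
    return info is not None and info[1] == 1


def make_header(cipher: int) -> bytes:
    # Constructed header: ID string, cipher byte, reserved int, placeholder body bytes.
    return SSH1_ID + bytes([cipher]) + struct.pack(">I", 0) + b"\x00" * 16


# Constructed sample inventory standing in for host key files read from several servers.
SAMPLE_KEYS = {
    "alcove:/etc/ssh_host_key": make_header(1),      # pre-1.2.8 key, IDEA-encrypted
    "host2:/etc/ssh_host_key": make_header(3),       # post-1.2.8 key, 3DES-encrypted
    "host3:/etc/ssh/ssh_host_key": b"-----BEGIN RSA PRIVATE KEY-----\n",  # not SSH1 format
}


def keys_to_upgrade(keys):
    """Names of the keys that still need 'ssh-keygen -u' before sshd from openssh will load them."""
    return sorted(name for name, blob in keys.items() if needs_upgrade(blob))


if __name__ == "__main__":
    for name, blob in SAMPLE_KEYS.items():
        print(name, ssh1_key_cipher(blob))
    print("run old ssh-keygen -u on:", keys_to_upgrade(SAMPLE_KEYS))
```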