Problem connecting to v2.9.9p2 on Solaris 8

Ed Phillips ed at UDel.Edu
Wed Nov 28 03:11:22 EST 2001


On Tue, 27 Nov 2001 mouring at etoh.eviladmin.org wrote:

> Date: Tue, 27 Nov 2001 09:56:31 -0600 (CST)
> From: mouring at etoh.eviladmin.org
> To: Ed Phillips <ed at UDel.Edu>
> Cc: Markus Friedl <markus at openbsd.org>,
>      OpenSSH Development <openssh-unix-dev at mindrot.org>
> Subject: Re: Problem connecting to v2.9.9p2 on Solaris 8
>
>
> [..]
> > > > Any ideas what's going wrong here?  From a layman's point of view, it
> > > > would appear that Putty and OpenSSH can't decide on key algorithms... but
> > > > why would this happen?  I use Putty to connect to other
> > > > OpenSSH2.9.9p2/Sol8 installs (the same compiled code) and it works fine...
> > >
> > > the sshd offers a ssh v2 RSA hostkey,
> > > putty says it can only understand ssh v2 DSA hostkeys,
> > > so they cannot agree.
> > >
> > > i suggest to generate a SSH v2 DSA hostkey, too.
> >
> > That's it!  Thanks!  I wasn't aware that Putty only supported DSA in v2...
> > oh well... ;-)
> >
>
> As of 0.51 it supports both RSA and DSA.. Which is kinda funny since the
> author originally railed against DSA and shouted at the top of his lungs
> that he would never support DSA due to the fact it sucks up too my entropy
> to be reliable.

That's strange... I'm using Putty 0.51.  It doesn't seem to support RSA
for SSHV2 connections I guess.  Maybe it's in the "latest development
release" version...

> Rather abrubt 180..
>
> [quote from FAQ]
> A.7.3 How come PuTTY now supports DSA, when the website used to say how
> insecure it was?
>
> DSA has a major weakness if badly implemented: it relies on a random
> number generator to far too great an extent. If the random number
> generator produces a number an attacker can predict, the DSA private key
> is exposed - meaning that the attacker can log in as you on all systems
> that accept that key.
>
> The PuTTY policy changed because the developers were informed of ways to
> implement DSA which do not suffer nearly as badly from this weakness, and
> indeed which don't need to rely on random numbers at all. For this reason
> we now believe PuTTY's DSA implementation is probably OK. However, if you
> have the choice, we still recommend you use RSA instead.

Thanks Ben and Markus!  For now, I've generated a DSA key on the server
side so that Putty can connect.

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key




More information about the openssh-unix-dev mailing list